Dekimu · anchored receipts docs

ABR — Anchored Breach Receipts

Cryptographic proof of a personal-data breach lifecycle event — detection, assessment, notification, containment, or closure.


Purpose

An ABR anchors each stage of a personal-data breach response. From the moment of detection (starting the 72-hour regulatory clock) through DPA notification, subject notification, containment, and eventual closure, every step is recorded in a cryptographically chained receipt.

The breach.detected event carries a mandatory trusted timestamp authority (TSA) attestation. This anchors the start of the 72-hour clock to an independently verifiable wall-clock time, not solely to the issuer's system clock.

Event types

| Kind | Label | Description |
| --- | --- | --- |
| breach.detected | Detected | Breach identified (72h clock starts). |
| breach.assessed | Assessed | Risk and scope evaluated. |
| breach.dpa_notified | DPA notified | Supervisory authority informed. |
| breach.dpa_delayed | DPA delayed | Notification delay justified. |
| breach.subject_notified | Subjects notified | Affected individuals informed. |
| breach.subject_notification_exempted | Notification exempted | Art. 34(3) exemption applied. |
| breach.contained | Contained | Breach impact mitigated. |
| breach.closed | Closed | Incident fully resolved. |

Key fields

severity — risk classification of the breach: low, medium, high, or critical. Drives which notification obligations apply.

affected_count — estimated number of data subjects affected. May be a range at detection time and refined in subsequent receipts.

containment_measures — structured description of technical and organisational measures taken to limit the breach impact.

Regulatory context

GDPR Art. 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to natural persons. The ABR detection receipt provides cryptographic evidence of when "awareness" occurred. Art. 34 requires communication to affected data subjects when the breach is likely to result in a high risk; the breach.subject_notification_exempted event documents the basis for any Art. 34(3) exemption claimed.
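
An added example, not Dekimu's own code or receipt format: a sketch of how an auditor could check a receipt chain for intact links and for the 72-hour window between the TSA-attested detection time and DPA notification. The field names prev_hash, tsa_time and issued_at, the SHA-256-over-sorted-JSON hashing, and the sample receipts are assumptions constructed for illustration; validating the TSA token itself is out of scope.

```python
import hashlib
import json
from datetime import datetime, timedelta

DEADLINE = timedelta(hours=72)  # GDPR Art. 33 notification window

def receipt_hash(receipt):
    # Assumed canonical form: sorted-key compact JSON, hashed with SHA-256.
    blob = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_chain(events):
    """Link sample events through the hypothetical prev_hash field."""
    chain, prev = [], None
    for ev in events:
        r = dict(ev, prev_hash=prev)
        chain.append(r)
        prev = receipt_hash(r)
    return chain

def audit(chain):
    """Return findings for a reviewer; an empty list means nothing was flagged."""
    findings, prev = [], None
    for i, r in enumerate(chain):
        if r.get("prev_hash") != prev:
            findings.append(f"receipt {i}: chain link broken")
        prev = receipt_hash(r)
    if not chain or chain[0].get("kind") != "breach.detected":
        return findings + ["chain does not start with breach.detected"]
    tsa = chain[0].get("tsa_time")
    if not tsa:
        return findings + ["breach.detected lacks the mandatory TSA attestation"]
    start = datetime.fromisoformat(tsa)  # clock starts at TSA time, not issuer time
    by_kind = {r.get("kind"): r for r in reversed(chain)}  # first of each kind wins
    notified = by_kind.get("breach.dpa_notified")
    if notified is None:
        findings.append("no breach.dpa_notified receipt (review Art. 33 risk exception)")
    elif (datetime.fromisoformat(notified["issued_at"]) - start > DEADLINE
          and "breach.dpa_delayed" not in by_kind):
        findings.append("DPA notified after 72h without breach.dpa_delayed")
    return findings

# Constructed sample lifecycle (not real data): notification 54 hours after detection.
SAMPLE = build_chain([
    {"kind": "breach.detected", "issued_at": "2024-03-01T09:00:00+00:00",
     "tsa_time": "2024-03-01T09:00:05+00:00", "severity": "high"},
    {"kind": "breach.assessed", "issued_at": "2024-03-02T10:00:00+00:00"},
    {"kind": "breach.dpa_notified", "issued_at": "2024-03-03T15:00:00+00:00"},
])
```
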

Anchored Receipts are cryptographic provenance and privacy-lifecycle protocols; verify.dekimu.com is a reference implementation, not a qualified trust service under Regulation (EU) No 910/2014 (eIDAS) or successor.