Dekimu · anchored receipts docs
ABR — Anchored Breach Receipts
Cryptographic proof of a personal-data breach lifecycle event — detection, assessment, notification, containment, or closure.
Purpose
An ABR anchors each stage of a personal-data breach response. From the moment of detection (starting the 72-hour regulatory clock) through DPA notification, subject notification, containment, and eventual closure, every step is recorded in a cryptographically chained receipt.
The breach.detected event carries a mandatory trusted timestamp authority (TSA) attestation. This anchors the start of the 72-hour clock to an independently verifiable wall-clock time, not solely to the issuer's system clock.
Event types
| Kind | Label | Description |
|---|---|---|
| breach.detected | Detected | Breach identified (72h clock starts). |
| breach.assessed | Assessed | Risk and scope evaluated. |
| breach.dpa_notified | DPA notified | Supervisory authority informed. |
| breach.dpa_delayed | DPA delayed | Notification delay justified. |
| breach.subject_notified | Subjects notified | Affected individuals informed. |
| breach.subject_notification_exempted | Notification exempted | Art. 34(3) exemption applied. |
| breach.contained | Contained | Breach impact mitigated. |
| breach.closed | Closed | Incident fully resolved. |
Key fields
severity — risk classification of the breach: low, medium, high, or critical. Drives which notification obligations apply.
affected_count — estimated number of data subjects affected. May be a range at detection time and refined in subsequent receipts.
containment_measures — structured description of technical and organisational measures taken to limit the breach impact.
Regulatory context
GDPR Art. 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to natural persons. The ABR detection receipt provides cryptographic evidence of when "awareness" occurred. Art. 34 requires communication to affected data subjects when the breach is likely to result in a high risk; the breach.subject_notification_exempted event documents the basis for any Art. 34(3) exemption claimed.
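The following is an added example, not Dekimu's own code: a minimal auditor that walks a receipt chain, checks each link, and measures the 72-hour window from the TSA time on breach.detected instead of the issuer's clock. The field names prev_hash, issued_at and tsa_time, the SHA-256 over canonical JSON, and the sample receipts are assumptions for illustration, since this page does not specify the receipt format; the TSA token itself is assumed to have been verified already.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=72)  # Art. 33 notification window

def receipt_hash(receipt):
    # Assumed canonical form: compact JSON with sorted keys, hashed with SHA-256.
    blob = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def link(events):
    """Build a constructed sample chain: each receipt commits to its predecessor."""
    chain, prev = [], None
    for ev in events:
        receipt = dict(ev, prev_hash=receipt_hash(prev) if prev else None)
        chain.append(receipt)
        prev = receipt
    return chain

def utc(ts):
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def audit(chain):
    """Return findings; an empty list means links hold and the 72h timing is documented."""
    findings, prev = [], None
    for i, r in enumerate(chain):
        if r.get("prev_hash") != (receipt_hash(prev) if prev else None):
            findings.append(f"receipt {i}: prev_hash does not match predecessor")
        prev = r
    if not chain or chain[0].get("kind") != "breach.detected":
        return findings + ["chain does not start with breach.detected"]
    if not chain[0].get("tsa_time"):
        return findings + ["breach.detected has no TSA time; clock start unanchored"]
    start = utc(chain[0]["tsa_time"])  # clock starts at TSA time, not issuer time
    notified = [utc(r["issued_at"]) for r in chain if r.get("kind") == "breach.dpa_notified"]
    delayed = any(r.get("kind") == "breach.dpa_delayed" for r in chain)
    if not notified:  # the Art. 33 "unlikely to result in a risk" case is not modelled
        findings.append("no breach.dpa_notified receipt")
    elif min(notified) - start > WINDOW and not delayed:
        findings.append("DPA notified after 72h without breach.dpa_delayed")
    return findings

# Constructed sample: detection anchored at 09:00 UTC, notification 70 hours later.
SAMPLE = link([
    {"kind": "breach.detected", "issued_at": "2024-03-01T08:58:00+00:00",
     "tsa_time": "2024-03-01T09:00:00+00:00", "severity": "high"},
    {"kind": "breach.assessed", "issued_at": "2024-03-02T12:00:00+00:00"},
    {"kind": "breach.dpa_notified", "issued_at": "2024-03-04T07:00:00+00:00"},
])
```

A backward-linked chain of this kind only protects receipts that have a successor; the newest receipt needs an external anchor to be tamper-evident.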