Dekimu · anchored receipts docs
ATokR — Anchored Tokenization Receipts
Cryptographic proof of a data-tokenization lifecycle event — issuance, redemption, revocation, or rotation of a pseudonymous token.
Purpose
An ATokR anchors the lifecycle of a pseudonymous token: when it was created, when it was exchanged for original data, when it was invalidated, and when it was replaced by a new value. This provides a verifiable audit trail for pseudonymisation operations without exposing the underlying data.
Rotated tokens chain via the receipt's prev envelope field, allowing verifiers to reconstruct the full rotation history of a token without access to the vault.
Event types
| Kind | Label | Description |
|---|---|---|
token.issued | Issued | New pseudonymous token created. |
token.redeemed | Redeemed | Token exchanged for original data. |
token.revoked | Revoked | Token permanently invalidated. |
token.rotated | Rotated | Token replaced with new value. |
Key fields
token_format — encoding and structure of the token (e.g. UUID v4, opaque hex, structured format). Does not include the token value itself.
pseudonymization_method — the cryptographic or algorithmic method used to derive the token from the original data (e.g. HMAC-SHA256, AES-SIV, format-preserving encryption).
rotation_policy — policy governing when tokens are rotated: time-based, event-triggered, or on-demand. Present on issuance receipts and updated on rotation.
Regulatory context
Pseudonymisation is defined in GDPR Art. 4(5) as the processing of personal data in such a manner that it can no longer be attributed to a specific individual without additional information held separately. GDPR Recital 26 clarifies that pseudonymous data that can be attributed back to a natural person remains personal data and subject to GDPR obligations. ATokR receipts document the safeguards in place — the existence of the token vault, the method used, and the access policy — without exposing the vault contents.