Customer-held evidence. Local verification. Clear trust boundaries.
GeoClear helps customers retain and independently verify operational evidence for AI actions, tool calls, workflow decisions, and audit-heavy systems. Verification can run locally using retained verification material, without a live GeoClear application call in the verification path.
GeoClear does not ask customers to trust our logs. We help you keep evidence you can verify.
GeoClear does not verify the AI was right. It verifies whether the action followed the approved evidence path before the customer-designated receiving system accepted it.
Containment is necessary. Evidence is the next layer.
GeoClear does not verify the AI was right. It verifies whether the action followed the approved evidence path before the customer-designated receiving system accepted it.
When model confidence, model service cards, evaluation reports, or calibration evidence are available, GeoClear can enforce customer policy over that evidence. The model signal is evidence, not authority by itself.
Containment addresses what an agent can reach. Evidence addresses what an action carries. Both layers compose; neither replaces the other.
| Existing defenses | What GeoClear adds |
|---|---|
| Sandboxes and VMs limit what an agent can reach. | Verifies the evidence path before the receiving system accepts the action. |
| Model policies shape what an agent tends to do. | Provides a deterministic accountability record of what the action actually was. |
| Human approvals add oversight. | Verifies whether approval was required and whether it was present. |
| Access controls limit destinations and capabilities. | Verifies that a permitted destination received an authorized action, not just any action. |
What GeoClear verifies. What it does not.
The trust boundary is where GeoClear stops and the customer's verification starts. The claim boundary is what an operational evidence record is, and is not, meant to assert. Reviewing both together avoids the most common procurement misunderstanding: that a tamper-evident operational evidence record is a regulator-grade certification. It is not.
| GeoClear verifies | GeoClear does not |
|---|---|
| Operational evidence was issued by GeoClear at the timestamp inside it. | That the upstream data is correct. |
| The evidence packet has not been mutated since issuance. | That the real-world fact described by the evidence is true. |
| The verification material traces to a stable, customer-verifiable trust anchor. | That a regulator, court, or third party will accept the evidence as legally definitive. |
| The customer can re-verify the evidence later without contacting GeoClear servers. | Legal certification, notarization in the legal sense, or affidavit-grade testimony. |
GeoClear signs the evidence at decision time, not after the audit begins. The customer retains the evidence and decides how to use it.
What a customer-held evidence bundle contains.
A GeoClear Evidence Bundle contains everything an independent reviewer needs to verify what GeoClear issued, using retained artifacts, public verification material, and verifier tooling outside GeoClear’s application runtime.
- Operational evidence record — the technical artifact.
- Action or decision payload summary — what the record covers.
- Verification material — public-key material needed to verify the record later.
- Evidence commitments or references — pointers to the inputs and trust anchors active at issuance.
- Bundle manifest — index of what the bundle contains and how to verify it.
- Offline verification instructions — a self-contained verifier that runs from the bundle without contacting GeoClear.
What this verifies
- ✓ GeoClear issued this verdict.
- ✓ The retained operational evidence matches the issued record.
- ✓ Active verification material verifies the evidence packet.
- ✓ The record was not modified after issuance.
What this does not verify
- × That every upstream dataset was perfect.
- × Full legal or regulatory compliance.
- × That a downstream business decision was risk-free.
- × That the physical world itself was verified (we record what was checked, not whether the world matched).
The line GeoClear holds.
GeoClear helps customers retain evidence that an action followed the approved evidence path before acceptance. Operational evidence records and customer-held evidence bundles are designed to make later modification detectable. GeoClear does not provide legal certification, makes no claim about model correctness, and does not establish the real-world truth of upstream data sources.
Hardened infrastructure
GeoClear uses encrypted storage, least-privilege access, transport security, private networking where applicable, monitored service paths, and controlled production access. Vulnerability acknowledgement target is within 72 business hours; remediation timelines are coordinated with the reporter on a per-finding basis. The cryptographic substrate, key-management posture, and control-evidence catalog are available under NDA via the Security Architecture Brief.
Want to verify operational evidence locally? Run the in-browser verifier, entirely client-side. After the verifier page and public verification material are loaded, signature verification runs locally on your device; GeoClear’s application servers do not participate in the verification result. For full developer integration detail, see our docs.
Coordinated Vulnerability Disclosure
GeoClear welcomes good-faith security research on public GeoClear systems. If you believe you have found a vulnerability, please report it privately so we can investigate and remediate before public disclosure. We accept reports per RFC 9116 and our security.txt.
Contact
Scope
geoclear.ioapi.geoclear.io- Public GeoClear demo and verification surfaces
- Other
*.geoclear.ioproperties that are publicly reachable and operated by GeoClear
Out of scope
- Denial-of-service testing
- Social engineering
- Physical attacks
- Spam, phishing, or credential stuffing
- Accessing, modifying, deleting, or exfiltrating data that is not yours
- Testing customer-controlled, partner-controlled, or third-party systems without explicit authorization
- Automated high-volume scanning that degrades service
When reporting, include
- Affected URL or endpoint
- Steps to reproduce
- Impact summary
- Screenshots or a reproducer, if safe
- Your contact information
- Whether any data was accessed, modified, or exposed
GeoClear commitment
- Acknowledgement target: within 72 business hours.
- We investigate in good faith.
- We prioritize based on severity, exploitability, and customer impact.
- We coordinate remediation and disclosure timing where appropriate.
- GeoClear will not pursue legal action against researchers who conduct good-faith testing, avoid privacy violations and service disruption, report findings promptly, and comply with this policy.
Important note: This is a coordinated vulnerability disclosure policy, not a public bug-bounty program. GeoClear does not currently promise monetary rewards unless separately agreed in writing. Public credit may be provided with the researcher’s consent, where appropriate.
Data protection
- Encryption in transit: modern transport security with HSTS enforced.
- Encryption at rest: hardware-managed encryption keys.
- API key storage: stored as one-way hashes, we cannot recover a key if you lose it.
- Network isolation: PostgreSQL database in a private network, not publicly reachable.
- Tenant isolation: every API request is scoped to the key's tenant, no cross-tenant data access paths exist.
Access controls
- Least-privilege role-based access across all infrastructure.
- MFA required on every engineer account.
- Production console access limited to on-call engineers.
- Secrets stored encrypted in a managed vault, never in code; rotated on schedule.
Monitoring and incident response
- Centralized log aggregation, error monitoring, and metrics on every service tier.
- Synthetic monitors for core endpoints every 60 seconds.
- Public status page at geoclear.io/status.
- Incident history and postmortems published when a user-impacting event occurs.
Compliance
- GDPR / CCPA: we process personal data as described in our Privacy Policy; data-subject requests are actioned within 30 days.
- Vertical compliance: See the Compliance & Governance brief for vertical-specific evidence models.
Sub-processors
Current list at privacy policy §5. We notify customers by email 30 days before adding a new sub-processor that processes customer data.
Verify operational evidence locally.
Change one byte in an issued evidence packet and watch local verification reject the tampered evidence. After the verifier and retained verification material are loaded, verification runs locally. GeoClear’s application servers do not participate in the verification result.
View record summary
,
An operational evidence record issued today remains verifiable years later from the record and the verification material the customer retained at decision time, independent of GeoClear’s continued operation. Server-side integrations can use our SDK; client-side verification runs entirely in the customer’s browser. The full key-distribution model and key-rotation policy live in our Security & Verification Whitepaper (NDA · for procurement and security review).
Seeing a 403, a blank page, or a stale verifier response?
Hard-reload first (Cmd/Ctrl + Shift + R), most edge-cache blips resolve there.
If it persists, include the full response headers (browser dev-tools → Network tab → click the request → Response Headers) with any report to security@geoclear.io.
The edge identifiers in those headers let us trace the exact request that failed.
Last updated: 2026-05-31
GeoClear issues operational evidence records for AI actions, tool calls, and workflow decisions. The evidence bundle is tamper-evident, and verifiers detect modification. GeoClear does not provide legal certification and does not verify the real-world truth of upstream data sources.