Customer-held evidence. Local verification. Clear trust boundaries.
GeoClear helps customers retain and independently verify operational evidence for AI actions, tool calls, workflow decisions, and audit-heavy systems. Verification can run locally using retained verification material, without a live GeoClear application call in the verification path.
GeoClear does not ask customers to trust our logs. We help you keep evidence you can verify.
GeoClear does not certify that the AI was right. It provides verifiable evidence that the action followed the approved evidence path before the customer system accepted it.
Containment is necessary. Evidence is the next layer.
GeoClear does not certify that the AI was right. It proves whether the action followed the approved evidence path before the receiving system accepted it.
Containment addresses what an agent can reach. Evidence addresses what an action carries. Both layers compose; neither replaces the other.
| Existing defenses | What GeoClear adds |
|---|---|
| Sandboxes and VMs limit what an agent can reach. | Verifies the evidence path before the receiving system accepts the action. |
| Model policies shape what an agent tends to do. | Provides a deterministic accountability record of what the action actually was. |
| Human approvals add oversight. | Proves whether approval was required and whether it was present. |
| Access controls limit destinations and capabilities. | Verifies that a permitted destination received an authorized action, not just any action. |
What GeoClear proves. What GeoClear does not prove.
The trust boundary is where GeoClear stops and the customer's verification starts. The claim boundary is what an operational receipt is, and is not, meant to assert. Reviewing both together avoids the most common procurement misunderstanding: that a tamper-evident receipt is a regulator-grade certification. It is not.
| GeoClear proves | GeoClear does not prove |
|---|---|
| Operational evidence was issued by GeoClear at the timestamp inside it. | That the upstream data is correct. |
| The signed evidence packet has not been mutated since issuance. | That the real-world fact described by the evidence is true. |
| The verification material traces to a stable, customer-verifiable trust anchor. | That a regulator, court, or third party will accept the evidence as legal proof. |
| The customer can re-verify the evidence later without contacting GeoClear servers. | Legal certification, notarization in the legal sense, or affidavit-grade testimony. |
GeoClear signs the evidence at decision time, not after the audit begins. The customer retains the evidence and decides how to use it.
What a customer-held evidence bundle contains.
A GeoClear Evidence Bundle contains everything an independent reviewer needs to verify what GeoClear issued, using retained artifacts, public verification material, and verifier tooling outside GeoClear’s application runtime.
- Signed operational evidence receipt — the technical artifact.
- Action or decision payload summary — what the receipt covers.
- Verification material — public-key material needed to verify the receipt later.
- Evidence commitments or references — pointers to the inputs and trust anchors active at issuance.
- Bundle manifest — index of what the bundle contains and how to verify it.
- Offline verification instructions — a self-contained verifier that runs from the bundle without contacting GeoClear.
What this proves
- ✓ GeoClear signed this verdict.
- ✓ The retained operational evidence matches the issued receipt.
- ✓ Active verification material verifies the signed evidence packet.
- ✓ The receipt was not modified after signing.
What this does not prove
- × That every upstream dataset was perfect.
- × Full legal or regulatory compliance.
- × That a downstream business decision was risk-free.
- × That the physical world itself was proven (we record what was checked, not whether the world matched).
The line GeoClear holds.
GeoClear helps customers retain evidence that an action followed the approved evidence path before acceptance. Signed operational evidence receipts and customer-held evidence bundles are designed to make later modification detectable. GeoClear does not provide legal certification, does not certify that the AI was right, and does not certify the real-world truth of upstream data sources.
Hardened infrastructure
GeoClear uses encrypted storage, least-privilege access, transport security, private networking where applicable, monitored service paths, and controlled production access. Vulnerability acknowledgement target is within 72 business hours; remediation timelines are coordinated with the reporter on a per-finding basis. The cryptographic substrate, key-management posture, and control-evidence catalog are available under NDA via the Security Architecture Brief.
Want to verify operational evidence locally? Run the in-browser verifier, entirely client-side. After the verifier page and public verification material are loaded, signature verification runs locally on your device; GeoClear’s application servers do not participate in the verification result. For full developer integration detail, see our docs.
Coordinated Vulnerability Disclosure
GeoClear welcomes good-faith security research on public GeoClear systems. If you believe you have found a vulnerability, please report it privately so we can investigate and remediate before public disclosure. We accept reports per RFC 9116 and our security.txt.
Contact
Scope
- geoclear.io
- api.geoclear.io
- Public GeoClear demo and verification surfaces
- Other *.geoclear.io properties that are publicly reachable and operated by GeoClear
Out of scope
- Denial-of-service testing
- Social engineering
- Physical attacks
- Spam, phishing, or credential stuffing
- Accessing, modifying, deleting, or exfiltrating data that is not yours
- Testing customer-controlled, partner-controlled, or third-party systems without explicit authorization
- Automated high-volume scanning that degrades service
When reporting, include
- Affected URL or endpoint
- Steps to reproduce
- Impact summary
- Screenshots or proof-of-concept, if safe
- Your contact information
- Whether any data was accessed, modified, or exposed
GeoClear commitment
- Acknowledgement target: within 72 business hours.
- We investigate in good faith.
- We prioritize based on severity, exploitability, and customer impact.
- We coordinate remediation and disclosure timing where appropriate.
- GeoClear will not pursue legal action against researchers who conduct good-faith testing, avoid privacy violations and service disruption, report findings promptly, and comply with this policy.
Important note: This is a coordinated vulnerability disclosure policy, not a public bug-bounty program. GeoClear does not currently promise monetary rewards unless separately agreed in writing. Public credit may be provided with the researcher’s consent, where appropriate.
Data protection
- Encryption in transit: modern transport security with HSTS enforced.
- Encryption at rest: hardware-managed encryption keys.
- API key storage: stored as one-way hashes; we cannot recover a key if you lose it.
- Network isolation: PostgreSQL database in a private network, not publicly reachable.
- Tenant isolation: every API request is scoped to the key's tenant; no cross-tenant data access paths exist.
Access controls
- Least-privilege role-based access across all infrastructure.
- MFA required on every engineer account.
- Production console access limited to on-call engineers.
- Secrets stored encrypted in a managed vault, never in code; rotated on schedule.
Monitoring and incident response
- Centralized log aggregation, error monitoring, and metrics on every service tier.
- Synthetic monitors for core endpoints every 60 seconds.
- Public status page at geoclear.io/status.
- Incident history and postmortems published when a user-impacting event occurs.
Compliance
- GDPR / CCPA: we process personal data as described in our Privacy Policy; data-subject requests are actioned within 30 days.
- Vertical compliance: See the Compliance & Governance brief for vertical-specific evidence models.
Sub-processors
Current list at privacy policy §5. We notify customers by email 30 days before adding a new sub-processor that processes customer data.
Verify operational evidence locally.
Change one byte in a signed evidence packet and watch local verification reject the tampered proof. After the verifier and retained verification material are loaded, verification runs locally. GeoClear’s application servers do not participate in the verification result.
A receipt issued today remains verifiable years later from the receipt and the verification material the customer retained at decision time, independent of GeoClear’s continued operation. Server-side integrations can use our SDK; client-side verification runs entirely in the customer’s browser. The full key-distribution model and key-rotation policy live in our Security & Verification Whitepaper (NDA · for procurement and security review).
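As an added illustration of the local verification described above (this is example code written for this page, not GeoClear's SDK, verifier, or bundle format), the Go program below models a customer-held evidence bundle and verifies it entirely from retained material. The type and function names (Receipt, Bundle, Issue, Verify, FlipByte) are hypothetical, the receipt fields are constructed sample values, and Ed25519 over the exact issued bytes is assumed as the signature scheme; the real key-distribution and rotation model is in the whitepaper referenced above. It shows the three checks an offline verifier needs (retained public key matches the manifest, retained receipt matches the manifest, signature verifies over the receipt bytes), then changes one byte of the signed packet and shows that recomputing the manifest does not rescue the forged receipt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is a hypothetical, simplified operational evidence receipt.
// Field names are constructed for this example, not GeoClear's schema.
type Receipt struct {
	ReceiptID     string `json:"receipt_id"`
	IssuedAt      string `json:"issued_at"`
	Action        string `json:"action"`
	Destination   string `json:"destination"`
	ApprovalState string `json:"approval_state"` // e.g. "required_and_present"
	InputDigest   string `json:"input_digest"`   // commitment to the inputs checked at issuance
}

// Bundle is the customer-held evidence bundle: everything the verifier needs, nothing remote.
type Bundle struct {
	Receipt   []byte            // exact receipt bytes as issued; these are what was signed
	Signature []byte            // Ed25519 signature over Receipt
	PublicKey ed25519.PublicKey // verification material retained at decision time
	Manifest  map[string]string // component name -> SHA-256 hex digest
}

// Digest returns the lowercase hex SHA-256 of b.
func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// NewIssuerKey generates the issuer's Ed25519 key; only the public half ships in a bundle.
func NewIssuerKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// SampleReceipt returns constructed sample content for the demonstration.
func SampleReceipt() Receipt {
	return Receipt{
		ReceiptID:     "rcpt-example-0001",
		IssuedAt:      "2026-05-31T12:00:00Z",
		Action:        "tool_call:send_invoice",
		Destination:   "erp.internal.example",
		ApprovalState: "required_and_present",
		InputDigest:   Digest([]byte("constructed input snapshot")),
	}
}

// Issue models the issuer side: serialize the receipt, sign those exact bytes,
// and record a digest of every retained component in the manifest.
func Issue(priv ed25519.PrivateKey, r Receipt) (Bundle, error) {
	raw, err := json.Marshal(r)
	if err != nil {
		return Bundle{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return Bundle{
		Receipt:   raw,
		Signature: ed25519.Sign(priv, raw),
		PublicKey: pub,
		Manifest: map[string]string{
			"receipt":               Digest(raw),
			"verification_material": Digest(pub),
		},
	}, nil
}

// Verify runs entirely from bundle contents; no network call is in the path.
// Manifest checks tell the reviewer which retained artifact drifted; the
// signature check decides whether the receipt is what the issuer signed.
func Verify(b Bundle) error {
	if len(b.PublicKey) != ed25519.PublicKeySize {
		return errors.New("verification material is not a valid Ed25519 public key")
	}
	if b.Manifest["verification_material"] != Digest(b.PublicKey) {
		return errors.New("retained public key does not match manifest digest")
	}
	if b.Manifest["receipt"] != Digest(b.Receipt) {
		return errors.New("retained receipt does not match manifest digest")
	}
	if !ed25519.Verify(b.PublicKey, b.Receipt, b.Signature) {
		return errors.New("signature does not verify over the retained receipt bytes")
	}
	return nil
}

// FlipByte returns a copy of b with one bit of byte i inverted; b itself is untouched.
func FlipByte(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i%len(out)] ^= 0x01
	return out
}

func main() {
	priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	b, err := Issue(priv, SampleReceipt())
	if err != nil {
		panic(err)
	}
	fmt.Println("intact bundle:", Verify(b)) // <nil> means accepted

	t := b // struct copy; Receipt and Manifest are replaced below, not mutated
	t.Receipt = FlipByte(b.Receipt, 40)
	fmt.Println("one byte changed:", Verify(t))

	t.Manifest = map[string]string{"receipt": Digest(t.Receipt), "verification_material": Digest(b.PublicKey)}
	fmt.Println("manifest recomputed too:", Verify(t))
}
```

The order of checks is deliberate: a manifest mismatch points at a specific drifted artifact, while the signature check is the one an attacker who can rewrite the manifest cannot satisfy without the issuer's private key, which is exactly why the public key must be retained at decision time rather than fetched at verification time.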
Seeing a 403, a blank page, or a stale verifier response?
Hard-reload first (Cmd/Ctrl + Shift + R); most edge-cache blips resolve there.
If it persists, include the full response headers (browser dev-tools → Network tab → click the request → Response Headers) with any report to security@geoclear.io.
The edge identifiers in those headers let us trace the exact request that failed.
Last updated: 2026-05-31
GeoClear issues signed operational evidence receipts for AI actions, tool calls, and workflow decisions. The signed evidence bundle is tamper-evident, and verifiers detect modification. GeoClear does not provide legal certification and does not certify the real-world truth of upstream data sources.