Status: Public Beta v0.1 · Regulations · Privacy-first · No blockchain
Regulations & Compliance
Hash-only, stateless, open verification. This page maps how TimeProofs aligns with the EU AI Act, GDPR, Data Act, and other frameworks.
Overview
Model. Hash on client. Timestamp via API. Verify publicly. No content upload. No user profiling.
Implication. Non-high-risk infrastructure posture for AI rules. Fits GDPR principles by design: minimization, purpose limitation, integrity, transparency.
TimeProofs complies with the spirit of the EU AI Act, Data Act, and GDPR by staying stateless, hash-only, and providing open verification endpoints.
EU Framework
| Regulation | Relevance | TimeProofs stance |
|---|---|---|
| EU AI Act | Classification, transparency | Infrastructure utility. No profiling. Public verify endpoint aids provenance and traceability. |
| GDPR | Data protection | Hash-only. No personal data by default. Controllers must avoid PII in meta fields. |
| Data Act | Portability, cloud neutrality | Multi-backend abstraction and BYOI planned. No user lock-in at protocol level. |
| eIDAS2 / QEAA | Qualified trust services | Protocol-agnostic. Future optional bridges possible. Current service is a non-qualified timestamp proof. |
| DSA / DMA | Platform obligations | B2B API, not a consumer platform. Transparency via public verify and open specification. |
Controllers remain responsible for legal basis and content handling. Do not upload originals to TimeProofs.
US & International
| Framework | Relevance | TimeProofs stance |
|---|---|---|
| NIST AI RMF | Risk management | Proofs support provenance, integrity controls, and auditability in AI/data pipelines. |
| US/State privacy laws | Data minimization | No content collected. Hash-only model reduces exposure and simplifies compliance. |
| International | Interoperability | Open spec, public verification URL, and JSON-LD metadata help cross-border audits. |
Data minimization
- No uploads. Only 64-hex SHA-256 hashes are sent to the API.
- Meta hints optional. Keep generic (e.g. “contract”, “dataset v3”). Avoid PII and secrets.
- Minimal records. Proofs store just hash, timestamp, signature, and optional small metadata.
{
  "hash": "<sha256_hex>",
  "meta": { "type": "file", "hint": "small-non-PII-note" }
}
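One way to enforce these rules on the client before anything is sent, as an added example (not TimeProofs code): it hashes content locally and builds the request body in the shape shown above. The hint length limit, the PII patterns, and all function names are assumptions, not part of the published protocol.

```python
import hashlib
import io
import re

HEX64 = re.compile(r"[0-9a-f]{64}")
# Assumed heuristics for data that should not appear in a meta hint.
PII_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "long digit run": re.compile(r"(?:\d[ -]?){9,}"),
    "secret-like token": re.compile(r"[A-Za-z0-9+/_=-]{32,}"),
}
MAX_HINT_LEN = 64  # assumed limit; the page only says "small"


def sha256_hex(stream, chunk_size=1 << 16):
    """Hash a binary stream locally, in chunks; the content is never sent."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hint_problems(hint):
    """Return the reasons a hint should not leave the client (empty if none)."""
    problems = ["too long"] if len(hint) > MAX_HINT_LEN else []
    return problems + [name for name, rx in PII_PATTERNS.items() if rx.search(hint)]


def build_request(hash_hex, hint=None, kind="file"):
    """Build the hash-only request body; refuse malformed hashes and risky hints."""
    hash_hex = hash_hex.lower()
    if not HEX64.fullmatch(hash_hex):
        raise ValueError("hash must be 64 hex characters (SHA-256)")
    body = {"hash": hash_hex}
    if hint is not None:
        problems = hint_problems(hint)
        if problems:
            raise ValueError("hint rejected: " + ", ".join(problems))
        body["meta"] = {"type": kind, "hint": hint}
    return body


if __name__ == "__main__":
    sample = io.BytesIO(b"constructed sample contract text\n")  # constructed input
    print(build_request(sha256_hex(sample), hint="dataset v3"))
```

The pattern checks are a coarse pre-filter; they reduce accidental leakage through the meta field but do not replace a controller's own review of what goes into hints.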
Audit & evidence
Each proof returns enough information to be reused as evidence in logs, tickets, and reports.
{
  "ok": true,
  "hash": "7c040f...d76c2",
  "ts": "2025-10-22T12:34:56.789Z",
  "sig": "<signature>",
  "alg": "HMAC-SHA256|Ed25519",
  "issuer": "timeproofs.io",
  "verify_url": "https://timeproofs.io/verify.html?hash=..."
}
Organizations can store verify_url alongside their own logs to prove integrity over time.
Status & references
- /api/ping returns HTTP 200 when the service is healthy.
- On failures, the API returns {"ok":false,"error":"…"} with appropriate 4xx/5xx codes.
- Rate limits (indicative): verify 60 rpm/IP, timestamp 30 rpm/token.
See also: Legal · Privacy · Protocol (ProofSpec).
This page is verified by TimeProofs
Timestamp created via TimeProofs API (public, privacy-first, no blockchain).