Receipt
Cryptographically signed events and regulatory reporting.
One signed receipts layer for every regulator request.
When a state AG, the FTC, or a plaintiff’s attorney asks “show me every block enforced for jurisdiction X under provision Y in the last 90 days,”most platforms can’t answer. Their enforcement events live in a dozen logs across a dozen systems with no chain-of-custody, no signature, and no statute citation.
Receipt is the receipts layer. Every Phosra enforcement decision — every block, every consent grant, every age signal verification, every CSAM detection — is cryptographically signed at the moment it happens, stamped with the statute citation that triggered it, and held in a tamper-evident append-only log. State AG submission portals, NCMEC’s CyberTipline, and the EU eSafety commission reporting channels read directly from Receipt.
A platform’s response to a regulator goes from a six-week subpoena exercise to a 30-second query. The chain-of-custody required for litigation evidence (CA AB 2, NY S8102) is built into every event by default.
Receipt is a socket. Signed events flow out. Regulator portals read directly.
These are the downstream regulator submission channels and attestation frameworks Receipt writes to — either shipping today, in conversation with a partner, or pending an upstream pilot.
What Receipt does for each statute.
- 18 U.S.C. § 2258A (CSAM mandatory reporting)— produces the signed event submission package.
- CA AB 1700 (eSafety commissioner reporting)— auto-routes to the state reporting channel.
- CA AB 2 + NY S8102 (platform liability evidence) — captures and preserves harm-event traces.
- FTC consent decrees + Disney 2025 settlement— produces the audit-trail compliance report.
- EU DSA Art. 24 (transparency reporting)— generates the periodic transparency dump.
- Australia eSafety Commissioner (BOSE Codes)— formats reports per the Australian schema.
- 18 U.S.C. § 2258B— preserves CSAM-detection chain-of-custody for prosecution.
Adopter Tier 1 certification.
To ship Receipt-conformance for an Adopter Tier 1 certification, your implementation must pass the Receipt suite. Test count is [draft] coming Q3 2026. The suite covers cryptographic signature integrity, statute-citation correctness, append-only log tamper-evidence, and regulator-portal submission interop.
We are co-authoring the suite with our design partners. If you want a seat at the table while the bar is being set, reach out.
The 10 rules Receipt ships
Every rule below is implemented by this capability. Pulled directly from the rule registry.
- Intermediary Signature
- Sender Signature
- Minor Data Sale Audit Log — Signs and archives an audit log for every minor data transaction; regulators replay against the log.
- Parental Attestation Certificate — Emits a signed parental-attestation certificate every regulator can verify against the Charter's public key.
- AI Toy Safety Certification — Requires AI-enabled toys to present a current safety certification before activation in a household with minors.
- CSAM Reporting — Automates detection and reporting workflows for child sexual abuse material across platforms.
- eSafety Commission Reporting — Streams enforcement events to the Australian eSafety Commission's required reporting endpoint.
- Platform Liability Evidence Capture — Captures and signs evidence of platform compliance posture for use in adopter liability defense.
- NCII Takedown — Mandatory 48-hour removal of nonconsensual intimate imagery (NCII) and AI deepfakes under the TAKE IT DOWN Act (federal, signed May 2025) and DEFIANCE Act. A victim or parent issues a signed takedown directive; the platform removes the content and emits a signed §8.3.8 enforcement_result receipt as auditable proof of compliance.
- Harm Report Intake — Signed receipt that a minor-harm report was received and substantively responded to within the statutory SLA (KIDS Act §215).