OCSS Specification / CapabilityDraft 4 · pre-release

Receipt

Cryptographically signed events and regulatory reporting.

What Receipt does

One signed receipts layer for every regulator request.

When a state AG, the FTC, or a plaintiff’s attorney asks “show me every block enforced for jurisdiction X under provision Y in the last 90 days,”most platforms can’t answer. Their enforcement events live in a dozen logs across a dozen systems with no chain-of-custody, no signature, and no statute citation.

Receipt is the receipts layer. Every Phosra enforcement decision — every block, every consent grant, every age signal verification, every CSAM detection — is cryptographically signed at the moment it happens, stamped with the statute citation that triggered it, and held in a tamper-evident append-only log. State AG submission portals, NCMEC’s CyberTipline, and the EU eSafety commission reporting channels read directly from Receipt.

A platform’s response to a regulator goes from a six-week subpoena exercise to a 30-second query. The chain-of-custody required for litigation evidence (CA AB 2, NY S8102) is built into every event by default.

How partners plug in

Receipt is a socket. Signed events flow out. Regulator portals read directly.

These are the downstream regulator submission channels and attestation frameworks Receipt writes to — either shipping today, in conversation with a partner, or pending an upstream pilot.

Powered byReceipt
NCMEC CyberTipline — signed CSAM detection event submissionPending pilot
Powered byReceipt
State AG submission portals — TX / UT / CA / NY (mappings shipped)Mappings shipped
Powered byReceipt
AICPA-style attestation framework — cryptographic chain-of-custody (in conversation)Design partner candidate
Standards & laws

What Receipt does for each statute.

  • 18 U.S.C. § 2258A (CSAM mandatory reporting)— produces the signed event submission package.
  • CA AB 1700 (eSafety commissioner reporting)— auto-routes to the state reporting channel.
  • CA AB 2 + NY S8102 (platform liability evidence) — captures and preserves harm-event traces.
  • FTC consent decrees + Disney 2025 settlement— produces the audit-trail compliance report.
  • EU DSA Art. 24 (transparency reporting)— generates the periodic transparency dump.
  • Australia eSafety Commissioner (BOSE Codes)— formats reports per the Australian schema.
  • 18 U.S.C. § 2258B— preserves CSAM-detection chain-of-custody for prosecution.
Conformance

Adopter Tier 1 certification.

To ship Receipt-conformance for an Adopter Tier 1 certification, your implementation must pass the Receipt suite. Test count is [draft] coming Q3 2026. The suite covers cryptographic signature integrity, statute-citation correctness, append-only log tamper-evidence, and regulator-portal submission interop.

We are co-authoring the suite with our design partners. If you want a seat at the table while the bar is being set, reach out.

Rule list

The 10 rules Receipt ships

Every rule below is implemented by this capability. Pulled directly from the rule registry.

  • Intermediary Signature
  • Sender Signature
  • Minor Data Sale Audit LogSigns and archives an audit log for every minor data transaction; regulators replay against the log.
  • Parental Attestation CertificateEmits a signed parental-attestation certificate every regulator can verify against the Charter's public key.
  • AI Toy Safety CertificationRequires AI-enabled toys to present a current safety certification before activation in a household with minors.
  • CSAM ReportingAutomates detection and reporting workflows for child sexual abuse material across platforms.
  • eSafety Commission ReportingStreams enforcement events to the Australian eSafety Commission's required reporting endpoint.
  • Platform Liability Evidence CaptureCaptures and signs evidence of platform compliance posture for use in adopter liability defense.
  • NCII TakedownMandatory 48-hour removal of nonconsensual intimate imagery (NCII) and AI deepfakes under the TAKE IT DOWN Act (federal, signed May 2025) and DEFIANCE Act. A victim or parent issues a signed takedown directive; the platform removes the content and emits a signed §8.3.8 enforcement_result receipt as auditable proof of compliance.
  • Harm Report IntakeSigned receipt that a minor-harm report was received and substantively responded to within the statutory SLA (KIDS Act §215).
Implement it

Implementing Receipt? Talk to us.