Platform
Cryptographic Erasure
Right to Erasure →

STACCR™ · Cryptographic Erasure Engine

Provable destruction,
not promised deletion.

When a key is destroyed, every ciphertext it ever protected becomes permanently unrecoverable — across every backup, replica, and AI context store — without touching any of them. That's the proof. Not a log entry saying a job ran.

See how it worksApply for design partner access

Pre-GA: STACCR's erasure engine is architected and under active design-partner engagement. This page demonstrates the designed mechanism — not a shipping product.

The Problem

Deletion tells systems to forget. It can't prove they did.

Distributed copies

When context propagates — to a CRM, a data warehouse, an AI agent's memory — each system received a copy. Deletion must reach all of them. Most can't confirm it did.

Append-only stores

Backups, audit logs, WORM archives, and vector databases are structurally resistant to deletion. You can't overwrite what you're forbidden from overwriting.

No shared proof

There is no cryptographic primitive behind a deletion API call. Every 'DELETE' is a promise. The requesting party has no way to verify the promise was kept.

AI context leakage

AI agents embed context into model state, fine-tuning sets, and memory stores. No deletion API exists for embedded context — but a key can govern all of it.

How It Works

One key governs every copy. Destroy the key, invalidate all of them.

Every context token is encrypted with a User Encryption Key (UEK) that never leaves the KMS. Downstream adapters — CRMs, warehouses, AI agents — receive only ciphertext. The key is what unlocks access. When erasure is requested, the key is destroyed. The ciphertext remains, but it becomes permanently meaningless. No downstream system needs to cooperate.

Step through the erasure sequence

Key Lifecycle State

Active

Scheduled

Destroying

Deleted

Verified

Destruction Sequence

Generate erasure request

Revoke decrypt access via KMS ACL

Destroy UEK key material

Notify adapters via propagation registry

Issue cryptographic erasure certificate

The Proof

Every erasure produces a verifiable certificate.

After key destruction and adapter acknowledgment collection, STACCR issues a cryptographic erasure certificate — a signed, structured record containing the destruction token, FIPS 140-3 L3 attestation, all adapter acknowledgments, and a regulation mapping. The certificate is stored in an immutable audit ledger and can be exported for regulatory submission.

Verifiable Erasure Certificate

Sample — redacted, pre-GA format

Issuer

STACCR™ / Context Layer Systems

{
  "certificate_id": "cert_01HXYZ9Q2...",
  "subject_id": "[REDACTED]",
  "dek_versions_destroyed": ["v1", "v2", "v3"],
  "destruction_confirmation_token":
    "[REDACTED — held by customer KMS]",
  "test_decryption_result":
    "FAILED — token unrecoverable",
  "adapter_acknowledgments": [
    { "adapter_id": "adp_crm_01...", "status": "ACKNOWLEDGED", "signed": true },
    { "adapter_id": "adp_analytics_02...", "status": "ACKNOWLEDGED", "signed": true },
    { "adapter_id": "adp_ai_agent_03...", "status": "ACKNOWLEDGED", "signed": true }
  ],
  "issued_at": "2026-06-11T17:42:09Z",
  "issuer": "STACCR™ / Context Layer Systems"
}

HMAC-SHA256 signed · Immutable audit ledger entry · Regulatory evidence

Signed

Today this certificate is signed by STACCR. The designed end state is a published verification key allowing any party holding the certificate to confirm its authenticity independently — no trust in the issuer required. That capability is on the pre-GA roadmap.

Regulatory Coverage

Designed to satisfy erasure obligations across major frameworks.

The following mapping reflects how STACCR's erasure architecture is designed to address each regulation's specific requirements. All language uses "designed to" framing — STACCR is pre-GA and makes no present-tense compliance certification.

GDPR

Art. 17

Right to erasure ('right to be forgotten'): controller must erase personal data without undue delay.

Cryptographic key destruction renders all copies computationally inaccessible simultaneously, with verifiable proof.

CCPA

§1798.105

Consumers may request deletion of personal information collected by a business or service provider.

Erasure certificate with adapter acknowledgments provides documented evidence of purge across all connected systems.

HIPAA

§164.312(a)(2)(iv)

Encryption and decryption: implement mechanism to encrypt and decrypt ePHI. Destruction must render data unreadable.

AES-256-GCM key destruction meets NIST SP 800-88 standards; FIPS 140-3 L3 attestation provided.

LGPD

Art. 18 VI

Data subjects have the right to deletion of unnecessary or excessive personal data.

Key destruction propagates across all registered adapters; signed certificate is issued per request.

AI Act

Art. 10(5)

Where necessary, providers shall ensure training data can be erased and verified erased from deployed models.

CCL context tokens in AI agent memory stores are governed by the same key — destruction revokes all copies including embedded context.

Design Partners

We're co-designing the implementation with security-first teams.

If your team is responsible for demonstrable erasure across AI systems, distributed data pipelines, or multi-tenant SaaS — and you want to shape what the certificate format, adapter contract, and audit export look like — we'd like to work with you.