---
title: Vault Receipts (EU Compliance)
description: Ensure absolute log integrity and non-tampering of prompt templates with cryptographically signed vault receipts for regulatory compliance.
---

> **INFO**
> **Premium & Enterprise Feature Only**  
>   This feature is available only for Premium and Enterprise customers, meant to fulfill EU AI Act Article 12 high-risk AI requirements. To activate this, the company superadmin must sign the **AI Act Cooperation Addendum (AACA)** from the [Agreements](https://prompteasy.eu/dashboard/agreements.md) page and enable **High-risk AI** from the [Plan Management](https://prompteasy.eu/dashboard/plan.md) page.

Under regulatory auditing requirements for high-risk AI systems (such as **Article 12** of the EU AI Act), standard usage logs are often insufficient. Auditors and compliance officers demand absolute proof of log integrity and non-tampering.

To satisfy this, PromptEasy.EU provides automated **Cryptographic Vault Receipts**. Whenever a prompt template is modified, versioned, or executed, the system captures the exact state and signs it cryptographically to prove it has not been retroactively altered.

---

## How It Works

PromptEasy.EU secures auditing logs through a multi-step cryptographic verification flow that runs automatically in the background:

1. **Deterministic Serialization**: When a prompt event occurs, the system compiles the exact template state (title, system message, prompt template, parameters, model, and metadata) and user timestamp, sorting the keys deterministically.
2. **Zero-Knowledge CipherSweet Encryption**: Sensitive data such as prompt templates and system messages is stored with field-level **Spatie CipherSweet** encryption under tenant-specific keys, ensuring that your core AI instructions remain zero-knowledge.
3. **SHA-256 Hash Generation**: A SHA-256 hash is computed over this deterministic state payload.
4. **HMAC-SHA-256 Signature**: The hash is signed with the application key using `HMAC-SHA-256`, creating a tamper-evident cryptographic seal. HMAC is a keyed (symmetric) construction, so verifying a receipt requires the same application key that produced it.

Because any alteration to the metadata, the timestamp, or the prompt state changes the hash and signature, this provides court-admissible mathematical proof of log integrity.
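The serialize, hash, and HMAC steps above, shown as an added Python example (not PromptEasy.EU's own code). It assumes canonical JSON as the deterministic serialization, hypothetical field names, and a constructed key; the CipherSweet encryption step is left out.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real key would come from a secret store.
APP_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical_bytes(state: dict) -> bytes:
    """Sorted keys and fixed separators: equal states always give equal bytes."""
    return json.dumps(state, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def issue_receipt(state: dict, key: bytes = APP_KEY) -> dict:
    """Return the SHA-256 state hash and the HMAC-SHA-256 seal over that hash."""
    state_hash = hashlib.sha256(canonical_bytes(state)).hexdigest()
    signature = hmac.new(key, state_hash.encode("ascii"), hashlib.sha256).hexdigest()
    return {"state_hash": state_hash, "signature": signature}


def verify_receipt(state: dict, receipt: dict, key: bytes = APP_KEY) -> bool:
    """Recompute hash and seal from the stored state; compare in constant time."""
    expected = issue_receipt(state, key)
    hash_ok = hmac.compare_digest(expected["state_hash"], receipt["state_hash"])
    sig_ok = hmac.compare_digest(expected["signature"], receipt["signature"])
    return hash_ok and sig_ok


# Constructed sample event; field names are assumptions based on the list above.
SAMPLE_STATE = {
    "event": "modified",
    "timestamp": "2025-01-15T09:30:00Z",
    "title": "Support triage",
    "system_message": "You are a support assistant.",
    "prompt_template": "Classify this ticket: {{ticket}}",
    "parameters": {"temperature": 0.2, "max_tokens": 256},
    "model": "example-model",
    "metadata": {"actor": "admin@example.com"},
}

if __name__ == "__main__":
    receipt = issue_receipt(SAMPLE_STATE)
    print("verified:", verify_receipt(SAMPLE_STATE, receipt))
    tampered = dict(SAMPLE_STATE, timestamp="2025-01-14T09:30:00Z")
    print("tampered verified:", verify_receipt(tampered, receipt))
```

A stored record whose SHA-256 hash is recomputed after an edit still fails verification, because the HMAC cannot be regenerated without the application key.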

---

## Access & Plan Limits

- **Roles**: Only **Admin** and **Superadmin** roles can view and verify vault receipts.
- **Plans**: Vault Receipts are exclusive to **Premium** and **Enterprise** plans. Standard plan users do not have access to this section.
- **Deletion Immunity**: If a prompt or version history is deleted by a user, the corresponding vault receipt **remains intact** for audit continuity. The prompt ID is set to `null`, but the decrypted template contents remain preserved in the receipt. Receipts are permanently deleted only if the entire tenant undergoes deletion.

---

## Verifying Receipt Authenticity

Compliance officers can browse and verify receipts directly from the dashboard:

1. Navigate to the **Audit Log** page and select the **Vault Receipts** tab.
2. The list displays the event type (`modified`, `versioned`, or `executed`), the responsible actor, the timestamp, and a truncated SHA-256 state hash.
3. You can verify a receipt in two ways:
   - **Inline Verification**: Click the **Verify** button directly in the table row.
   - **Detailed Receipt View**: Click the **View Details** (eye icon) to open the full drawer containing complete details.

### Understanding Verification Statuses

Inside the details drawer, click **Verify Authenticity** to run a real-time mathematical validation against the server signature. The interface will display one of the following states:

- **Pending (Unverified)**: The receipt's signature has not yet been validated in the current session.
- **Verifying**: The system is fetching data and re-calculating the HMAC signature.
- **Log Integrity Verified (Green)**: The SHA-256 hash and HMAC-SHA-256 digital signature are fully valid, mathematically proving the log has not been retroactively altered.
- **Verification Failed (Red)**: A signature mismatch was detected. This warning alerts you that the record or prompt template state has been altered, deleted, or corrupted in the database.