We run Project AIR on our own infrastructure.
Every Vindicara API request and dashboard auth event is recorded as a signed AgDR record using
the same airsdk library customers use. Each
chain is anchored to public Sigstore Rekor. The published JSONL has bodies redacted to
BLAKE3 hashes, but the cryptographic ordering is preserved end-to-end.
This is not a marketing dashboard. The data below is read from a public S3 bucket every page
load, and the Rekor log index it points to is checked against the public Sigstore transparency
log. To verify a chain yourself: pip install projectair, curl the chain JSONL to a file, then air verify-public /tmp/chain.jsonl.
Records are signed in-process at the moment of action by the same library customers use. Anchoring is async via a separate cron Lambda. The signature on each record was produced inside the Lambda that emitted it, not by a downstream reconstruction.
Default deny. Only fields explicitly whitelisted per event kind appear in clear in the public chain. Everything else is replaced by a BLAKE3 hash of the original value. Signatures cover the unredacted internal records; the public JSONL is for narrative, and the Rekor anchor binds the chain root.