Developer Docs
Developer Overview
Start at the main docs hub.
Verification Lifecycle
Artifact submission, receipts, and later comparison.
API Overview
Public request and response model.
Security Model
Claims boundary and public-safe controls.
Architecture
Workflow fit and trust-boundary framing.
Threat Model
Threat assumptions and review posture.
What is TrustSignal?
TrustSignal is evidence integrity infrastructure for compliance artifacts. It issues signed receipts at ingestion, preserves verifiable provenance, and gives teams a reliable way to confirm that an artifact still matches the record that was originally reviewed.
Evidence integrity
TrustSignal preserves the integrity of compliance artifacts from the moment they enter review.
Signed receipts
Each attestation produces a signed receipt that can be stored beside the original artifact.
Verifiable provenance
Receipt metadata captures source, control context, and timestamps for later verification.
At a practical level, TrustSignal sits behind an existing compliance workflow rather than replacing it. A platform, internal system, or evidence collector continues to gather documents, exports, and snapshots in the normal way. TrustSignal adds a signed receipt when the artifact is ingested, so the artifact hash and related metadata are recorded at the moment the record enters review. That receipt becomes a durable reference point for later verification.
This matters because many compliance programs depend on artifacts that move through multiple systems, reviewers, and retention stages. Screenshots, documents, or exported control evidence can drift after collection, either through accidental changes or deliberate tampering. TrustSignal addresses that integrity gap by attaching signed receipts to compliance artifacts and preserving the provenance needed to evaluate them later. Instead of relying only on process history, teams can compare the current artifact to the receipted record and detect whether it still matches.
Signed receipts are central to the product. A receipt records the evidence source, the artifact hash, the relevant control or review context, and the attestation timestamp. Because the receipt is signed, it can be checked independently from the original collection workflow. That makes TrustSignal useful for security reviewers, compliance buyers, partner evaluators, and technical teams who need a clear answer to a simple question: does the artifact under review still correspond to what was originally collected?
Verifiable provenance is equally important. TrustSignal is not only about detecting drift; it is also about preserving the chain of context around an artifact so later review remains meaningful. Source identifiers, timestamps, and control mappings help teams understand where a record came from, when it entered the workflow, and what it was supposed to represent. That combination of provenance and signed receipts supports audit readiness without forcing organizations to replatform their evidence systems.
For users who want the broader product overview, the homepage explains how TrustSignal fits alongside compliance platforms and internal workflows. The security overview describes the public site boundary and operational safeguards. The developers page is the intended destination for implementation-oriented material, and the public codebase is available in the TrustSignal repository.
In short, TrustSignal is the integrity layer for compliance artifacts. It adds signed receipts, preserves verifiable provenance, and supports compliance artifact verification in a way that fits existing workflows. That definition is narrow by design: TrustSignal is not a replacement for your compliance platform, and it is not a generic document store. It is infrastructure for proving that important artifacts remain trustworthy after collection.