Etch

Etch provides the provenance primitive that every system of records needs but none actually have. AI agents are collapsing the SoR UI layer — what remains is authoritative data store + provenance + access control. Where Veeva has audit logs, Etch has math.

Key Features

• >Namespace Isolation: Per-tenant AuditChain instances — no cross-tenant visibility
• >API Key Auth: Stripe-style keys (`etch_live_sk_...`), SHA-256 hashed storage
• >Records API (v0.2.0): Full system-of-records — create, retrieve, list, proof, verify, chain/root
• >Legacy Proof API: Simple content timestamping — register, retrieve, lookup, verify
• >Merkle MMR Audit Chain: Every record is chained using a Merkle Mountain Range, making tampering cryptographically detectable
• >Privacy-Preserving: Raw content never stored — only SHA-256 hashes
• >Python SDK: `etch.records.create()`, `.verify()`, `.proof()`, `.list()`

How It Works

1. 1.1. `POST /v1/records` with your data, type, and metadata`POST /v1/records` with your data, type, and metadata
2. 2.2. Receive a receipt: record_id, namespace, content_hash, mmr_root, timestamp, chain_depthReceive a receipt: record_id, namespace, content_hash, mmr_root, timestamp, chain_depth
3. 3.3. Later, `POST /v1/records/{id}/verify` to prove the record hasn't been tampered withLater, `POST /v1/records/{id}/verify` to prove the record hasn't been tampered with
4. 4.4. `GET /v1/records/{id}/proof` returns the full Merkle inclusion proof — independently verifiable by any party`GET /v1/records/{id}/proof` returns the full Merkle inclusion proof — independently verifiable by any party

Use Cases

• >Clinical Trials: Tamper-evident audit trails from bench to FDA submission (21 CFR Part 11)
• >AI Agent Decisions: Every autonomous decision timestamped and cryptographically sealed
• >Content Provenance: Prove a story, image, or code existed before AI could replicate it
• >Patent Defense: Timestamp discoveries with mathematical proof of creation date
• >Compliance: EU AI Act Article 50 (deadline August 2026) requires provenance on AI-generated content

Revival Story

Poet (Po.et, YC W17) raised $11M to do this on Ethereum. It died under gas fees and blockchain overhead. Etch does the same thing with a simple REST API — no gas, no wallets, sub-100ms receipts — plus namespace isolation and API key auth that make it enterprise-ready.

Etch Assent

The first canonical application of Etch is **Assent** ([assent.to](https://assent.to)) — a client-side E2EE PDF signing app where every event is recorded to Etch's `/v1/records` API as a Merkle-chained receipt. Where DocuSeal and DocuSign hold the audit log themselves, Assent's audit trail is an independent Etch chain — verifiable without trusting the vendor. Passkey/WebAuthn signing, ESIGN/UETA + eIDAS Advanced compliant. The marketing line: *permanent proof of agreement, no vendor to trust*.

Traction

• >TrialSight integration: all 10 clinical data sources stamp to Etch
• >Assent live at assent.to as the verifiable e-signature alternative to DocuSeal
• >61 tests passing (22 for records API)
• >Production deployment with namespace isolation and API key auth

Tech Stack

FastAPI, Python, SQLAlchemy, PostgreSQL (Merkle chain persistence), SHA-256 cryptography. Stripe-style Python SDK.