Workspaces

A workspace is the top-level boundary for billing, API keys, plans, retention limits, and evidence exports.

Projects

Projects separate records inside a workspace. Use them for product areas, environments, or evidence domains. API keys, exports, receipt access, policy access, and activity links can be scoped to a project.

Events

Events are normalized records with:
  • actor: who or what performed the action.
  • action: the stable event name, such as billing.invoice.paid.
  • target: the object affected by the action.
  • occurredAt: when your system says the action happened.
  • metadata: structured context needed for review.
Lodger also records receivedAt, the API key identity, environment/server hints, request/session/trace context, and related-record references when provided.

Receipts

Every accepted event returns a receipt. The receipt is the citation you store next to your own domain object or show in internal support tooling. Receipts include the event hash and previous hash. If an event changes later, verification fails because the chain no longer matches.

Published policies are immutable snapshots. Consent records point to the policy version that was current when the user accepted or continued using the product. Use explicit consent for direct acceptance actions and implicit consent for flows where your product displays a notice and records continued use.

A legal hold is a project-level retention suspension. It does not edit old ledger records or mark individual events as held. Creating, reviewing, or releasing a hold appends a new ledger event to the project, and active holds stop retention purge and archive compaction jobs for that project’s records. Review dates are reminders, not automatic expiration. Releasing a hold only makes records eligible for normal retention again; it does not immediately delete anything.

Evidence exports

Evidence exports are ZIP packages, not one giant JSON file. A package contains a manifest, batched NDJSON records, receipt rows, consent rows, and a policy snapshot when available. The verifier reads the ZIP locally and checks hashes, summaries, receipt rows, consent coverage, policy attachment, and export scope without calling the backend once per event.
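The receipt chain described under Receipts, and the kind of local hash check an export verifier can run, shown as an added example that is not Lodger's own code. The hashing scheme (SHA-256 over the previous hash plus canonical JSON), the `hash` and `previousHash` field names, the all-zero genesis value and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first record in a chain


def event_hash(event: dict, previous_hash: str) -> str:
    """Hash the previous hash plus the canonical JSON form of the event (assumed scheme)."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append an event and return its receipt (hypothetical field names)."""
    previous = chain[-1]["receipt"]["hash"] if chain else GENESIS
    receipt = {"hash": event_hash(event, previous), "previousHash": previous}
    chain.append({"event": event, "receipt": receipt})
    return receipt


def verify(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    previous = GENESIS
    for index, record in enumerate(chain):
        receipt = record["receipt"]
        if receipt["previousHash"] != previous:
            return index  # link to the prior record is broken
        if event_hash(record["event"], previous) != receipt["hash"]:
            return index  # event content no longer matches its receipt
        previous = receipt["hash"]
    return -1


def build_sample_chain() -> list:
    """Constructed sample events using the fields listed under Events."""
    chain = []
    actions = ["billing.invoice.created", "billing.invoice.paid", "billing.invoice.refunded"]
    for n, action in enumerate(actions):
        append(chain, {
            "actor": "user_123",
            "action": action,
            "target": "invoice_456",
            "occurredAt": f"2024-01-0{n + 1}T00:00:00Z",
            "metadata": {"amount": 4200},
        })
    return chain
```

Editing an event is reported at that record; editing it and recomputing its own hash is reported at the next record, whose `previousHash` no longer matches.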