Protocol · Open Source

    EventChain

    A zero-trust provenance protocol for enterprise data integrity.

    EventChain is the cryptographic substrate inside Helios. A hash-chained, append-only proof layer that makes evidence portable, attributable, and independently verifiable without blockchain infrastructure.

    Helios is the preferred Hub. It applies the business logic, deciding which lifecycle actions deserve evidentiary weight, binding them to context, and routing them to the parties who need them. EventChain is the reason evidence travels beyond Helios and still verifies.

    JSONLSHA-256WebAuthnHTTP webhooksOpenTimestamps

    How a fact becomes proof

    01

    Attest

    A party signs an event with a WebAuthn passkey

    02

    Chain

    Hashed and linked, append-only, order preserved

    03

    Anchor

    Daily public time-anchor via OpenTimestamps

    04

    Verify

    Any authorised holder checks it, offline, in seconds

    evt 0xa1
    prev null
    evt 0xb2
    prev a1
    evt 0xc3
    prev b2
    01What it does

    One narrow claim, proven completely.

    EventChain does one thing well. It proves who attested to what, when, in which sequence, and whether the record changed afterward. That narrower claim is what makes it operationally useful.

    Who attested to what, when, in which sequence, and whether it changed.

    It does not certify that every source claim is factually true. It does not replace contracts, audits, calibration, or governance. It anchors itself in reality by making the cryptographic proof layer independent while leaving business trust where it belongs.

    02How it works

    Built from boring, auditable primitives.

    EventChain centralises proof generation in the Hub and distributes cheap verification to authorised holders. The components are deliberately boring primitives. Nothing requires a custom codec, a binary envelope, or a vendor SDK to parse or validate.

    JSONL

    Append-only event log. Human-readable, diff-friendly, trivially archived.

    SHA-256

    Hash-chains each event to the last. Any edit breaks the chain visibly.

    WebAuthn passkeys

    Binds every attestation to a real, hardware-backed signer identity.

    HTTP webhooks

    Distributes events to the parties entitled to hold them.

    OpenTimestamps

    Anchors the chain to public time daily. No blockchain to operate.

    Open verifier

    Confirms any append-only file, including one a different Hub produced.

    A verifier built from the specification can confirm any append-only file, whether past, present, or produced by a different Hub implementation. The open-source reference verifier performs three checks.

    01

    Hash continuity

    across the full chain

    02

    Signature validity

    against registered public keys

    03

    Temporal anchor

    confirmation against public time

    One system generates proof at speed. Many parties keep the ability to verify.
    03Why it matters for passports

    Records that outlive the company that made them.

    Digital Product Passport regulations require that product records stay verifiable beyond the existence of any single manufacturer, platform, or vendor. EU regulation 2024/1781 makes this explicit: lifecycle data must remain accessible, interoperable, and verifiable by external parties over the product lifetime. The same record is what IOGP JIP33 and CFIHOS ask for at handover.

    EU 2024/1781IOGP JIP33CFIHOS

    A proprietary proof format fails both requirements. It ties long-lived products to short-lived companies and forces every verifier to license tooling. EventChain is built for that mandate. Every component is a published standard with multiple independent implementations, and the open verifier ships with the protocol.

    04What EventChain is not

    Honest about the boundary.

    Is notThree things it deliberately is not
    • A blockchain
    • A consortium ledger
    • A substitute for ERP audit trails when one organisation controls the entire lifecycle

    It will not detect a plausible-looking false entry signed by an authorised actor, calibration drift on a sensor, or a contract clause that never got enforced. Those failure modes need process controls, audit culture, and physical safeguards. EventChain is honest about that boundary.

    05Whitepaper

    Read the full specification.

    The whitepaper covers the provenance problem, enterprise use cases, the technical mechanism, the economic model, verification boundaries, and the deployment path.

    Whitepaper · v1.0

    EventChain: zero-trust provenance for enterprise data

    Problem, mechanism, economic model, verification boundaries, and deployment path, in full.

    Authored by Raam Roche, CTO at Helionics · Published 1 May 2026

    Read the EventChain whitepaper

    Pairs with

    Put EventChain under your evidence.

    Read the full specification, or talk to the team about a deployment.