AIP defines protocol-level compliance invariants that ensure privacy, transparency, and verifiability. AIP does not define retention policies, audit procedures, incident response, or regulatory frameworks. Compliance is enforced through protocol constraints, not operator policies.

1. TL;DR

AIP guarantees compliance through protocol-level invariants: data minimization, deterministic message flow, and cryptographic verifiability. The protocol does not define how operators, platforms, or brand agents implement compliance procedures.

2. Compliance Philosophy

AIP enforces compliance through protocol constraints, not policy or trust:
  • Data minimization: The protocol never requires personal identifiers or raw user data
  • Deterministic message flow: All billable actions are cryptographically verifiable and traceable
  • Cryptographic verifiability: Every settlement outcome can be independently verified
Compliance is a property of the protocol’s design, not a checklist of operator behaviors.

3. Protocol-Level Compliance Invariants

The protocol guarantees the following compliance invariants:

| Invariant | Description |
| --- | --- |
| No raw personal data required | The protocol never mandates personal identifiers, user names, email addresses, or other personally identifiable information |
| Cryptographically verifiable actions | All billable actions (exposures, clicks, conversions) are cryptographically verifiable and cannot be unilaterally fabricated |
| Single serve_token settlement | Every settlement is traceable to a single serve_token from the original auction |
| No unilateral value fabrication | No participant can unilaterally create billable events or settlement outcomes |
| Intent-only context | Brand Agents receive only anonymized intent context, never raw user queries or personal data |
| Deterministic outcomes | Settlement outcomes are deterministic and reproducible from verifiable event sequences |

Operators implement their own compliance procedures, retention policies, and audit systems. The protocol only constrains what data flows and how it is structured.

4. Data Scope and Ownership (Invariants Only)

The protocol defines data ownership and scope through invariants:
  • Platforms control user consent and identity: Platforms are responsible for user consent, identity management, and data collection. The protocol does not define consent mechanisms.
  • Operators verify events and enforce invariants: Operators verify events and enforce protocol-level invariants. The protocol does not define verification procedures.
  • Brand Agents receive only anonymized intent context: Brand Agents receive ContextRequest objects that contain intent signals, not raw user data. The protocol guarantees this separation.
  • The protocol never requires personal identifiers: No AIP message schema requires personal identifiers, user names, or other PII.
The protocol enforces data minimization by design, not through policy.

5. Regulatory Neutrality

AIP does not encode jurisdiction-specific rules or regulatory frameworks. The protocol is designed to be compatible with privacy and financial regulations without embedding them.
  • The protocol does not mandate GDPR, CCPA, PCI DSS, SOC 2, ISO 27001, or any other specific regulatory compliance
  • The protocol does not define retention durations, audit procedures, or incident response protocols
  • The protocol does not prescribe tax handling, financial reporting, or regulatory filing requirements
Operators, platforms, and brand agents implement their own regulatory compliance according to applicable laws and standards in their jurisdictions.

6. What AIP Does NOT Define

The protocol explicitly does not define:
  • Retention durations: How long data, events, or records must be stored
  • Ledger schemas: Specific ledger structures, database models, or storage formats
  • Wallet architecture: Wallet implementations, balance storage, or transaction models
  • Tax handling: Tax calculation, reporting, or withholding procedures
  • Audit processes: Audit procedures, audit firm requirements, or audit trail formats
  • Incident response: Breach procedures, key rotation policies, or recovery protocols
  • Disclosure formats: Ad labeling requirements, consent UI, or transparency mechanisms
  • Regulatory frameworks: Specific compliance with GDPR, CCPA, PCI DSS, SOC 2, ISO 27001, or other standards
These are implementation concerns that operators, platforms, and brand agents address according to their own requirements.

7. Guarantees

The protocol guarantees:
  • Privacy preservation: The protocol never requires personal identifiers or raw user data. Brand Agents receive only anonymized intent context.
  • Non-repudiation: All billable actions are cryptographically verifiable. Participants cannot deny authenticated messages they sent.
  • Auditability via cryptographic linkage: Every settlement outcome is traceable to a single serve_token and can be independently verified through cryptographic linkage.
  • Deterministic settlement outcomes: Settlement outcomes are deterministic and reproducible from verifiable event sequences. No participant can unilaterally fabricate value.
The protocol does not guarantee specific regulatory compliance, retention policies, or audit procedures. Operators implement their own compliance systems to enforce these protocol-level guarantees within applicable regulatory frameworks.

Summary

AIP defines protocol-level compliance invariants that ensure privacy, verifiability, and deterministic outcomes through cryptographic constraints. The protocol does not define how operators implement compliance procedures, retention policies, or regulatory frameworks.