Trust
What a VCC proves — and what it does not.
A Verifiable Calculation Certificate makes a calculation checkable by anyone, offline, without trusting us. That is a precise, narrow guarantee. The most important part of trusting VCC is understanding where that guarantee stops — so both are on this page, with equal weight.
The two lists
A signature is a strong statement about a record and a weak statement about the world. Read both columns together — the right one is not a disclaimer, it is half of the model.
What VCC proves
Authenticity
The receipt was signed by the key it claims, using Ed25519. A verifier checks the signature against the issuer's public key — no network round-trip required.
Integrity
Nothing in the receipt changed after signing. Alter one input, one output, one formula version or one byte, and verification fails.
Attribution to a key
The signature ties the receipt to a specific signing key. It attributes the receipt to whoever holds that key — which is a narrower claim than trusting the issuer.
What the issuer attested to
The receipt records the issuer's explicit claims — inputs received, formula package executed, dataset snapshots used, numeric profile applied, output produced, time of issuance — not a vague "signed by".
Reproducibility, when the package resolves
When the formula package and dataset snapshots are available, the calculation can be re-run and the output re-derived independently. Reproduction is reported separately from the signature — it is not implied by it.
What VCC does not prove
That the inputs are true
A receipt records the inputs that were used. It cannot know whether they reflect reality, whether a source was correct, or whether someone entering them was honest.
That the formula is appropriate
The receipt pins which formula ran and which version. It does not judge whether that formula was the right one to use, or whether it is legally or scientifically appropriate for the case.
Legality or compliance
A valid signature is not a statement that the calculation, its output, or the decision built on it satisfies any law, regulation or standard.
The absence of fraud
A perfectly signed, perfectly reproducible receipt can still describe a calculation that was set up to mislead. Cryptography protects the record, not intent.
That the issuer is trustworthy
Attribution to a key is not an endorsement. Whether a given verifier should trust a given issuer is a judgment the protocol deliberately leaves to that verifier.
That a decision is valid
A receipt is evidence about a calculation. Whether the resulting decision is fair, wise or correct is out of scope — and always remains a human responsibility.
One line to carry away: a VCC does not replace an audit, a professional judgment, or a decision. It gives those a stronger, more portable starting point — the evidence a bare number usually loses.
How trust is kept
The guarantees above rest on concrete practices. Each is documented in full on its own page — summarized here, not duplicated.
Security
Enforced transport and browser headers, passwordless authentication, API keys hashed at rest, Ed25519 signing with the private key confined to the server runtime. No certification is claimed that does not exist.
Privacy
What is collected and retained, and what is not. IP addresses used for rate limiting are stored SHA-256 hashed, never in the clear; free-tool inputs are processed to compute a result and are not tied to an account.
Key lifecycle
Signing keys are generated, published and — when needed — rotated and revoked. A receipt records which key signed it and when, so a verifier can reason about a signature made before or after a rotation.
Formula governance
Formulas are versioned and pinned by a deterministic package manifest. "Which formula, which version" is a recorded fact, and a change to a formula is a new version, not a silent edit.
Dataset governance
External data — benchmarks, indicators, reference rates — is captured as point-in-time snapshots with a stated vintage and retrieval date, refreshed periodically rather than fetched live. A receipt records the snapshot it used.
Transparency and governance
The protocol is designed to be implementable by anyone: open licensing, a neutrality requirement, a public decision process, and adoption gates so public claims only escalate when they are earned.
Incident response
If a key is compromised or a formula is found to be wrong, the point of the protocol is that the damage is bounded and inspectable. A revoked key stops signing new receipts, and receipts already issued can be re-evaluated against the revocation. A corrected formula is a new version, so past receipts still show — provably — which version they used. That turns “what did this affect?” from an open-ended investigation into a structured query over signed records.
To report a suspected security issue, email privacy@calcfleet.com. Please allow a reasonable window to investigate and remediate before public disclosure.
Limitations
A calculator is a model, and a receipt is a record of running one. A result is only as good as the assumptions entered, external data has a vintage, and no signature makes a modeled figure a promise about the future. The full set of caveats — including why there is no single “verified” verdict — is on the limitations page.
