Privacy Claims Token
Open Specification
An open, portable format for expressing, signing, and verifying the data obligations that govern how a dataset may be lawfully processed, transferred, or used.
v0.1 · Draft for Public Comment · CC BY 4.0
Portable
PCT travels with data through systems and pipelines as a signed token, enabling verification at every enforcement point.
Cryptographically Signed
Claims are tamper-evident using RS256 or HS256 signatures, following the JWT model from RFC 7519.
Jurisdiction-Neutral
Core schema supports GDPR, HIPAA, EU AI Act, DORA, and any framework via extension namespaces.
Audit-First
Every verification event produces a structured, tamper-evident audit record automatically.
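An added example (not part of the PCT specification or any PCT reference code) of what an enforcement point could do with an HS256-signed token in the JWT style: pin the algorithm on the verifier side, compare the MAC in constant time, and write an audit record for every verification. The claim names, the key, and the hash-chained audit layout are assumptions made for illustration; the page does not define them.

```python
import base64, hashlib, hmac, json

# Constructed sample values; claim names are hypothetical, not PCT schema fields.
KEY = b"constructed-demo-key-not-for-production"
CLAIMS = {"purpose": "analytics", "jurisdiction": "EU"}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, key):
    """Return (claims, reason); claims is None when the token is rejected."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:
        return None, "malformed"
    # The verifier decides the algorithm. A header asking for "none" or
    # for a different algorithm than the key was issued for is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "alg_not_allowed"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad_signature"
    return json.loads(b64url_decode(p64)), "ok"

def audit_record(prev_hash, token, reason):
    """Hash-chained entry: editing an earlier record breaks every later hash."""
    body = {"prev": prev_hash, "result": reason,
            "token_sha256": hashlib.sha256(token.encode()).hexdigest()}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body
```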