What does AffixIO actually do?

AffixIO is cryptographic proof infrastructure. It captures any consequential event, such as a payment, a credential check, a ticket scan, an entitlement granted, hashes it, generates a zero-knowledge proof, and anchors it in a tamper-evident Merkle tree signed with post-quantum cryptography. The result is an independently verifiable record that nobody can quietly rewrite after the fact.

What partnership tracks does AffixIO offer?

AffixIO offers four partnership tracks: platform and product integration for software companies embedding proof into their products; enterprise pilot programmes for regulated businesses; public sector and government pilots for departments needing verifiable decision records; and research and academic partnerships with university groups and standards bodies.

Which industries and sectors does AffixIO work with?

AffixIO works across financial services and fintech, healthcare and life sciences, events and transport (including ticketing and access control), public sector and government, supply chain and logistics, and legal, insurance, and professional services. The underlying proof infrastructure is sector-agnostic.

How long does an AffixIO pilot programme take?

A structured AffixIO pilot typically runs six to eight weeks: weeks one to two for scoping and integration design; weeks three to four for integration and configuration; weeks five to six for a live proof run; and weeks seven to eight for the pilot report. The report includes proof statistics, Merkle certificates, and regulatory mapping you can present to a board or regulator.

How does stateless QR code verification work?

With AffixIO, the QR code contains the cryptographic proof itself rather than pointing to a central database. A scanner verifies the proof locally, on-device, with no internet connection required. The proof encodes all validity conditions at the moment of issue and cannot be copied, forged, or used twice thanks to a spent-proof mechanism.

How do I contact AffixIO about a partnership?

Email partnership@affix-io.com with a brief description of your context and what you need to prove. AffixIO responds to every genuine enquiry within two business days.

AffixIO Partnerships & Pilots

Work with us to prove what matters, in any market

AffixIO is cryptographic proof infrastructure. We make it possible to prove that something happened correctly, a transaction, a credential check, a ticket scan, an entitlement granted, without exposing the underlying data and without trusting a central system to vouch for it. We partner with organisations across every sector to put that capability into production. Integrators can try scan-to-prove live on this page, or read WP-039.

What the AffixIO engine actually does

Whenever something consequential happens, a payment clears, a credential is checked, a ticket is issued, an entitlement is granted, a document is signed, AffixIO can capture it, hash it, and generate a zero-knowledge proof over it. That proof is anchored into a tamper-evident Merkle tree and signed with a post-quantum ML-DSA-65 signature. The result is an immutable, independently verifiable record, not a database entry you have to trust, a proof anyone can check.

The engine runs synchronously, at the moment the event occurs. There is no batch processing, no nightly export, no trust-me-later assertion. Whoever needs to verify, a regulator, a customer, a court, a gate scanner, can do so independently, without touching your systems, your data, or your infrastructure.

This is how compliance becomes technically enforceable, how entitlements become unforgeable, and how audit trails become something that cannot be quietly rewritten after the fact, across any industry, for any kind of event that needs to be proven.

The proof pipeline

Hash & register a SHA-256 fingerprint of the event, transaction, or credential is submitted to the Hash Oracle, which records it immutably with a timestamp.

Condition verification the relevant conditions are checked: was this authorised? Is it in-date? Does the claim hold? Every condition is verified before a proof is issued.

ZK circuit prove a zero-knowledge proof is generated confirming every condition passed, without revealing the underlying data to anyone.

Merkle anchor + PQ sign the proof is anchored into an append-only Merkle tree and the root is signed with ML-DSA-65 (NIST FIPS 204). Quantum-resistant and tamper-evident.

Record published the full record is available for independent verification via the public Oracle API. No credentials, no access to your systems, required to verify.

Standards and regulatory frameworks covered

GDPR Article 25 eIDAS 2.0 / EUDI Wallet NIS2 Directive DORA ICT Governance PSD2 / PSD3 FATF Travel Rule MiCA HIPAA UK Online Safety Act Cyber Resilience Act EU Product Liability Directive EU AI Act (2024/1689) ISO 27001 ISO 42001 PCI DSS CNSA 2.0 / NIST FIPS 203/204

How we work together

Partnership programmes

We run four partnership tracks. Each one is designed to produce a working integration, not a slide deck.

Track 01

Platform & product integration

Any platform that handles transactions, credentials, access decisions, or entitlements can embed AffixIO's proof layer directly. We provide a production-ready API, open-source integration components, and full technical documentation. Your customers get cryptographic proof of the things your platform does, without you having to build the verification infrastructure yourself.

Ideal for SaaS platforms, identity providers, payment processors, ticketing systems, access control vendors, and any product where trust between parties needs to be demonstrated, not assumed. Platform partners can validate the proof layer in the API sandbox before scoping integration.

API integration SaaS platform Identity Payments Ticketing Co-sell eligible

Track 02

Enterprise pilot programme

Deploy AffixIO as a proof layer over your existing systems in a time-boxed, production-equivalent pilot. You get a dedicated integration engineer, a configuration scoped to your compliance obligations, and a pilot report you can take to your board, your auditors, or a regulator.

Designed for regulated enterprises in financial services, healthcare, transport, insurance, legal, or any sector where the cost of an unverifiable record is high and the regulatory pressure to produce one is rising.

Managed onboarding Time-boxed Compliance report Audit-ready GDPR DORA

Track 03

Public sector & government pilots

AffixIO is built from first principles for public sector accountability. We work with central government departments, local authorities, NHS trusts, and regulators who need verifiable records of consequential decisions, benefit eligibility, service access, licensing, inspection outcomes, that can be audited independently without exposing citizen data.

Pilot outputs include cryptographic proof records, Merkle-rooted audit archives, and post-quantum attestation built to outlast any future quantum threat to long-term public records. See WP-038 sandbox walkthrough for a CDDO-style audit path, and the war room for the verification infrastructure overview.

UK Government NHS Local authority Citizen services Post-quantum ready Open to framework

Track 04

Research & academic partnerships

We collaborate with university research groups, think tanks, and standards bodies working on ZK proof systems, post-quantum cryptography, privacy-preserving verification, and digital credential infrastructure. Our technical work is publicly documented in 39 white papers, including WP-039 scan-to-prove partnerships and WP-038 UK gov sandbox walkthrough.

If your research needs a production ZK implementation to test against, extend, or benchmark, we want to hear from you.

Academic collaboration Open source ZK research Post-quantum Standards bodies

Where we operate

Sectors and use cases

Cryptographic proof is not sector-specific, any system that records consequential events benefits from verifiable, tamper-evident records. These are the areas where we have the deepest knowledge and the most relevant coverage.

Financial services & fintech

Transaction proof trails, AML/KYC without PII databases, verifiable credit and underwriting decisions, DORA-compliant ICT audit records, and MiCA governance for digital assets.

Healthcare & life sciences

Privacy-preserving patient eligibility, HIPAA-compliant clinical audit records, ZK-proof prescription and entitlement verification, and tamper-evident clinical trial records.

Events, transport & access

Stateless ticketing and QR verification, offline-capable gate scanning, anti-counterfeit proof-of-purchase, and credential-based access control with no central server dependency. See anti-scalping tickets and WP-037.

Public sector & government

Verifiable records of consequential decisions, benefit eligibility without exposing case data, licensing and inspection audit trails, and citizen credential infrastructure meeting eIDAS 2.0.

Supply chain & logistics

IoT device provenance, NIS2-compliant infrastructure attestation, Cyber Resilience Act compliance, and tamper-evident product authenticity records across multi-party supply chains.

Legal, insurance & professional services

Document provenance and signing audit trails, verifiable risk assessment records, tamper-evident claims history, and independent compliance verification without opening proprietary systems to auditors.

These are the sectors we know best, but the honest answer is that imagination is the only place AffixIO stops.

Anywhere you need to prove something happened correctly, without exposing the underlying data, and without trusting a single central system to tell you so, AffixIO can provide the infrastructure. The use cases below are just one example of how far that can go.

A real-world example

Ticketing, QR codes, and stateless verification at the edge

You already use this technology every day, you just don't know it could work without a server in the middle.

Think about the last time you scanned into an event

You pulled up a QR code. Someone pointed a reader at it. A green tick appeared. You walked in.

Simple. But what actually happened in that half-second? Your code was sent to a server. The server looked up a database. The database said yes, this ticket is valid and unused. The scanner showed green.

That chain works most of the time. But it has a lot of links that can break. The server goes down at 8pm on a Saturday. The venue's 4G drops when 50,000 people all arrive at once. Someone screenshots your QR code and walks in twenty minutes before you get there. A data breach leaks every ticket holder's details. The promoter's ticketing platform gets hacked three days before the show.

Every one of those failures has happened, at real events, to real people. The fragility is baked into the architecture, because the QR code is just a claim that a database somewhere will agree with.

How it compares

Traditional ticketing

QR code is a database key
Requires live server connection
Single point of failure
Copiable, screenshots work
Data breach exposes all buyers
Scalper bots can harvest codes
Offline scanning impossible

AffixIO stateless

QR code contains the proof
Verifies entirely on-device
No server, no single failure
Cryptographically uncopyable
No personal data stored
Anti-scalp built into the proof
Works with no internet at all

What "stateless at the edge" actually means

With AffixIO, the QR code is not a key that unlocks a door, it is the proof. A zero-knowledge circuit bakes the validity conditions directly into the code at the moment of issue: this ticket was legitimately purchased, it has not been used, and it is valid for this event on this date. All of that is encoded as cryptographic mathematics, not as a database record.

When the scanner reads it, it runs the proof locally, on the device, at the gate, at the edge of the network. No round-trip to a server. No waiting for a database response. No connectivity required at all. The scanner either confirms the maths checks out, or it doesn't. There is no middle layer to fail, hack, or overload.

The spent-proof mechanism handles double-entry: once a proof is consumed, it is recorded locally and the same proof cannot be accepted again, even by a different scanner at a different gate, even offline. Think of it like a scratch card: the act of verifying it marks it as used in a way that cannot be undone or forged.

Where this applies

Stateless proof verification: use cases across every sector

Live events

Concerts, festivals & sports

Offline-capable gate scanning for 80,000-person venues. Anti-counterfeit and anti-scalp by design. No connectivity bottleneck when everyone arrives at once.

Transport

Rail, bus & aviation

Tap-and-validate without calling a central ticketing server. Works in underground stations, tunnels, and any low-signal environment. Proof of travel without a passenger database.

Access control

Buildings, car parks & hotels

Issue time-bounded access proofs that expire automatically. No master database of who was where and when. Works during network outages, critical for emergency access scenarios.

Conferences & exhibitions

Event badges & session access

Attendee identity stays private, the badge proves eligibility for a session without revealing who the attendee is. Session capacity limits enforced by the proof, not by staff headcounts.

Loyalty & rewards

Vouchers, offers & entitlements

Prove you have earned a reward without revealing your purchase history. One-time-use coupons that cannot be copied, forwarded, or fraudulently redeemed at scale.

Healthcare & welfare

Prescriptions & entitlements

Prove eligibility for a service or prescription without exposing a patient record. The pharmacist or caseworker sees a valid proof, not a name, a condition, or a history.

The pilot process

What a structured pilot looks like

We do not run open-ended evaluations. Pilots are scoped, time-boxed, and output a verifiable result. Typical duration: six to eight weeks.

Week 1–2

Scoping & integration design

We map your existing systems, data flows, and the events you need to prove. We identify the verification obligations you need to satisfy, regulatory, contractual, or operational, and design the integration. You receive an integration spec and a defined set of pilot success criteria.

Week 3–4

Integration & configuration

The AffixIO proof layer is deployed against your systems, as a proxy, webhook, SDK integration, or direct API call. ZK circuits are configured for your specific proof conditions. The Hash Oracle and Merkle sync daemon are provisioned for your namespace.

Week 5–6

Live governance run

Your real workload runs through the proof engine in a production-equivalent environment. Every qualifying event is hashed, condition-verified, ZK-proved, and Merkle-anchored in real time. You can query the public Oracle API at any point to verify any record independently. We monitor proof success rates, latency overhead, and record completeness.

Week 7–8

Pilot report & next steps

You receive a signed pilot report containing: proof success statistics, Merkle root certificates for the pilot period, latency benchmarks, regulatory mapping to your specific obligations, and a recommended production architecture. The report is designed to be presented to a board, an auditor, a DPO, or a regulator.

Start a conversation

Whether you want to embed the AffixIO proof layer into your platform, run a structured pilot in your sector, or explore a research collaboration, the first step is the same. Send us a brief description of what you need to prove and why it matters.

We respond to every genuine partnership enquiry within two business days. No sales cycle, no discovery call prerequisite, just an honest conversation about whether this is a fit.

Contact form

partnership@affix-io.com

WP-039 scan-to-prove field report