Pending Review
A concern, expiry or scope change is queued before private access changes.
CAPPS Revocation & Audit Ledger
Access must be removable, reviewable and evidenced without exposing private records.
This ledger defines how chosen access is suspended, expired, revoked, reviewed and evidenced while keeping names, contact records, identity evidence, health records, school records and operator notes private.
Ledger Controls
suspend
expire
revoke
review
Revocation States
Every access removal has a clear operating state.
Suspended
Private capability is paused while a review is completed.
Revoked
Access is removed and cannot be reused without a new approval.
Restored
Access is restored only after a new review state, scope and expiry are recorded.
Trigger Rules
Access is removed when the risk or purpose changes.
ExpiryTime-limited access ends automatically unless reviewed again.
Scope ChangeNew route, data, role, API or pilot purpose requires fresh approval.
Unsafe RequestRequests for private child, identity, health, message, location or credential data are blocked.
Unsupported ClaimClaims of approval, adoption, endorsement or outcomes are blocked without reviewed evidence.
Operator ReviewFailed review means access is suspended or revoked before any further use.
Public Proof
The public ledger publishes process evidence, not private access records.
Evidence Hash
Public proof can reference an evidence hash without exposing the underlying private material.
Policy Version
Every action is tied to a policy version so rule changes can be tracked.
Private Material
Names, contacts, identity evidence, health records, school records and operator notes stay out of the public site.
Audit Trail
Public-safe states show that removal, review and restoration are defined before pilots scale.