The regulations already say it: an automated vehicle must record what it saw, what it decided, and when it handed back control — in a tamper-proof format an investigator can read. But the recorder is held by the carmaker. A black box the operator can edit, delay, or deny is not evidence, it is a claim. SDR signs every perception, decision, and disengagement frame with an independent post-quantum receipt — the one record of what your vehicle did that the operator, the plaintiff, and the regulator can all verify, and none of them can change.
After a crash, everything turns on one question: what did the vehicle actually do in the seconds before impact? Today the only party who can answer holds the recorder, controls the export, and has the strongest incentive to shade it. Three things keep going wrong, and they are the same three thing every time.
In a fatal Florida FSD case, the crash data “didn’t exist” until an independent researcher recovered it. NHTSA had to pull the recorder independently — that is the version that counts. When the operator is the sole custodian, the record is whatever survives the operator’s discretion.
A disengagement logged a few seconds before impact can reclassify an automated crash as human-caused. Senators have asked NHTSA to audit that telemetry because the regulator “has no way of knowing whether public-safety claims bear any relationship to reality.” The disengagement timestamp is exactly the field that decides liability.
As crash-reporting requirements were rolled back, what reaches investigators is increasingly the operator’s own filtered export. BYD now accepts liability for its driver-assist — something the largest US operator never has. The recorder being “tamper-proof” on paper does not help if the operator decides what, and when, to hand over.
SDR signs each perception, planning, and disengagement frame — what the stack perceived, what it decided, the system state, and the exact handover timestamp — using ML-DSA-65 (NIST FIPS 204), with a key the operator does not hold. Anyone — a regulator, a court, an insurer, a plaintiff — can verify the record offline, with no access to your fleet, forever. Move the disengagement timestamp by one second and verification fails. SDR does not replace your EDR, your DSSAD, or your data store under R157 and R160. It sits underneath them and turns the recorder the operator holds into a record the operator cannot edit.
UN Regulation 157 (DSSAD) and UN Regulation 160 (EDR) already require automated vehicles to record system status, the driver-availability state, and the environment in a tamper-proof format accessible to investigators. New UN global rules now require a data-storage system for automated driving. The obligation to record is settled. What is not settled is whose word the record represents.
A recorder satisfies the regulation until the day the readout is disputed. On that day, “our logs show” is a self-attestation by the one party with the most at stake. An independent signature is the only form of recording whose truth does not depend on trusting the operator who produced it.
SDR is not another data logger competing with your DSSAD or your EDR. It is the evidentiary layer that makes whatever your recorder captured hold up the moment a regulator, an insurer, or a court asks you to prove that nothing moved between the crash and the export.
As the stack runs, SDR signs a receipt over each driving-event frame — the perception summary, the planned action, the system state, and the disengagement or handover timestamp. Out-of-band; it records, it does not gate the vehicle.
The receipt rides with the recording you already keep under R157 and R160. Your logging pipeline is unchanged; the signature simply makes each frame independently verifiable after the fact.
A regulator pulls the record, a plaintiff alleges the disengagement was backdated, an insurer disputes fault. The receipt verifies — or doesn’t — with the public key alone, no access to your systems. You move from “trust our export” to “check the math.”
Verification costs nothing and needs nothing from Hive or from you. The receipt outlives the investigation, the recall, the litigation, and the company. The record of what the vehicle did survives everyone with a reason to change it.
This is the real signer, not a mock. Pick a frame from a driving event — the same independent signer receipts every one of them. You take the steps; these are the expected results: sign the frame, verify it independently, then backdate the disengagement by one second and watch verification fail. That is the field a liability fight turns on.
Pick a frame from the driving event
Perception, prediction, planning, the disengagement event, the human-availability check, the over-the-air software version that was running, and the sensor-health state — every layer that an investigator, an insurer, or a court will ask about carries the same evidentiary gap underneath the recorder. The receipt does not change by subsystem: the same signer signs each frame, and anyone verifies it offline. SDR sits underneath whatever recording stack you already run — it does not compete with it.
Three steps, the same for every frame. You take them; these are the expected results. Hive is the independent third party in the loop — it makes no judgment about whether the driving decision was right. It signs what the stack recorded and lets anyone else check it.
Send the driving-event frame — perception, decision, system state, the disengagement timestamp — to the signer through one API call from the vehicle or the fleet backend.
result: typed fragments acceptedAn ML-DSA-65 receipt is produced over those exact fields. Post-quantum, tamper-evident, issued by a key that is not the operator’s and not the regulator’s.
result: independent receipt in ~77µsA regulator, an insurer, or a court checks the receipt with the published public key alone — no access to your fleet, no access to Hive. Move the disengagement time by a second and it fails.
result: VALID, or INVALID if alteredThe signature comes from an independent key, not the operator’s. A black box you control is a claim. An independently signed frame is evidence.
SDR attests only to what the stack recorded and that it was unchanged. It does not judge whether the maneuver was correct — it proves no one moved the disengagement timestamp.
Runs beneath the DSSAD, the EDR, and the data-storage system you already maintain. It does not replace or compete with any of them. It makes them provable.
Pick the layer of the stack you want receipted first. You will land on a page that sets up your tenant and hands you a one-line call to sign your first driving-event frame — no call, no demo, no one to talk to.
This is independent, third-party recording and attestation. Hive signs what your stack records and makes no decision about the driving. You run the steps above; the expected results are VALID on an honest frame and INVALID the instant a field is altered. Verification is free, forever, for anyone — the regulator, the insurer, the court.
No call, no demo, no one to talk to. Sign a driving-event frame above, verify it independently with the public key alone, then backdate the disengagement by one second and watch it fail. The same flow runs against your own stack through the SDK — independent, third-party recording sitting underneath the DSSAD and EDR you already run under R157 and R160.
Sources: UN R157 (DSSAD) + R160 (EDR) require tamper-proof ADS recording accessible to investigators — MmowW, UN News. Florida FSD crash data recovered independently — Electrek. Senators ask NHTSA to audit FSD telemetry; the 5-second disengagement window — The Star / Reuters, Tesery. AV crash-reporting requirements rolled back — The Crash Report; NTSB recommendation on 49 CFR Part 563 — NTSB. BYD accepts driver-assist liability — Electrek.