Every readiness score, AFib flag, BP estimate, and RPM alert is a statement about a person's body — and none of them can prove the reading came from a real on-body sensor, on the real person, in an unspliced stream, read by the stated model. PPR is that proof: ML-DSA-65 signed, verifiable offline by a regulator, a court, or a plaintiff's expert — and Hive never sees a heartbeat.
You keep the data. We keep the proof. We never see a heartbeat.
The trace below streams like a member's night of PPG. Green links under the wave are the anti-splice chain — each interval committing to its predecessor. Try every lie the industry is afraid of and watch the exact binding that catches it.
Sealing happens capture-side, inside your trust boundary. Raw biosignal, holder salts, inference plaintext — none of it ever reaches Hive. Only commitments and verdicts cross the wall. Hive cannot open a commitment: the salt never crossed. Watch it.
v1 ships holder-ingest-signed — the honest floor: the holder's ingest key asserts the signal arrived through the device SDK, not device silicon. Secure-element-signed is the hardware upgrade path. You're the relying party — a health plan, a sponsor, a regulator. Set your required floor and watch the receipts sort themselves honestly.
The tier lives inside the origin commitment O — load-bearing, not a label. A holder-ingest receipt presented as secure-element fails verification cryptographically, not procedurally. A relying party can honestly reject anything below its floor — and a vendor honestly cannot inflate what it sells.
simulated=true — origin evidence in the reference build is flagged until wired to a live device attestation feed. We never fake a receipt. Honesty is the product.
Pick one AI feature — a readiness score, a BP insight, an RPM flag, a trial endpoint. We wire PPR capture-side, you keep every raw sample, and you walk out with a signed receipt a regulator or a court can verify offline. No raw data leaves your boundary. Ever.