Sovereign Multi-Tenant Forgetting with Cryptographic Proof of Erasure under GDPR Article 17.
Signed tombstone records prove dataset and model-weight erasure without re-disclosing the erased data.
A method and system for honouring an erasure request under Article 17 of the General Data Protection Regulation against a multi-tenant AI system in a manner that is cryptographically verifiable without re-disclosing the erased data. On receipt of an erasure request the operator-controlled computer system identifies the dataset fragments belonging to the requesting data subject, computes a Merkle root over them, executes a machine-unlearning procedure against the model trained on the said fragments, computes a weight-delta proof representing the parameter change, and emits a signed tombstone record under a post-quantum module-lattice key bound to operator-personalised silicon. A regulator, the data subject, or a third-party auditor given the tombstone and the operator's public key can independently verify that the named data has been removed both from the dataset and from the learned model parameters, without ever observing the erased data. Filed 21 May 2026 as GB2611916.4.
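The dataset half of the tombstone described above, as an added example that is not taken from the filing: a Merkle root over digests of the subject's fragments, and an inclusion check that a verifier who already holds one fragment digest can run against that root without the operator re-sending the data. Assumptions: SHA-256, the leaf/node prefixes, the record field names, the function names and the idea that the verifier holds a fragment digest are all hypothetical; the post-quantum signature over the record and the weight-delta proof are omitted.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(fragment_digest: bytes) -> bytes:
    return h(b"\x00" + fragment_digest)   # domain-separate leaves from inner nodes

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(leaves):
    if not leaves:
        raise ValueError("no fragments identified for this request")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An unpaired last node is promoted unchanged, not duplicated.
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def make_tombstone(fragments, request_id):
    # Hypothetical record layout; only digests, never fragment contents, enter it.
    levels = build_levels([leaf(h(f)) for f in fragments])
    tombstone = {"request_id": request_id, "fragment_count": len(fragments),
                 "merkle_root": levels[-1][0].hex()}
    return tombstone, levels

def inclusion_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # promoted nodes have no sibling here
            proof.append(("L" if sibling < index else "R", level[sibling].hex()))
        index //= 2
    return proof

def verify_inclusion(fragment_digest, proof, tombstone):
    acc = leaf(fragment_digest)
    for side, sibling_hex in proof:
        sibling = bytes.fromhex(sibling_hex)
        acc = node(sibling, acc) if side == "L" else node(acc, sibling)
    return acc.hex() == tombstone["merkle_root"]

# Constructed sample fragments; five of them exercises the odd-node path.
FRAGMENTS = [f"constructed fragment {i}".encode() for i in range(5)]
TOMBSTONE, LEVELS = make_tombstone(FRAGMENTS, "constructed-request-0001")
```

In a complete scheme the verifier would check the operator's signature over the record before trusting `merkle_root` and `fragment_count`.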