Custody

Consistency control room

Parental consent and minor spend, strongly consistent across regions on commit, with a tamper-evident audit trail. Synthetic operational data only.

Aurora DSQL, active-active

Two-region link

strong consistency

Region A

us-east-1
primary
consentstandby
spendstandby

Region B

us-east-2
peer
consentstandby
spendstandby

Spend cap

per minor
spend / capno cap set

Parent actions

server actions

Platform gate

reference integration

The call a platform makes at the gate. It reads the strongly-consistent projections, so the decision is identical in both regions. Reference integration contract, synthetic data.

curl -X POST custody-zeta.vercel.app/api/authorize?region=west \
  -H 'content-type: application/json' \
  -d '{"userId":"...","minorId":"...","action":"spend","amountMinor":1800}'

Tamper-evident ledger

sha-256 hash chain
verify offlineloading live chain

Concurrency

occ under contention
live ยท sqlstate 40001
committed 0/8real 40001 conflicts 0chain forks 0

Fires real concurrent appends against the live Aurora DSQL cluster. A hot key makes them collide on the composite primary key, returning real SQLSTATE 40001 conflicts that the retry wrapper resolves into one unforked chain. Random keys (hot key off) spread writes so they do not conflict. Synthetic throwaway subjects.

Age verification

sd-jwt selective disclosure

issuer credential

date of birth
2012-**-**
age bracket
13-15

disclosed to platform

run the proof

Compliance mapping

supported regimes

Custody supports compliance with these regimes. It is a neutral system of record, not a legal certification, and the regulated platform remains the responsible party. Each row links a built, live feature to the obligation it provides evidence for. Click a row to jump to the feature.

EU Digital Services ActReg (EU) 2022/2065, Art 28(1)

Platforms accessible to minors must take proportionate measures for a high level of minors' privacy, safety, and security.

GDPRReg (EU) 2016/679, Art 7(3)

Withdrawing consent must be possible at any time and as easy as giving it.

GDPRReg (EU) 2016/679, Art 8(1)

Below the applicable age (16, or as low as 13 by member state), consent-based processing of a child's data is lawful only with verified parental authorization.

GDPRReg (EU) 2016/679, Art 5(1)(c)

Personal data must be limited to what is necessary for the purpose (data minimisation).

GDPRReg (EU) 2016/679, Art 17

On withdrawal of consent with no other legal ground, the controller must erase the personal data without undue delay.

US COPPA Rule16 CFR 312.5

Operators must obtain verifiable parental consent before collecting a child's personal information.

UK Online Safety Act 2023c.50, s.12

Services likely to be accessed by children must apply highly effective age assurance and proportionate protection, enforced by Ofcom.

Architectural note: Amazon QLDB ends support on 31 July 2025. Custody rebuilds its tamper-evident, hash-chained ledger capability in the application layer on Aurora DSQL.