A deletion certificate is a signed, tamper-evident record proving that a specific person's data was removed from an AI system's configured retrieval layers — a vector store, plus any RAG index or cache you connect — and re-queried to confirm the records are absent at the moment it was issued. It is verified against the operator's published public key, so a third party can check it without access to the underlying data.
Deleting a source row doesn't remove the embedding you already wrote to your vector store. The person is gone from Postgres and still perfectly searchable in pgvector, Pinecone, or Qdrant — and often copied again into a RAG index or a downstream cache. So a "delete me" request isn't done when the row is gone; it's done when every copy is gone and you can show it.
That second half is the gap. Most vector databases can delete, but none of them natively prove the deletion happened — which is exactly what a regulator, or an enterprise customer's security review, asks for. The deliverable isn't the deletion; it's the evidence.
A Lethe Delete certificate (schema lethe.cert/2) is an Ed25519-signed payload that records:
The subject (as a hash), the retrieval layers swept, and per layer the deleted count and the declared_scope — the stores Lethe was configured to check, so a reader can see what was in scope and infer what wasn't.
Each layer carries residual_count (how many records the post-delete re-query still found — 0 backs the absence claim) and verify_method (the exact query behind it). Absence is auditable, not asserted.
issued_at plus valid_until — a deletion certificate is not eternal; it asserts absence at issue time and tells you to re-verify past its freshness bound, because the underlying index can change.
You pin the operator's published public key and check the signature against it. This matters: a certificate carries the key that signed it, so a self-verifying check ("does the embedded key validate the embedded signature?") only proves internal consistency — an attacker can mint a fully self-consistent certificate with their own key. Only a check pinned to the operator's out-of-band key proves authenticity. An AI agent can do this with zero infrastructure via Lethe's verify-only mode. Try it on three live certs →
pip install lethe-delete. Source.