Technical Product Brief

aha!Register

Art inventory and provenance for the people who protect it.

AI-powered capture, archival-grade documentation, and tamper-evident provenance for galleries, museums, institutions, and private collectors. One app. Every object accounted for.

Version1.0 — 2026

PlatformiOS · Android · Web

Data ResidencyEU (Frankfurt) · US available

Contactregister@arthausauction.com

01 — The Product

Point your phone at an artwork. Everything else is automatic.

aha! Register replaces spreadsheets, paper files, and fragmented inventory systems with a single mobile-first platform. Capture an artwork with your camera. AI identifies the artist, medium, dimensions, condition, and style. Every record is anchored with a tamper-evident provenance chain from the moment of capture.

The interface is designed so an intern can use it on day one. The infrastructure beneath it is built so a museum director can trust it with a permanent collection.

📸

AI-Powered Capture

Single photo, multi-angle, 3D scan, or batch mode. AI extracts metadata, assesses condition, classifies style. Review, edit, confirm.

📱

Location-Linked QR

Print QR codes for shelves, walls, and vaults. Scan a location to see everything stored there. Batch capture in context.

🛡️

Tamper-Evident Provenance

Every record is hash-chain anchored at creation. Ownership, exhibitions, condition changes tracked chronologically. Verifiable certificates with QR links to live records.

📊

Museum-Standard Export

Excel, CSV, PDF reports, PDF certificates, JSON, CDWA/LIDO XML, Dublin Core XML, and OAIS-compliant archival packages. Your data in any format, anytime.

👥

Teams & Permissions

Owner, Admin, Intern, Viewer roles. Control who can edit, export, or delete. Audit log tracks every action across your team.

🏷️

Bridge to Market

When you're ready to sell, list directly on the aha! marketplace. Provenance, condition, and documentation transfer automatically.

02 — Trust Architecture

Your collection. Your data. Period.

aha! Register is built for institutions that cannot afford data loss, unauthorized access, or vendor dependency. Every architectural decision prioritizes data sovereignty, portability, and longevity.

Data Sovereignty

EU data residency — All data stored in Frankfurt, Germany (AWS eu-central-1). Compliant with European institutional procurement requirements.
US data residency available — US-based organizations can opt for domestic hosting at the Enterprise tier.
No vendor lock-in — Export your entire dataset in standard formats at any time. One click. No waiting period, no approval process.
Right to deletion — Delete your account and all associated data permanently. Immediate, verifiable, irreversible.
Pre-signed DPA — Downloadable Data Processing Agreement template. Ready for institutional legal review without a sales call.

AI Transparency

AI is optional — Turn off AI analysis entirely in settings. Camera, QR codes, locations, export, provenance, and certificates all work without AI. You type metadata manually. No functionality lost.
Inference only — AI analyzes your photos and returns metadata. Your images are never stored by, used to train, or retained by any AI provider. This is contractually guaranteed by our API agreements.
Transparent labeling — AI-extracted fields are clearly identified. Confidence scores let you trust-but-verify every suggestion. You control what gets saved.
Sub-processor transparency — Complete list of every third-party service that touches your data, available in-app and on our trust page.

The critical distinction: aha! Register uses AI for inference (analyze a photo, return structured data), not training (learn from your images to improve a model). Your collection data remains yours. Full stop.

Provenance Integrity

SHA-256 hash chain — Every record is cryptographically anchored at the moment of capture. Modifications are tracked, not hidden. The chain proves no record has been silently altered.
Device-verified capture — Camera-mode registration embeds GPS coordinates, timestamps, and device identifiers. Higher evidence standard than web upload.
Verifiable certificates — Provenance certificates include cryptographic verification and a QR code linking to the live, current record. Not a static PDF that can be forged.
Tamper-evident, not tamper-proof — We are precise about this claim. No digital system prevents all tampering. Our system ensures that any tampering is detectable. This is the same standard used by the C2PA content provenance framework.

03 — Compliance Matrix

Standards, regulations, and what we meet.

The following table maps aha! Register's features to the regulatory and industry standards relevant to art collection management.

Standard / Regulation	How aha! Register Addresses It	Status	Tier
GDPR EU General Data Protection Regulation	EU data residency (Frankfurt). Right to access, portability, and erasure. Pre-signed DPA template. Sub-processor disclosure. Consent-based data collection.	Compliant	All tiers
EU AI Act Transparency obligations (Aug 2026)	AI-generated fields labeled with confidence scores. Opt-out toggle (full functionality without AI). No prohibited AI practices (no biometric categorization, no emotion detection).	Compliant	All tiers
OAIS ISO 14721 — Open Archival Information System	BagIt-formatted Archival Information Packages available for export. Three-tier storage architecture (hot/warm/cold) with fixity checking and format migration planning.	Supported	Institutional+
CDWA / LIDO Museum cataloging standards	CDWA Lite and LIDO XML export. Fields mapped to standard vocabulary. Compatible with existing TMS and DAMS workflows.	Supported	All tiers
Dublin Core ISO 15836 — Metadata standard	Dublin Core XML export for cross-system interoperability and archival deposit.	Supported	All tiers
CCPA / CPRA California Consumer Privacy Act	Data access, deletion, and portability controls. No sale of personal information. Transparent data practices.	Compliant	All tiers
SOC 2 Type II Service Organization Controls	Infrastructure providers (Supabase, AWS, Vercel) maintain SOC 2 certification. Application-level audit logging for all data access and modifications.	Via providers	Institutional+
SSO / SAML Enterprise identity management	Single Sign-On integration for organizations using existing identity providers (Okta, Azure AD, Google Workspace).	Institutional+	Institutional+
C2PA Content Provenance & Authenticity	Hash-chain provenance model is architecturally aligned with C2PA principles. Capture-mode registration embeds origin metadata (device, location, timestamp).	Aligned	All tiers
WORM Storage Write Once, Read Many	Immutable archival storage (AWS S3 Object Lock) for institutional records. Records cannot be altered or deleted during retention period.	Supported	Institutional+

04 — Technical Infrastructure

What your IT department needs to know.

Application Stack

Frontend: Next.js 14, React, deployed on Vercel (EU region)
Backend: Supabase (PostgreSQL), hosted in AWS eu-central-1 (Frankfurt)
Authentication: Supabase Auth with Row Level Security. SSO available at Institutional tier
AI Processing: Google Gemini API (paid tier, contractual no-training guarantee)
Encryption: TLS 1.3 in transit, AES-256 at rest

Storage Architecture

Tier 1 — Hot: Supabase PostgreSQL + Storage. Active data for daily operations
Tier 2 — Warm: AWS S3 with Object Lock (WORM). Immutable archival copies. Multi-provider redundancy
Tier 3 — Cold: Glacier Deep Archive. Quarterly snapshots. Separate region. ~$1/TB/month
Fixity: Monthly SHA-256 verification across all tiers

Sub-Processors

Provider	Function	Data Region	Certification
Supabase	Database, authentication, file storage	EU (Frankfurt)	SOC 2 Type II
Google Cloud (Gemini API)	AI image analysis (inference only)	EU	SOC 2, ISO 27001
Vercel	Application hosting, edge network	EU (Frankfurt)	SOC 2 Type II
AWS	Archival storage (S3, Glacier)	EU (Frankfurt)	SOC 2, ISO 27001, C5
Stripe	Payment processing	US/EU	PCI DSS Level 1

For European institutions: All primary data processing occurs within the EU. No personal or collection data is transferred to US jurisdictions for standard operations. AI inference uses EU-region endpoints. US-based sub-processors (Stripe, Vercel corporate) maintain EU-US Data Privacy Framework certification.

For American institutions: All providers are established US technology companies with proven enterprise track records. No data is processed by non-US or non-EU entities. AI services are provided by Google, not third-party or offshore providers. US data residency is available at the Enterprise tier.

05 — Export & Interoperability

Your data leaves when you want it to, in the format you need.

aha! Register is not a walled garden. Every record you create can be exported in full at any time. No waiting, no approval, no penalty.

Standard Formats

Excel (.xlsx), CSV, JSON — for spreadsheets, databases, and custom integrations.

PDF Reports & Certificates

Collection reports and individual provenance certificates with cryptographic verification and live QR links.

Museum Metadata

CDWA/LIDO XML and Dublin Core XML. Compatible with TMS, Axiell, Gallery Systems, and institutional DAMS.

Archive Package (OAIS)

BagIt-formatted Archival Information Packages. The same standard used by the Library of Congress, Smithsonian, and national archives worldwide.

06 — Plans & Pricing

From one collector to an entire institution.

Free

25 objects
1 user
AI capture
Basic export

Individual

$9.99

Unlimited objects
1 user
Full export
Certificates

Gallery

$49

Unlimited objects
5 users
Team & branding
Priority AI

What exists. What's missing. What we built.

Capability	Traditional TMS ($50K+/yr)	Artwork Archive ($8–50/mo)	CatalogIt ($10–100/mo)	aha! Register ($0–499/mo)
AI-powered capture	—	—	—	✓ Core feature
Tamper-evident provenance	Partial	—	—	✓ From capture
Works without AI	N/A	N/A	N/A	✓ Full toggle
CDWA/LIDO export	✓	CDWA only	Dublin Core	✓ Both + DC
OAIS archival packages	Some	—	—	✓ BagIt AIP
EU data residency	Varies	US only	US only	✓ EU default
Mobile-first	—	Partial	Partial	✓ Native
QR location system	Varies	—	—	✓ Built-in
Bridge to marketplace	—	—	—	✓ aha! market
On-premises option	✓	—	—	Enterprise tier