C2PA Guide: Content Provenance, AI Transparency, and Where SiteTrust Fits

If you have heard the term C2PA and want to know what it actually is, what it does, and how it relates to AI disclosure, this guide covers the foundations. By the end, you will understand what C2PA proves about a digital file, who is building the standard, where its limits are, and how organizational certification through SiteTrust fits alongside it.

What C2PA Is

C2PA stands for the Coalition for Content Provenance and Authenticity. It is an industry-led technical standard for embedding verifiable origin information directly into digital content. Photos, videos, audio recordings, and documents can carry a C2PA-signed record that travels with the file wherever it goes.

The standard solves a specific problem. Generative AI can now produce photo-realistic images, videos, and audio that look authentic to the human eye. Audiences need a way to verify where content actually came from. C2PA verifies the files at that level. A C2PA-signed image carries a small block of metadata that records who created it, what tool produced it, whether AI was involved, and what edits have happened since.

The standard does not stop fake content from being created. It gives readers, viewers, and verification tools a way to confirm the chain of custody on content that is legitimate. The absence of a C2PA signature in certain digital formats poses a risk, especially as adoption spreads across cameras, editing software, and publishing platforms.

How C2PA Works

C2PA defines three building blocks that work together: assertions, claims, and manifests.

Assertions are individual facts about a piece of content. An assertion might state the date the file was created, the camera that captured it, the software that edited it, the name of the person credited, or whether generative AI was used. Each assertion is a discrete statement, structured so that machines can read and verify it.

Claims are signed packages of assertions. An actor creates a claim in the content's history (a camera, an editing tool, a publishing platform) and is cryptographically signed by that actor. The signature proves that the claim came from a known source and has not been tampered with.

Manifests are the full record attached to a file. A manifest contains the chain of claims that document the file's history from creation through every modification. When a new actor edits the file, they add a new claim referencing the previous one, building a verifiable chain of custody.

When someone wants to verify a C2PA-signed file, they use a compatible tool to read the manifest and check the signatures. The tool can confirm the original creator, see every modification along the way, identify whether the file was produced by or modified with AI, and flag any inconsistencies.

The manifest travels with the file across platforms, embeds, and copies. Stripping the manifest is detectable. A file with no manifest signals one of two things: it predates C2PA adoption, or someone removed the record.

The Organizations Behind C2PA

C2PA is a project under the Joint Development Foundation, which sits under the Linux Foundation. The coalition was formed in 2021 by Adobe, Microsoft, the BBC, Intel, Truepic, and Arm. Membership has grown to include dozens of major media, technology, and standards organizations.

Active members now include Adobe, Microsoft, the BBC, Intel, Sony, the New York Times, Reuters, the Washington Post, Truepic, Arm, Akamai, Cloudflare, Nikon, Leica, and Publicis Groupe. Both Google and Meta have signaled support and are attaching C2PA signals to AI-generated content from their tools.

The broader ecosystem effort connected to C2PA is the Content Authenticity Initiative, often referred to as the CAI. The CAI is an Adobe-led membership organization with thousands of members that drives adoption of content authenticity practices across the media industry. C2PA produces the technical standard. The CAI builds the ecosystem of tools and adoption around it.

The coalition matters because adoption is the whole game. A standard with two members is a niche. A standard with the major camera makers, the major editing tools, the major newsrooms, and the major platforms is infrastructure. C2PA is on the infrastructure path.

What C2PA Covers, and What It Does Not

C2PA covers content-level provenance. The standard is precise about the things it is designed for and clear about the things it is not.

C2PA covers:

  • The origin of a specific file, including the camera, software, or generative model that produced it
  • The history of edits and modifications made to the file over time
  • Whether and where generative AI was involved in production
  • The identity of an actor in the chain, when that actor chooses to disclose it
  • The cryptographic integrity of the metadata itself

C2PA does not cover:

  • Whether the company behind the content uses AI responsibly across its operations
  • Whether the organization publishing the content has a public AI policy
  • How the company governs AI internally, manages risk, or trains employees on AI use
  • Whether the company's public AI disclosures match its actual practices
  • The reputation, accountability, or compliance posture of the entity behind the file

C2PA tells you where a file came from. It does not tell you whether the company that made the file can be trusted with AI more broadly. Those are two different questions, both worth answering.

How SiteTrust Works Alongside C2PA

C2PA operates at the content layer. SiteTrust operates at the organizational layer. The two are complementary, not competing.

C2PA verifies the file. A signed image carries proof of where it came from and what happened to it. SiteTrust verifies the company. A certified organization carries a verified trust badge on its website that links to a public registry listing. The badge tells customers, partners, and regulators that the company has published an AI policy, completed a disclosure review, and met a documented standard.

The parallel is similar to how product-level and company-level trust signals already work in other industries. A USDA Organic stamp on a single product tells you that product meets a defined standard. A B Corp certification on the company that makes the product tells you the company meets a broader set of practices. Both signals carry meaning. They answer different questions for different decisions.

In the AI context, a news organization might publish C2PA-signed photographs to verify the source of each image. The same organization might also display a SiteTrust badge on its site to demonstrate that it has an AI policy, discloses AI use to readers, and submits its practices to independent review. The reader gets two layers of verification: one for the artifact, one for the publisher.

SiteTrust certification covers four pillars of responsible AI: transparency, governance, regulatory compliance, and workforce sustainability. Certification operates across three plans: Disclose at $1,500 per year, Verify at $3,000 per year, and Audit at $6,000+ per year. All plans include the badge and the public registry listing.

For the full vocabulary of AI transparency and disclosure terminology, see the SiteTrust AI Transparency Glossary.

When You Need C2PA, SiteTrust, or Both

The right combination depends on what you produce and who needs to trust you.

Use C2PA when content authenticity is core to your work. News organizations publishing photographs and video. Photographers selling licensed work. Documentary filmmakers establishing source records. Stock content libraries. Camera manufacturers and editing tool vendors building the standard into their products. Any context where the provenance of individual files matters more than the credibility of the company.

Use SiteTrust when your customers, partners, or regulators need to verify how you use AI. Companies deploying AI in customer-facing decisions, hiring, healthcare, financial services, education, or any high-risk category. SaaS vendors whose customers ask about AI policies during procurement. Brands using AI in marketing and content production. Service businesses where customers want to know whether AI is involved in the work they are paying for. Companies in jurisdictions with active AI laws like the California AI disclosure framework or facing EU AI Act disclosure obligations.

Use both when you produce content and operate as a brand. Media companies, publishers, marketing agencies, AI vendors, and content platforms benefit from layering content-level provenance with organizational-level transparency. The pairing addresses both questions a careful reader asks. Can I verify this specific piece of content? Can I trust the company behind it?

The cost of getting either wrong is rising. The SEC has flagged AI-washing as an enforcement priority. The FTC is enforcing against deceptive AI claims. Cases like the Medvi deepfake incident show how AI-generated content can damage organizational reputation when transparency safeguards are missing. Verified disclosure at both layers is becoming the baseline, not the differentiator.

Getting Started

If you want to learn more about C2PA itself, the canonical resource is c2pa.org. The site publishes the technical specification, the list of member organizations, and adoption resources. The Content Authenticity Initiative offers broader ecosystem resources, member tools, and verification utilities you can try.

If you want to demonstrate organizational AI transparency through certification and a public registry listing, SiteTrust certification starts with the Disclose tier at $1,500 per year and a 3 to 5 business day review. You publish an AI usage policy, complete a self-assessment, designate a transparency contact, add point-of-use disclosures, and receive a verified trust badge plus a public registry listing anyone can search.