HOW IT WORKS · THE INTEGRITY MODEL

A measurement is a draft until it is proven.

EV·Surveys does not ask anyone to trust the installer. It produces evidence that checks out on its own: written once, hashed at capture, signed on the device, anchored to a trusted time. This is exactly how that works, in the order it happens.

From camera to signed pack

Five stages. The first three happen on the device with no signal. The last two anchor and assemble the evidence the moment a connection is available.

  1. 01

    Capture

    ON DEVICE · OFFLINE

    The camera writes one immutable original to local storage. There is no edit path, no “save a copy,” no filter. What the sensor recorded is what stays. Metadata (device, lens, the surveyor's session) is attached but cannot be detached without breaking the next stage.

    WRITE-ONCE · NO EDIT PATH · ORIGINAL PRESERVED

  2. 02

    Hash

    ON DEVICE · OFFLINE

    A SHA-256 digest is computed over the original at the moment of capture, before the file is ever touched again. Change a single byte and the digest changes completely. The digest, not the photo, is what the rest of the chain protects, so the maths is cheap and the proof is exact.

    IMG_0042.DNG  →  77AD0C44 9F2C71A8 D34B0E59 1E60B391
  3. 03

    Sign

    SECURE ENCLAVE

    The digest is signed with a private key generated inside the device's secure enclave. The key never leaves the hardware and cannot be exported, so a valid signature places that specific device at the capture. Each new entry also signs over the previous one, linking the ledger into a chain where nothing can be removed or reordered without detection.

    DEVICE KEY · NON-EXPORTABLE · CHAINED ENTRIES

  4. 04

    Timestamp

    WHEN SIGNAL RETURNS

    A device clock can be wound back; a trusted timestamp cannot. When a connection is available, the signed ledger is submitted to a trusted timestamp authority, which returns an RFC 3161 token proving the evidence existed, in this exact form, no later than that moment. The ledger records both the on-device capture time and the independent anchor.

    RFC 3161 TOKEN · INDEPENDENT AUTHORITY

  5. 05

    Export

    SELF-CONTAINED

    Originals, ledger and timestamp tokens are assembled into one pack in open formats. It needs no EV·Surveys account to verify, now or in ten years. A DNO, OZEV submission, insurer or court expert can check it with standard tooling and reach the same answer you would.

    See what is inside the pack →

What tampering looks like

Edit one pixel of one photo and re-run the check. The recomputed hash no longer matches the ledger, and verification names the exact file. There is no quiet failure: a pack is either intact or it points straight at what changed.

This is why the installer never needs to be in the room. The evidence answers the question without them.

VERIFY · IMG_0042.DNG

LEDGER DIGEST

77AD0C44 9F2C71A8 D34B0E59 1E60B391

RECOMPUTED · ORIGINAL

77AD0C44 9F2C71A8 D34B0E59 1E60B391

MATCH ✓ · INTACT

RECOMPUTED · AFTER 1-BYTE EDIT

0B91F7E2 4C88A105 6D2E9930 AA47C218

MISMATCH ✗ · IMG_0042.DNG ALTERED

Why it works with no mobile signal

Integrity is created on the device, not in the cloud. A data connection only ever adds the timestamp anchor; it is never required to capture, hash or sign. A plant room or depot edge with no signal changes nothing.

ON DEVICE · NO SIGNAL

  • Capture original
  • Compute SHA-256
  • Sign in secure enclave

WHEN SIGNAL RETURNS

  • Anchor trusted timestamp
  • Back up encrypted ledger
  • Sync to operations view

NEVER REQUIRED

  • A connection to capture
  • A server to sign
  • An account to verify a pack

See it run on a real survey.

25 minutes, capture to verified pack, with your most sceptical engineer trying to break the chain.

Book a demoSecurity & compliance