How we protect your records
This page is for technical teams, compliance officers, and anyone who wants to understand the cryptographic foundations behind SoilVector's tamper-proof guarantees.
Architecture overview
SoilVector treats every field record as an entry in an append-only, cryptographically linked ledger. Records flow through four states — each adding a layer of integrity that makes retroactive tampering detectable and provable to third parties.
Recorded
Captured on-device with timestamp, GPS coordinates, and user attribution. Stored locally in an encrypted queue.
Synced
Transmitted to backend via idempotent API. Appended to the organization's SHA-256 hash chain with a server-assigned sequence ID.
Secured
Chain head submitted to an RFC 3161 compliant Timestamp Authority (TSA). External proof that the ledger state existed at that moment.
Verified
Reviewed and approved by a second authorized user. Verification metadata (actor, timestamp, outcome) appended to the chain.
Hash-chained ledger
Every record in SoilVector is appended to a per-organization hash chain. Each entry includes the SHA-256 digest of the previous entry, creating a tamper-evident sequence. Altering any past record changes its hash, which breaks the chain from that point forward.
Algorithm
SHA-256 (NIST FIPS 180-4)
Scope
One chain per organization. All record types (operations, verifications, membership changes) are interleaved in a single chain.
Chain input
Each hash covers: previous hash, record type, timestamp, actor ID, payload, and sequence number.
Immutability enforcement
Database-level triggers prevent UPDATE and DELETE on ledger rows. The application layer never issues mutations against committed entries.
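An added example, not SoilVector's code: a minimal hash chain over the six inputs listed under "Chain input", with a verifier that locates the first altered entry and can compare the chain head against a digest held externally, as the hourly anchor is. The JSON encoding, genesis value, field names and sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry
FIELDS = ("record_type", "timestamp", "actor_id", "payload", "sequence")


def entry_hash(prev_hash, entry):
    """SHA-256 over previous hash plus the five other "Chain input" fields.
    Canonical JSON is an assumed encoding, not SoilVector's wire format."""
    material = {"prev_hash": prev_hash, **{k: entry[k] for k in FIELDS}}
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append(chain, record_type, timestamp, actor_id, payload):
    """Link a new entry to the current chain head and append it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record_type": record_type, "timestamp": timestamp,
             "actor_id": actor_id, "payload": payload,
             "sequence": len(chain) + 1, "prev_hash": prev}
    entry["hash"] = entry_hash(prev, entry)
    chain.append(entry)


def verify(chain, anchored_head=None):
    """Return (ok, position of first bad entry or None, reason)."""
    prev = GENESIS
    for pos, e in enumerate(chain, start=1):
        if e["sequence"] != pos:
            return False, pos, "sequence gap or reorder"
        if e["prev_hash"] != prev:
            return False, pos, "broken link"
        if entry_hash(prev, e) != e["hash"]:
            return False, pos, "content does not match hash"
        prev = e["hash"]
    # A chain rewritten and re-hashed end to end is self-consistent; only a
    # head digest held outside the system (the hourly anchor) exposes it.
    if anchored_head is not None and prev != anchored_head:
        return False, None, "head differs from anchored digest"
    return True, None, "ok"


def sample_chain():
    """Constructed sample entries, not real SoilVector records."""
    chain = []
    append(chain, "operation", "2024-05-01T08:00:00Z", "user-17", {"field": "N-4", "rate_l_ha": 2.5})
    append(chain, "verification", "2024-05-01T09:30:00Z", "user-02", {"outcome": "approved"})
    append(chain, "membership_change", "2024-05-02T07:15:00Z", "user-01", {"added": "user-23"})
    return chain
```

Editing one stored payload makes `verify` fail at that entry; recomputing every later hash makes the chain pass on its own and fail only against the anchored head.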
External timestamp anchoring
Every hour, SoilVector submits the current chain head to an independent Timestamp Authority (TSA) using the RFC 3161 protocol. The TSA returns a signed timestamp token that proves the ledger state existed at that point in time — without needing to trust SoilVector.
Protocol
RFC 3161 — Internet X.509 PKI Time-Stamp Protocol. The same standard used in legal archiving, code signing, and regulated industries.
Frequency
Hourly. Each anchor covers all records committed since the previous anchor.
What is anchored
The SHA-256 digest of the chain head at anchor time. This single hash transitively covers every prior entry in the chain.
Verification
Anyone with the timestamp token and the ledger data can independently verify that the records existed at the anchored time. No SoilVector access required.
Digitally signed exports
Compliance exports are signed with a detached digital signature. Recipients can verify the integrity of the export without contacting SoilVector or having system access.
Signature algorithm
Ed25519 (RFC 8032). A modern, high-performance signature scheme used in SSH, TLS, and blockchain systems.
What is signed
The full export payload: activity log, hash verification results, membership history, and chain integrity proof.
Deterministic output
Exports are deterministic — the same underlying data always produces the same content hash. This means you can re-export at any time and verify it matches a previously signed copy.
Detached signature
The signature is delivered alongside the export as a separate file. Third-party tools can verify the signature independently using SoilVector's public key.
Database-level immutability
Immutability is not just an application-level promise. PostgreSQL triggers enforce that ledger rows cannot be updated or deleted, even by SoilVector engineers with direct database access.
Storage
PostgreSQL with append-only constraints enforced via database triggers on all ledger tables.
Protection scope
INSERT is the only permitted operation. UPDATE and DELETE are blocked at the database level, not just the application layer.
Separation of concerns
The application never issues mutating queries against committed ledger entries. Even if the application had a bug, the database would reject the operation.
Summary
| Layer | Mechanism | What it proves |
|---|---|---|
| Record integrity | SHA-256 hash chain | No record has been altered or reordered since creation |
| Time proof | RFC 3161 timestamp anchoring | The ledger existed in this state at a specific time |
| Export authenticity | Ed25519 digital signatures | The export has not been modified since generation |
| Storage protection | PostgreSQL immutability triggers | Even database administrators cannot alter committed records |
Questions about our security model?
We're happy to walk through the technical details with your compliance or IT team.