How the proof works

Written for the person who has to trust the report: an auditor, a security reviewer, a compliance lead. No cryptography background required.

01The problem with monitoring evidence

Anyone can claim they were watching.

The usual answer to "how do you monitor your vendors?" is a screenshot, a spreadsheet, or a promise. All three share a flaw: they can be edited after the fact, and nothing about them proves when the checking actually happened or whether any of it was skipped.

Dormouse is built so that the record it keeps is hard to alter without the alteration being obvious, and so that an independent party can confirm the record for themselves. Three mechanisms do the work. None of them require you to take our word for anything.

02Content-addressed snapshots

Every page version is stored under its own fingerprint.

When dormouse fetches a page, it computes a SHA-256 hash of the exact bytes and stores the page under that hash. The hash is a fingerprint: change a single character of the stored page and its fingerprint no longer matches, which is immediately detectable.

This means the report can say "on July 13 this vendor's subprocessor page said X," and the stored copy can be re-hashed by anyone to confirm it has not been quietly edited since.

03The hash-chained audit trail

Every check is linked to the one before it.

Each check dormouse runs, whether it found a change, found nothing, or failed, is written to an append-only log. Each entry carries a hash computed from its own contents plus the hash of the previous entry. The entries form a chain, the way each link depends on the last.

The consequence is the important part: altering or deleting any past entry changes every hash after it. You cannot quietly remove the check that would have shown a gap, or backdate one that never happened, without breaking the chain from that point forward. The break is detectable by recomputing the chain.

Silence is recorded too. A check that found nothing, and a check that failed, are both entries in the chain, so "we watched and nothing changed" is as provable as "we caught a change."
04The integrity sweep

Anyone can re-run the verification.

The report ships with the result of an integrity sweep run at the moment it was generated: every snapshot re-hashed against its fingerprint, every recorded observation confirmed to reference a real snapshot, and the entire chain recomputed from its first entry to its head.

$ dormouse verify snapshots: 412 checked, 0 corrupt observations: 398 checked, 0 orphaned audit trail: 1,204 entries, 1,204 chain-verified, 0 broken ok

The chain head printed on every report is the hash of the newest link. Recomputing the chain from the beginning must reproduce that exact value. If it does, the history is intact. If a single entry was altered, inserted, or removed, it will not, and the sweep names the broken entry.

Because the verification tooling ships with the engine, and the engine is source-available under the Business Source License, a technical reviewer can audit the verification code itself. You do not have to trust that our math is right. You can read it.

05What the proof does and does not claim

Evidence, stated honestly.

Dormouse produces compliance-grade evidence that you monitored the sources you said you would, on the cadence you promised, and that the record has not been tampered with. That is what auditors ask for under vendor-management controls, and that is what the report proves.

Dormouse does not claim to discharge a specific legal obligation for you, decide whether a given change requires action, or replace your own review. It gives you a trustworthy record and an early, classified signal. The judgment stays yours; the proof that you had the information is ours to keep honest.

See a live sample report

Become a founding customer