ProofCycle
by SVCM
← Back to home
Security

Security and Trust

Our security model is designed for transparency, not obscurity. We explain exactly how our chain-of-custody works, what our hash structure looks like, and what we do and do not claim about our verification process.

What we do not claim

We do not claim blockchain verification, decentralized storage, or zero-knowledge proofs. Our certificates are signed and hash-chained using standard cryptographic primitives (SHA-256, ECDSA). Our verification infrastructure runs on our own servers. We believe this is the right level of assurance for physical asset disposition, and we are transparent about the trust model rather than hiding behind buzzwords.

Security practices

Hash-chained custody events

Every custody event (pickup, transport, intake, processing, certification) generates a SHA-256 hash that includes the previous event's hash as input. This creates a tamper-evident chain: modify any event and all subsequent hashes become invalid. The chain is verified automatically when a certificate is checked.

Tamper-evident certificates

Certificates are signed with our facility key and include the full hash chain. The signature covers the certificate ID, event chain, evidence manifest, and issuance metadata. Altering any field after issuance invalidates the signature, which is checked on every verification.

Independent verification

Anyone with a certificate ID or QR code can verify a certificate at verify.proofcycle.com. Verification checks: (1) the certificate exists in our registry, (2) the hash chain is intact, (3) the signature matches our public key, (4) custody event counts match, and (5) evidence files are linked.

Operator accountability

Every custody event records the operator ID and name. All operators are background-checked employees, not contractors. Photo evidence is timestamped and geotagged at our facility. Witness attestations are recorded directly on the certificate when a customer representative is present.

Hash structure

Simplified view of our chain structure.

// Event hash computation
event_hash = SHA256(
previous_event_hash +
event_type +
timestamp +
operator_id +
location_id
)
// Certificate signature
signature = ECDSA_sign(
private_key,
SHA256(certificate_id + final_event_hash + evidence_manifest)
)
// Verification check
ECDSA_verify(public_key, signature, computed_hash)
// Returns: valid | invalid

Trust model

Our system requires you to trust that SVCM honestly records custody events and issues certificates. The hash chain and signature guarantee that certificates cannot be altered after issuance without detection, but they do not independently verify that the physical events occurred. That assurance comes from photo evidence, weight tickets, operator identity, and the optional witness attestation.

We believe this is the honest framing. Our certificates prove that we committed to a specific sequence of events and locked that commitment with cryptographic evidence. If any event is later disputed, the hash chain provides an unforgeable record of what we attested to and when.

SHA-256 hash chainECDSA signaturesPhoto evidenceOperator accountabilityOptional witness
Try the verifier Security questions