Security & Trust

Cryptographic Timestamp Chaining

Every event in a verified session — start, capture, checkpoint, end — is hashed using SHA-256 and linked to the previous event. This creates an immutable chain where modifying any entry invalidates everything after it.

• SHA-256(previousHash + timestamp + eventType + data)
• Chain validated server-side on session completion
• Timestamp monotonicity enforced (each event must be after the previous)
• Genesis hash anchors the chain — no entry can be prepended

Geolocation Verification

Device GPS coordinates are captured at session start and end, then compared against the property's known geocoded address. Sessions outside the configured geofence are flagged — not blocked — providing transparency without friction.

• Property addresses geocoded during setup
• Configurable geofence radius per property (default: 200m)
• Start and end coordinates captured and stored
• Impossible movement detection (GPS jumps during session)

Tamper-Evident Media Storage

Every photo and video is SHA-256 hashed on the device before upload. The hash is registered in the timestamp chain. Any modification to the file after capture will produce a different hash, making tampering immediately detectable.

• Hash computed on-device before network transmission
• Hash registered in timestamp chain before upload completes
• Server-side hash verification on upload receipt
• Original files stored immutably — no in-place modification

Infrastructure Security

Vetra runs on Google Cloud Platform via Firebase, inheriting GCP's SOC 1/2/3, ISO 27001, and FedRAMP certifications for infrastructure. Application-level security is built to complement these foundations.

• Firebase Auth with multi-factor support
• Firestore security rules enforce role-based access
• Firebase Storage rules prevent unauthorized media access
• All data encrypted at rest (AES-256) and in transit (TLS 1.3)