Append-only by construction
The event ledger accepts inserts only. Update, delete, and truncate operations are refused at the database layer by triggers that reject the operation — with the application role designed to hold no update or delete privileges on the ledger — not merely discouraged by application code. A correction is a new event that supersedes an earlier one, which means the act of correcting is itself documented, with its own timestamp and actor.
Per-property hash chain
Every event carries a SHA-256 hash computed over its semantic content — property, event type, method, time, party, signer details, document fingerprint, payload — and over the hash of the property's previous event. Each property's history is therefore a chain: altering any stored event, even with direct database access, produces a hash that no longer matches its successor's recorded lineage. A verification routine recomputes the chain for any property and reports any link that fails. The expected result of that verification, at any time, is zero discrepancies — and the verification itself can be run for an auditor.
Document fingerprinting
When a right-of-entry instrument is executed, the system renders the final document, computes its SHA-256 fingerprint, stores the fingerprint in the signature event, and archives the document to storage governed by a multi-year retention policy. The fingerprint in the tamper-evident ledger and the archived document can be compared at any point in the record's life: a match demonstrates the archived instrument is byte-identical to the document fingerprinted at the moment of execution. Uploaded field evidence (meter photographs, pre- and post-work photographs) is fingerprinted the same way, and an object whose stored bytes do not match the declared fingerprint is quarantined rather than accepted.
The electronic-signature ceremony
Signature events are bound to a structured ceremony aligned with ESIGN/UETA electronic-transaction practice: the disclosure is presented and affirmatively accepted before the signature step is offered; the acceptance is itself a ledger event; the ceremony is single-use and bound server-side to the session that performed it; and the signature event records the signer's typed legal name, claimed role, authority attestation, and connection facts (IP address as observed by the server, user agent, timestamps). Role rules are enforced at submission: ownership-authority roles may grant the property interest; occupants are routed to an acknowledgment flow instead.
Access design
Homeowner access uses single-property scoped links: the credential a resident receives is valid for exactly one property, is stored server-side only as a keyed hash (a database disclosure alone can neither verify nor forge one), expires, and is rate-limited. Administrative access is identity-gated infrastructure with no anonymous path. Evidence uploads go directly to retention-governed storage over short-lived signed URLs bound to the declared content type and exact byte length; file bytes do not transit the application.
What this design is intended to support
These properties — contemporaneous capture, systematic recording, append-only storage, verifiable integrity — are chosen to support the use of the record where it matters: in primacy-agency review, in program audit, and in dispute. The record structure is designed to support admissibility as business records, to produce a complete, tamper-evident count of attempts and methods, and to rebut claims that outreach did not occur or that records were assembled after the fact.
Tamper-evident does not mean tamper-proof. It means retroactive changes are designed to be detectable through verification.
The record and verification structure is designed with counsel's authentication work in mind, including certification pathways such as Federal Rules of Evidence 902(13) and 902(14) where applicable. Those rules address authentication of electronic-system records and digitally identified data; they do not guarantee admissibility, resolve hearsay or relevance objections, or replace state-specific evidentiary review.
To evaluate ES-R records against your program's requirements: structured pilot review.