Continuity & durability
What happens to your proofs if we disappear?
Nothing. That is the design constraint everything else follows from — and the question every serious buyer should ask any evidence vendor.
The one-sentence answer: every receipt you hold verifies against public data alone — the Merkle path in your receipt and the anchor on a public ledger. Verification never requires our servers, our company, or our permission. Delete LedgerProof tomorrow; your evidence still holds.
Why that's true, mechanically
- Receipts are self-contained. A receipt carries the entry hash, the inclusion path, and the anchor reference. Anyone can recompute the chain: content hash → entry → daily root → on-chain commitment.
- The anchor is public. Daily roots are committed to a public ledger replicated by thousands of independent parties. We cannot edit it; neither can anyone else.
- The verifier is open. The verification tooling and SDK are open (Apache-2.0, on npm), and the verifier re-checks everything in your browser — including fetching the anchor transaction from public chain infrastructure, not from us.
- The protocol is Foundation-stewarded. The protocol specification is owned by the LedgerProof Foundation, a California nonprofit (501(c)(3) application in process), separate from the commercial company — so the rules of verification cannot be enclosed.
What would actually stop
If LedgerProof (the company) ceased operating, issuance of new receipts and the managed services would stop — new anchoring, monitoring, the Vault, support — while every receipt already issued keeps verifying. Old proofs don't need us; only new ones do.
Key custody
Signing keys are held in isolated, encrypted infrastructure secrets — never in code, never in the browser, never in backups of user data. Key rotation and revocation are signed, chained events: a compromised key can be publicly superseded without invalidating the history it signed before compromise. A formal ceremony (multi-party, HSM-backed) is on the roadmap as enterprise custody demands it; we will state plainly which stage we are at when asked.
Data durability
- We store hashes, never your content. There is no honeypot of your documents or prompts to lose, leak, or subpoena.
- The public record corpus (the Global Record) is rebuildable from its sources plus the on-chain anchors — the anchors are the ground truth, and those live on the public ledger.
- Operational data (accounts, receipts metadata) is backed up across providers; loss of any single vendor is an inconvenience, not an integrity event.
Assurance roadmap
We are candid about maturity: LedgerProof is an early-stage system with an open protocol at its core. A SOC 2 program and a formal multi-party key ceremony are roadmap items we sequence against enterprise demand. What is not roadmap — what is true today — is the property that matters most: your evidence does not depend on our existence.
Questions a procurement or security review should ask us — and our standing answers — are available on request: veronica@ledgerproofhq.io. See also protocol stewardship & longevity.