Security
A record you can verify yourself.
Kestrel hash-chains the audit trail and digitally signs case exports. You do not need to trust us. You can check.
Each block’s hash covers every block before it
How it works
What sits between your data and the outside.
Hash-chained audit log
Actions in a Kestrel matter write to an append-only log. Each entry hashes the one before it with SHA-256, so altering a past record breaks the chain and shows on the record. Database triggers block UPDATE and DELETE at the engine level.
SHA-256 · append-only · trigger-enforced
Signed exports
When you export a case, Kestrel signs the bundle with Ed25519. Anyone who receives it can confirm where it came from and that nothing has changed since, offline, without calling us.
Ed25519 · detached signatures · offline verification
Encryption
TLS 1.3 on connections. AES-256 on data at rest. Evidence files get a second encryption layer at the storage tier, so a compromised disk yields nothing readable.
TLS 1.3 · AES-256 · storage-layer encryption
Tenant isolation
PostgreSQL row-level security policies sit between your data and the application. Queries are scoped to the requesting organisation at the database, not the app, so an application bug cannot leak data across tenants.
PostgreSQL RLS · tenant-scoped queries
Mandatory MFA
Two-factor authentication is enforced at the database layer through Supabase AAL2 policies. Your administrators cannot turn it off. A stolen session cookie is not enough to get in.
TOTP · AAL2 · non-bypassable
Malware scanning
Uploaded files pass through ClamAV before anyone can open them. Infected files are quarantined and never enter the case record. Clean files move into encrypted storage.
ClamAV · pre-access · auto-quarantine
Tamper-evident evidence
Each uploaded file picks up a SHA-256 hash on arrival. Any later change to the file is visible on the record. Download links are time-limited and scoped to the party who should have access.
SHA-256 · time-limited · party-scoped
Full attribution
The audit log records who did what, when, and from where. It is the source of truth for a contested matter. Export it, hand it to the court, or keep it for your own files.
hash-chained · append-only · exportable
Verification
Check it yourself.
Case exports carry an Ed25519 signature and a full hash chain. You can confirm the record is genuine and unaltered without calling us, offline if you need to.
The verification checks the signature, walks the chain link by link, and matches each evidence file against its SHA-256 hash. If someone has changed something, the check fails.
Export bundle received
kestrel-export-2026-04.zip
Ed25519 signature verified
sig: 4cf720b1d8e3…9f2c OK
Hash chain walked
247 events · 247 valid links
Evidence hashes match
14 files · 14 SHA-256 match
Record is authentic
VERIFIED
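The chain walk and evidence-hash match described above, as an added Python example that is not Kestrel's verifier or export format: the entry layout (prev_hash, payload, hash), the all-zero genesis value and the sample events are assumptions. SIGNED_HEAD stands in for a chain-head value covered by the export's Ed25519 signature, which matters because a log re-hashed from an edited entry onward has valid links but a different head.

```python
import copy, hashlib, json
GENESIS = "0" * 64  # assumed prev_hash of the first entry

def entry_hash(prev_hash, payload):
    # Canonical JSON so the same payload always serialises to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = entry_hash(prev, payload)
        chain.append({"prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain, trusted_head):
    """Walk every link, then compare the last hash with the trusted head."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or entry_hash(prev, e["payload"]) != e["hash"]:
            return f"broken link at entry {i}"
        prev = e["hash"]
    return "ok" if prev == trusted_head else "head mismatch"

def verify_evidence(chain, files):
    """Names of files missing or differing from the SHA-256 logged at upload."""
    logged = {e["payload"]["file"]: e["payload"]["sha256"]
              for e in chain if e["payload"]["action"] == "upload"}
    return sorted(n for n, want in logged.items()
                  if n not in files or hashlib.sha256(files[n]).hexdigest() != want)

FILES = {"contract.pdf": b"contract v1", "notice.eml": b"notice"}  # constructed sample
EVENTS = [{"actor": "alice", "action": "open_matter"}] + [
    {"actor": "alice", "action": "upload", "file": n,
     "sha256": hashlib.sha256(b).hexdigest()} for n, b in FILES.items()]
CHAIN = build_chain(EVENTS)
SIGNED_HEAD = CHAIN[-1]["hash"]  # assumption: the export signature covers this

def tampered(recompute):  # constructed case: entry 1 changed, optionally re-hashed
    events = copy.deepcopy(EVENTS)
    events[1]["actor"] = "mallory"
    if recompute:
        return build_chain(events)
    return CHAIN[:1] + [dict(CHAIN[1], payload=events[1])] + CHAIN[2:]

if __name__ == "__main__":
    for c in (CHAIN, tampered(False), tampered(True)):
        print(verify_chain(c, SIGNED_HEAD))
```

A verifier that walks the links without anchoring the head to a signed or independently stored value would accept the re-hashed log.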
Why it matters
The credibility of the record.
Dispute work lives or dies on the record. When someone contests what happened, the question is whether the evidence holds up. Kestrel is built so that question has a clear answer: the audit trail is hash-chained, the evidence is hashed on upload, and the export is signed. It checks out or it does not.
We did not bolt security on after building the workflow. The hash chain, the RLS policies, the MFA enforcement, the signed exports: these are the foundation. The rest of the platform sits on top of them.
Next step
We are happy to go further.
If your firm has compliance or infosec requirements this page does not cover, we are happy to walk through the architecture in detail. Start with a conversation.