Skip to content

Evidence Integrity Statement (For Auditors)

Last Updated: 19 May 2026 | Version 2.0

This document is for independent AML/CTF auditors (for example, those conducting Part 8.6 reviews) or AUSTRAC compliance officers assessing a Firm's use of the duely platform. It explains the technical mechanisms duely uses to demonstrate that verification records have not been altered after the recorded timestamp.

1. The Challenge of Digital Evidence

In an AML/CTF context, a Reporting Entity must be able to demonstrate that it verified a customer's identity at a specific point in time, and that the evidence relied on (for example, a scanned passport or a PEP screening result) has not been altered since that verification occurred.

duely addresses this through cryptographic hashing and append-only audit logs.

2. What is Cryptographic Hashing? (Plain-English summary)

A cryptographic hash acts as a digital fingerprint for a file.

  • When an AML/CTF verification workflow is completed in duely, all collected documents, screening results, and risk assessments are bundled into a single PDF document called an Evidence Pack.
  • duely runs this finalised Evidence Pack through a mathematical algorithm called SHA-256.
  • The algorithm produces a 64-character string of letters and numbers (the "Hash").
  • Even the smallest change to the Evidence Pack (for example, altering a single pixel on a scanned ID or changing a date from "2024" to "2025") will produce a different Hash.

3. How We Support Non-Repudiation

  1. The Hash is logged. At the moment the Evidence Pack is created, its SHA-256 Hash is recorded in duely's append-only audit log alongside the timestamp of creation and the identity of the user who performed the verification.
  2. The document is locked. The Evidence Pack PDF is read-only within the Platform.
  3. Independent verification. If an auditor downloads an Evidence Pack at a later date, the auditor can independently run that PDF file through any standard SHA-256 hashing tool (freely available online or built into modern operating systems).
  4. The result. If the Hash generated by the auditor matches the Hash recorded in duely's audit log at the time of creation, the auditor has strong cryptographic evidence that the document is identical to the one created at the time of verification, supporting non-repudiation.

duely does not warrant the validity of evidence outside its own chain of custody, including evidence handled, copied, or altered after export from the Platform.

4. Immutable Audit Logging

Alongside Evidence Packs, duely maintains an append-only event stream for every matter.

  • "Append-only" means new events (for example, "User Jane Doe assigned Risk Rating High at 2:04pm") can only be added to the end of the log.
  • Existing events cannot be edited or deleted through the application interface, by users with the AMLCO role, or by duely engineers.
  • This creates a tamper-evident chain of custody for actions taken in relation to a specific customer.

5. Summary for Independent Reviewers

When reviewing a Firm that uses duely, you can treat digital Evidence Packs generated by the Platform as faithful representations of the verification procedures recorded at the stated timestamp, subject to independent SHA-256 verification against the Hash recorded in duely's audit log. Modifying an Evidence Pack without producing a different Hash is computationally infeasible without detection.

This Statement is informational only and does not form part of the Master Subscription Agreement. It is not a warranty by duely as to the legal sufficiency of the Firm's underlying compliance program.