
Tamper-Evidence: The Feature Nobody Talks About

Every minute you approve becomes a link in a cryptographic chain. Here is how ācta makes governance records provably unchanged, from first draft to final lock.

ācta Team

Picture the moment a lawyer asks you, across a tribunal table, to produce the minutes from a meeting that took place eighteen months ago. You open the shared drive. The file is there. It has a modified date from last week. The metadata shows four different editors over the past year. The lawyer asks, quite reasonably, how you can be sure the document in front of you says the same thing it said on the day it was approved.

You cannot. Not really. You can swear to it. You can produce witnesses. You can point to version history inside your word processor, which anyone with edit permissions can also modify. What you cannot do is hand the tribunal a mathematical proof that the text is unchanged.

This is the problem ācta's hash chain solves. And it is the feature almost nobody asks about until they need it, by which point it is usually too late to retrofit.

The Trouble With Silently Editable Documents

Most governance records in the UK live inside Word documents on a shared drive. Some live in Google Docs. A smaller but growing number live inside purpose-built board portals. All of them share a fundamental property: the text can be changed, and the change can be made to look like it never happened.

Word tracks revisions if you remember to turn the feature on. Google Docs keeps a version history, accessible to anyone with edit rights, deletable by administrators. SharePoint retains versions for a configurable window. Each of these mechanisms is useful for collaboration. None of them were designed to survive adversarial scrutiny. They rely on the honesty of the custodian and the integrity of the platform. Which is fine, until honesty or integrity is the disputed point.

The risk is not that someone will commit obvious fraud. The risk is subtler. A director misremembers a decision and asks for a small clarification. A secretary tidies up an ambiguous sentence weeks after the fact. An action item gets quietly reassigned. Each individual change feels innocuous in isolation. Together, they mean the document in your hand today is not the document that was approved at the time.

A record you can silently edit is not a record. It is a draft that never stopped being a draft.

What Tamper-Evidence Actually Means

Tamper-evidence is not the same as tamper-proof. A locked physical filing cabinet is tamper-proof, until someone with bolt cutters decides otherwise. A wax seal on an envelope is tamper-evident. The seal does not prevent you from opening the envelope. It just makes sure everyone can tell you did.

For a digital record, the equivalent of that wax seal is a cryptographic hash. A hash is a fixed-length fingerprint of a document. Feed the same document through the same hash function and you get the same fingerprint every time. Change a single character, a comma, a space, anything, and the fingerprint changes completely. The fingerprint is short. The document can be arbitrarily long. There is no way to work backwards from the fingerprint to recover the document, and no practical way to find two different documents that produce the same fingerprint.

ācta uses SHA-256, the same algorithm that secures HTTPS connections, Git commits, and every Bitcoin transaction ever made. When your minutes are generated, reviewed, amended, and eventually locked, each version is hashed. The hash is stored. If anyone ever changes the stored document, the fingerprint no longer matches, and we can say so immediately.

From Fingerprint to Chain

A single hash protects a single version. That is useful but limited. It tells you whether the document in front of you is identical to the document that was hashed. It does not tell you anything about how the document got to be that way.

Governance records need more than a snapshot. They need a history. The question in a dispute is rarely "is this file corrupted?" It is "what did the minutes say at each step of the approval process?" To answer that, you need every version, and you need to prove that the versions are connected to each other in the right order, with no gaps and no substitutions.

This is where the chain comes in. Each version of a document stores not just its own hash, but the hash of the version before it. Version 2 carries a pointer to version 1. Version 3 carries a pointer to version 2. Version 4 carries a pointer to version 3. The pointers are the previous-version hashes, embedded into the header of each new version.

Figure: A linear hash chain showing four document versions: Draft v1, Review v2, Amended v3, and Locked v4. Each block contains a truncated SHA-256 hash and a prev pointer linking to the hash of the previous block. Each version embeds the hash of the previous version. Tampering with any block breaks every subsequent link.

The practical consequence is that tampering with any single version in the chain invalidates every version that comes after it. Edit version 2 and its hash changes. Version 3 still points to the old hash, so the chain breaks at the very next step. There is no way to rewrite history quietly. You would have to rewrite every subsequent version, and each of those rewrites is itself visible.

This is the same structural idea used by Git to track source code and by blockchains to track transactions. The pattern is sometimes called a Merkle chain or, more loosely, a linked hash list. ācta uses it for a narrower purpose: one document, one lifecycle, one chain.

The Four States of an ācta Record

Every set of minutes in ācta moves through a defined lifecycle. Each transition produces a new block in the chain, hashed against the previous state.

1. Draft

The first generation, usually produced from an audio recording by our transcription pipeline. The draft is hashed the moment it is committed for review. This is block one: its previous-hash pointer is null, its own hash becomes the anchor for everything that follows.

2. Review

Reviewers make edits, leave comments, and request changes. Each time the minutes are saved during review, the revision is hashed and linked. Nothing in this phase is silent. A reviewer cannot open an earlier version, change a number, and slip it back into place. The chain will not accept it.

3. Amended

If the minutes need to change after the initial review, typically because a new correction surfaces at the next meeting, the amendment is recorded as its own block. The chain preserves both the original text and the amended text. You can always show what the minutes said before the amendment and what they say now, with dates and attribution.

4. Locked

Once approved by the responsible parties, the minutes are locked. The final block closes the chain. From this point on, no in-place edits are possible. If a further correction becomes necessary, it must open a new chain with an explicit reference to the locked record. The locked version stays exactly as it was on the day it was approved, and its hash is the proof.

Nothing in ācta is ever silently overwritten. Every state transition is hashed, chained, and dated. The history is the record.

Amendments, Not Edits

The distinction between an amendment and an edit is one of the most underappreciated points in governance practice. An edit rewrites history. An amendment adds to it.

Robert's Rules of Order, Charity Commission guidance in the UK, IRS governance expectations for nonprofits in the US, and virtually every credible source on committee procedure treat amendments the same way. A correction to approved minutes is made at the next meeting, noted explicitly, and attributed to whoever proposed it. The original text remains visible. The correction sits alongside it. Anyone reading the record later can see both, and can tell the difference.

ācta enforces this structurally. Locked minutes cannot be edited in place. If you need to change them, the system requires you to produce a formal amendment, signed off by the appropriate role, which becomes its own block linked to the locked record. The chain grows. Nothing is lost.

Contrast this with a Word document. You open it, make the change, save, and nothing is noted. Even with track changes enabled, a user with sufficient permissions can accept all changes and discard the history. There is no structural barrier. The discipline has to come from the people, and people forget, or worse, do not.

Why Regulators and Tribunals Care

The value of a tamper-evident record is invisible right up to the moment it is tested. When it is tested, the difference between having one and not having one is usually the difference between a ten-minute conversation and a six-month investigation.

Audit evidence

Auditing standards — the Financial Reporting Council's in the UK and the PCAOB's in the US — require auditors to gather sufficient appropriate evidence, including evidence of governance decisions. An auditor asking to see the minutes for a board's approval of a related-party transaction is not satisfied by a Word document with ambiguous provenance. A hash-chained record, on the other hand, gives the auditor something they can verify independently: the document today produces the same fingerprint as the one recorded on the approval date.

Data protection

Data protection law requires personal data to be processed with appropriate integrity and confidentiality. The GDPR (Article 5(1)(f), applicable in both the EU and UK) makes this explicit, and US frameworks including HIPAA and state privacy laws impose comparable integrity obligations. Minutes often contain personal data: attendance, decisions about individuals, disciplinary references. A tamper-evident chain provides a demonstrable control for the integrity half of that requirement, which is otherwise a matter of policy rather than proof.

Retention

The Charity Commission in the UK expects trustees to keep records for a minimum period, and the IRS expects 501(c)(3) boards to do the same. Financial services firms have stricter duties still. SEC Rule 17a-4 in the United States has long required broker-dealers to keep certain records in a non-rewritable, non-erasable format, known as WORM storage, precisely because regulators stopped trusting the integrity of ordinary file systems decades ago. A hash-chained record goes one step further: it is not only non-rewritable, it is self-verifying.

Tribunals and disputes

Employment disputes — whether before a UK tribunal or a US court — frequently turn on what was said and decided in a meeting. Shareholder disputes hinge on the minutes of a contested vote. Regulatory inquiries, from the Charity Commission in the UK or state attorneys general in the US, pivot on the documented basis for a governing board's decision. In each case, the side with a credible, unalterable record has a structural advantage. The side relying on "we can show you the file" is operating on trust, not evidence.

Scenarios Where the Chain Earns Its Keep

Three illustrations make the point better than any abstract explanation.

The contested action item

A trustee claims they never accepted responsibility for a particular piece of fundraising work. The chair believes otherwise. With ordinary minutes, the conversation ends in a stalemate, or in a long scroll through email threads. With ācta, the locked minutes for the meeting in question show the action item, the owner's name, the date of approval, and a hash that can be re-computed from the document. The hash has not changed. The record has not changed. The conversation ends.

The late correction

Six weeks after a board meeting, the company secretary notices a typo in a financial figure. On a shared drive, the temptation is to fix it and say nothing. In ācta, the locked minutes cannot be silently edited. The secretary raises the correction at the next meeting, it is minuted as an amendment, and the new block is hashed onto the chain. Both versions remain visible. Anyone auditing the record a year later can see exactly what was corrected, when, and by whom.

The departing custodian

A long-serving secretary leaves under difficult circumstances. Their replacement cannot be certain that every historical record is untouched. With a hash-chained archive, the question is answered in seconds. Every chain can be re-verified end to end. If any document has been tampered with, the chain surfaces it. If nothing has been touched, there is no lingering doubt. The organization inherits provable history, not rumored history.

What This Is Not

Honesty about capabilities matters. A hash chain is a strong integrity control, but it does not solve every problem.

It does not prove that the minutes are accurate. Garbage in, garbage out. If the draft is wrong, the chain faithfully preserves the wrong draft. Accuracy is a human responsibility, addressed by the review step, not by cryptography.

It does not prove who wrote or approved a given version. That is the job of authentication, which ācta handles separately through Clerk-backed identity and signed audit events.

It does not, by itself, defend against a sophisticated attacker with unrestricted access to every system, including the hash storage. No system does. What it does is raise the cost and visibility of tampering by several orders of magnitude, making casual or opportunistic alteration effectively impossible and deliberate alteration detectable.

Tamper-evidence does not make you immune to disputes. It makes you the party holding the evidence when the dispute arrives.

Why General-Purpose Tools Do Not Do This

Word, Google Docs, Notion, SharePoint, and every meeting note app you have ever used are optimised for something different. Their job is to make collaboration frictionless. Friction is the enemy of the product metric. The whole point of a word processor is that anyone with access can change anything, instantly, without ceremony.

Tamper-evidence adds ceremony by design. It draws a line between draft and record, and it refuses to let you cross that line silently. That is the opposite of frictionless. It is also what governance requires.

A general-purpose tool can bolt on some version history, some access controls, some audit logs. None of these are the same as a hash chain that is mathematically bound to the content. The collaboration tools have their place, and for most of what organizations write, they are perfectly adequate. For minutes, for decision registers, for regulated records, they are not.

How To Check The Chain Yourself

One of the properties of a good tamper-evident system is that you do not have to take anyone's word for it, including ours. Every version of every document in ācta carries a unique fingerprint, a SHA-256 hash, in its audit export. Think of it as a digital seal: if even a single character of the document changes, the fingerprint changes completely. You can check that seal independently, without trusting our system, by comparing the fingerprint we stored against the one the document produces today.

The chain works the same way. Each version's fingerprint is built from the previous version's fingerprint plus the current content, creating a sequence where every link depends on the one before it. If someone altered a record in the middle of the chain, every fingerprint after it would break. Checking the whole history is like pulling a thread: one tug tells you whether the fabric is intact.
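
The check described above, as an added example; it is not ācta's code or its audit export format. The field names (`state`, `content`, `prev`, `hash`), the way the previous hash is combined with the content, and the sample minutes are all assumptions made for illustration.

```python
import copy
import hashlib

def block_hash(prev_hash, state, content):
    """SHA-256 over previous hash, lifecycle state and content (assumed layout)."""
    h = hashlib.sha256()
    for field in (prev_hash or "", state, content):
        data = field.encode("utf-8")
        # Length prefix keeps the boundaries between fields unambiguous.
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def append_block(chain, state, content):
    prev = chain[-1]["hash"] if chain else None  # first block has a null pointer
    chain.append({"state": state, "content": content, "prev": prev,
                  "hash": block_hash(prev, state, content)})

def verify_chain(chain, trusted_head=None):
    """Return (ok, index_of_first_bad_block, reason)."""
    prev = None
    for i, block in enumerate(chain):
        if block["prev"] != prev:
            return False, i, "prev pointer does not match preceding block"
        if block_hash(block["prev"], block["state"], block["content"]) != block["hash"]:
            return False, i, "stored hash does not match content"
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain) - 1, "head differs from independently held hash"
    return True, None, "chain intact"

def sample_chain():
    """Constructed sample data: one record moving through the four states."""
    chain = []
    for state, text in [("draft", "Budget approved: 12,000 GBP."),
                        ("review", "Budget approved: GBP 12,000. Owner: J. Smith."),
                        ("amended", "Budget approved: GBP 12,500. Owner: J. Smith."),
                        ("locked", "Budget approved: GBP 12,500. Owner: J. Smith.")]:
        append_block(chain, state, text)
    return chain

def demo():
    good = sample_chain()
    head = good[-1]["hash"]  # fingerprint noted outside the system at approval
    edited = copy.deepcopy(good)
    edited[1]["content"] = "Budget approved: GBP 21,000. Owner: J. Smith."
    rewritten = copy.deepcopy(edited)
    for i in range(1, len(rewritten)):  # every later link recomputed as well
        b = rewritten[i]
        b["prev"] = rewritten[i - 1]["hash"]
        b["hash"] = block_hash(b["prev"], b["state"], b["content"])
    return (verify_chain(good, head), verify_chain(edited, head),
            verify_chain(rewritten), verify_chain(rewritten, head))
```

The third result in `demo()` passes: a chain whose every link has been recomputed is internally consistent. Only the comparison against a head hash held outside the system (the fourth result) exposes it, which is why the final fingerprint should be recorded somewhere the custodian of the documents cannot alter.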

ācta's document verification tooling will make this even simpler. Drop a PDF onto the page, or paste its fingerprint, and ācta will confirm whether the document matches what was approved, who approved it, and when. No account required, no technical knowledge needed. The goal is that anyone, an auditor, a board member, a regulator, can verify a record's integrity in seconds, without asking us or anyone else to vouch for it.

The Bottom Line

Tamper-evidence is the feature you hope you never need. It is also the feature that turns a document into a record. Without it, minutes are a helpful summary. With it, minutes are evidence.

Most organizations will go their whole lives without being asked to prove that their governance records are unaltered. A few will be asked, and when the question arrives, they will learn very quickly which side of the line they were on. The work to put a proper chain in place costs nothing once it is built into the tool. The work to reconstruct a defensible record after the fact is, at best, expensive and embarrassing. At worst, it is impossible.

If someone asked you today to prove what your minutes said on the day they were approved, could you? If the answer is anything other than yes, your records are not yet records.

ācta was built on the belief that the answer should be yes, automatically, for every meeting, without anyone having to think about it. The hash chain is how we keep that promise.
