CredaScan resource

CredaScan Guide

How to create, keep, and verify replay-verifiable integrity records for scanned legal, governance, and compliance documents.

What CredaScan does

CredaScan helps create a simple, independently verifiable record that a scanned document file has not changed since the CredaScan record was made. It is intended for wet-signed scans, legal documents, governance records, credentialing files, audit materials, compliance documents, and formal submissions.

CredaScan does not upload or store the document. The file is processed locally in the browser to calculate a SHA-256 hash and generate user-downloaded proof records.

Why this is stronger than only saving the file

  • File dates, screenshots, email attachments, and ordinary metadata can be changed or disputed.
  • A SHA-256 hash is a verifiable fingerprint of the exact file bytes.
  • Anyone with the original file and CredaScan manifest can recompute the hash and compare it later.
  • The CredaScan manifest creates a structured evidence record, not just a loose hash value.

How to create a CredaScan record

  1. Open the CredaScan create tool.
  2. Select the scanned document file on your device.
  3. Add optional context such as document title, matter/reference ID, custodian/issuer, document role, and notes.
  4. Select Generate Record.
  5. Download and keep the CredaScan Manifest JSON, document hash file, and verification report.
What to keep: keep the exact scanned document file and the CredaScan Manifest JSON. The manifest is the primary proof container. The report is a human-readable summary.

How to verify a CredaScan record

  1. Open the CredaScan Verify page.
  2. Select the document file being tested.
  3. Select the matching CredaScan Manifest JSON.
  4. Select Verify Record.
  5. CredaScan recomputes the SHA-256 hash and compares it to the hash stored in the manifest.

A Verified result supports that the tested file is identical to the version recorded in the manifest. A Mismatch result indicates the file differs from the recorded version, the wrong file was selected, the wrong manifest was selected, or the file was modified by scanning, compression, OCR, metadata changes, cropping, rotation, or other processing.

What CredaScan proves

CredaScan supports verification that a scanned digital evidence object is identical to the file version used to create the CredaScan record.

  • Integrity: if the file hash matches the manifest hash, the file is byte-for-byte identical to the recorded version.
  • Replay verification: the same verification method can be repeated later using the original file and manifest.
  • Manifest consistency: the manifest provides structured context for the evidence record.

What CredaScan does not prove

CredaScan does not, by itself, prove authorship, ownership, possession, chain of custody, wet-signature authenticity, signer identity, signer intent, legal enforceability, notarization, or admissibility.

CredaScan does not provide legal advice. Legal assessment depends on applicable law, rules of evidence, chain-of-custody documentation, and case-specific circumstances.

Privacy and storage

  • The selected file is processed locally in the browser.
  • The document is not uploaded, transmitted, stored on a server, or retained by CredaScan after close, refresh, or reset.
  • CredaScan does not create a copy of the document.
  • The only records that persist are the files the user chooses to download and keep.

Technical verification note

The CredaScan manifest JSON is the primary proof container. Independent verification can be performed without CredaScan by computing SHA-256 over the subject file bytes and comparing the result to the document hash stored in the manifest.

Future versions may optionally support RFC 3161 timestamp evidence. In that case, the timestamp token would support that the file hash existed at the timestamp recorded in the token, subject to the applicable timestamp authority trust and validation policy.