Trust, without exposing survivors
DuckShield stores each system action in a tamper-evident audit chain. Each entry includes a hash that links to the previous entry, and a signature generated by Cloud KMS.
This makes it extremely difficult to alter historical records without detection.
Privacy-first
Anonymous reporting uses Case ID + Access Code. Access Code is never placed in URLs.
Integrity
Every update appends a signed audit entry. Verification detects mismatches.
Least exposure
Audit records only store redacted payloads (description hashed), not raw sensitive narrative.