Verification Methodology

Verified at the moment. Provable forever.

Kindness Counts replaces self-reported volunteer hours with a record that is captured at point of service, cryptographically sealed, and independently verifiable by anyone holding the receipt.

1. Presence verified at the location

Every check-in and check-out captures a location signal at point of service. The volunteer is confirmed to be inside the event geofence at the moment they tap the button. Coordinators can override with a documented reason; overrides are audit-logged and produce a different confidence band.

2. Identity bound to a time-bound code

Check-in requires a one-time code generated from a shared secret using the TOTP standard (RFC 6238). The code is only valid in a 90-second window around its generation, so a check-in record is forensically anchored to the moment it claims.

3. Tamper-evident credential hash

At check-out we serialize every verification factor into a canonical string and produce a SHA-256 hash. The hash is stored on the record and printed on the volunteer's receipt. Any change to the underlying record changes the hash, so tampering is mathematically detectable.

4. Append-only public ledger

Every credential hash is appended to an append-only ledger with a link hash chained from the previous row. The database itself blocks updates and deletes via triggers. Editing any past row breaks every link hash after it. The full ledger is publicly readable.

5. Time anchored to public sources

Server clocks are synced to multiple independent public time services using cryptographically authenticated NTP (Network Time Security, RFC 8915). The latest ledger state is published on a regular cadence to a public, web-archived surface, providing tamper-evidence beyond our own systems.

What this gives an auditor

A public verification surface

Any third party can verify any single credential by visiting /verify/[hash]. No login. No PII exposed.

A public hash chain

The append-only ledger is readable at /api/ledger. Anyone can pull the chain and verify integrity end-to-end.
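An added example (not Kindness Counts' own code) of the end-to-end check an auditor could run over rows pulled from the ledger, using the published ledger state described in section 5 as an external anchor. The row fields (seq, credential_hash, timestamp, link_hash), the all-zero genesis value and the link formula are assumptions; this page does not specify them.

```python
import hashlib

GENESIS = "0" * 64  # assumption: link value that precedes the first row


def link_hash(prev_link, seq, credential_hash, timestamp):
    # Assumed link formula: SHA-256 over the previous link plus this row's fields.
    material = "|".join([prev_link, str(seq), credential_hash, timestamp])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def build_ledger(entries):
    # Build constructed sample rows from (credential_hash, timestamp) pairs.
    rows, prev = [], GENESIS
    for seq, (cred, ts) in enumerate(entries, start=1):
        prev = link_hash(prev, seq, cred, ts)
        rows.append({"seq": seq, "credential_hash": cred,
                     "timestamp": ts, "link_hash": prev})
    return rows


def verify_chain(rows, published_head=None):
    # Returns [(seq, problem), ...]; an empty list means the chain is intact.
    problems, prev, expected_seq = [], GENESIS, 1
    for row in rows:
        if row["seq"] != expected_seq:
            problems.append((row["seq"], "sequence gap or reorder"))
        # Chain from the recomputed value so one edit surfaces on every later row.
        prev = link_hash(prev, row["seq"], row["credential_hash"], row["timestamp"])
        if prev != row["link_hash"]:
            problems.append((row["seq"], "link hash mismatch"))
        expected_seq = row["seq"] + 1
    # A fully rewritten chain is self-consistent; only an external anchor exposes it.
    if published_head is not None and prev != published_head:
        problems.append((None, "head differs from published anchor"))
    return problems


def sample_entries():
    # Constructed sample data: four fake credential hashes with timestamps.
    return [(hashlib.sha256(f"record-{i}".encode()).hexdigest(),
             f"2024-01-0{i}T12:00:00Z") for i in range(1, 5)]


if __name__ == "__main__":
    rows = build_ledger(sample_entries())
    head = rows[-1]["link_hash"]
    rows[1]["credential_hash"] = hashlib.sha256(b"edited").hexdigest()
    for seq, problem in verify_chain(rows, head):
        print(seq, problem)
```

The head comparison matters because a party able to rewrite every row after an edit produces a chain that passes the link check on its own; only a previously published head value reveals the rewrite.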

An audit-grade reconciliation workflow

When a volunteer forgets to clock out, the system auto-closes the record and routes it to a coordinator review queue. Adjustments require a documented reason and produce a fresh credential hash plus a new ledger entry. Volunteers can dispute their own records; resolution flows through the same workflow. Every action is audit-logged.

Documented controls

A full System Description Report covering the implementation specifics is available to qualified auditors and enterprise buyers under NDA. Email trust@kindnesscounts.io to request access.

Privacy posture

Raw GPS coordinates are not retained

At check-out, raw latitude and longitude are nulled. Only the geofence-confirmation booleans persist. The credential hash uses these booleans, not raw coordinates, so the record stays auditable while the location data is purged.

Volunteer Impact Portfolios are off by default

A volunteer's record is private until they explicitly turn the public Impact Portfolio on. Even when public, only display name, city/state, an optional bio, and aggregate verified-hour data are visible. Email, phone, and date of birth are never shown.

The ledger contains no personal information

Public ledger rows contain only sequence numbers, hashes, and timestamps. To correlate a hash with a volunteer or organization, a viewer must query the verify endpoint, which enforces its own redaction rules.

What we do not claim

We are not a court-of-law expert system

The verification methodology is designed for grant-reporting, ESG-disclosure, and donor-trust use cases. It is not a substitute for forensic investigation in cases of suspected fraud.

Not every record reaches the highest confidence band

Some volunteers will forget to clock out. Some events lose connectivity. Confidence levels (verified, confirmed, partial, unverified) reflect the actual factor coverage of each record. Reports surface the breakdown.

This page describes our verification system at a high level. The full control documentation is available to qualified auditors and enterprise buyers under NDA.
