Verification: two forms of assurance
Softcrow offers two forms of verification. Key verification gives immediate assurance that the beneficiary’s encryption key matches the deposit, a quick check that prevents a mismatch from surfacing only in an emergency. A verification audit goes further and confirms that a working version of the software can be built from the deposit.
The usability of a deposit stands or falls with the quality of the delivery; a verification audit gives assurance about what the deposit contains at that moment. That is why we recommend repeating it periodically, certainly after major updates to your software.
1. Key verification
After receiving a new deposit, the beneficiary can check free of charge whether the encryption key made available to them matches the checksum stored with the deposit. This gives immediate assurance that the correct key is available, without Softcrow having access to the key itself. It is a practical first check that fully aligns with the zero-knowledge principle.
Key verification confirms that your key matches the checksum Softcrow received with the deposit. The correctness of that checksum depends on the delivery by the supplier. Softcrow receives and stores the checksum as delivered, without any ability to verify it.
How does the process work?
- Activation: after a new deposit file has been uploaded, the option to perform key verification becomes available in the beneficiary’s Dashboard
- Verification: using the tool supplied by Softcrow, the beneficiary verifies the key
- Reporting: the beneficiary reports the result in the Dashboard
Result: verified key
The result is an early confirmation that the beneficiary holds the correct key, well before it is ever needed. If a mismatch comes to light, it can be resolved with the supplier in good time instead of only during an emergency. In this way, access to the deposit is demonstrably secured before the moment it matters.
2. Verification audit
A verification audit goes further: the supplier builds a working environment from the deposit while an independent NOREA IT auditor oversees the process.
A verification audit is not a standard part of an escrow agreement: it is an optional service carried out at the request of the beneficiary or the supplier.
In a verification audit, the supplier builds a working environment based on the deposit and a step-by-step compilation guide supplied in advance. An independent NOREA IT auditor oversees (virtually) and assesses whether the build follows the supplied description. A beneficiary can request it, but a supplier can also initiate it themselves. The outcome depends on the completeness and quality of the delivery by the supplier. Softcrow coordinates the process but is not a party in the assessment.
How does the process work?
- Request: the beneficiary or the supplier requests a verification audit through Softcrow
- Coordination: Softcrow engages an independent NOREA IT auditor and aligns the process with supplier and beneficiary
- Execution: the supplier builds a working environment based on the deposit and the compilation guide supplied in advance; the independent NOREA IT auditor oversees (virtually) and assesses whether the build follows the supplied description
- Upload: if any changes have taken place, the verified deposit is uploaded to Softcrow
- Reporting: the auditor draws up a verification report and shares all findings with the parties involved
- Verified storage: Softcrow officially marks the deposit as verified; the deposit is thereby kept separate and cannot be deleted automatically
Who carries out the verification audit?
A verification audit is always carried out under the supervision of an independent external IT auditor. That is a deliberate choice. Softcrow stores the deposit but has no access to the contents. The verification audit tests the delivery by the supplier. For efficiency, and to save travel and accommodation costs, audits are usually carried out remotely.
The IT auditors Softcrow engages are registered with NOREA, the Dutch association of Register EDP Auditors. That is a protected professional title with its own quality standards and disciplinary law. NOREA’s code of conduct for Register IT auditors (Reglement Gedragscode Register IT-Auditors) applies.
Softcrow coordinates the process and acts as the point of contact for all parties involved.
Result: verified storage
Afterwards, supplier and beneficiary receive a verification report from the independent NOREA IT auditor. This report describes the findings and states whether a working application can be compiled from the deposit.
The report gives the beneficiary a substantiated, independent picture of what could be built from the deposit at the time of the audit. For the supplier, it is a confirmation that the delivery meets the requirements set.
The deposit thereby gains the status of verified storage. That status distinguishes it from deposits whose usability has not been confirmed: for a verified deposit, it has been established that a working version of the software can be built from the contents. Softcrow records this status in the Dashboard. That is precisely the assurance escrow is meant for.
Costs
Key verification is free of charge. The costs for a verification audit can be found on our pricing page.