Provable custody. By default.
Every artifact entering the Bastion perimeter is hashed, versioned, classified, and audit-logged. Retrieval is gated, time-boxed, and recorded.
The seven controls.
Hash
SHA-256 fingerprint computed on intake. Any byte-level change produces a new artifact, never a silent overwrite.
Version
Linear, immutable version chains. The original is preserved; revisions are appended, never replaced.
Anchoring
Document hashes are anchored to external time references on a defined cadence. Existence-at-time becomes provable.
Access
Signed-URL retrieval with TTL. No public buckets. No standing links. Every download is an event.
Audit
Every read, every issuance, every verification is written to an append-only audit log scoped by role and organization.
Classification
Confidentiality tier and counsel-sensitivity flags travel with the artifact, not as a separate spreadsheet.
Storage
Private object storage. Row-level security on metadata. Service-role access reserved for verified server operations.
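The Hash and Version controls above can be illustrated with a hash-linked, append-only chain. This is an added example, not Bastion's own code; the names `VersionChain`, `intake`, `verify` and `GENESIS`, the record layout, and the choice to treat identical bytes as no new version are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder meaning "no previous version"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class VersionChain:
    """Hypothetical append-only chain: each entry commits to its content and its predecessor."""

    def __init__(self):
        self._entries = []  # version records, oldest first
        self._blobs = {}    # content hash -> bytes (content-addressed store)

    @staticmethod
    def _entry_hash(record: dict) -> str:
        # Hash a canonical encoding of the fields the entry commits to.
        body = {k: record[k] for k in ("version", "content_sha256", "prev_entry_sha256")}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def intake(self, data: bytes) -> dict:
        content_hash = sha256_hex(data)  # fingerprint computed on intake
        if self._entries and self._entries[-1]["content_sha256"] == content_hash:
            return self._entries[-1]     # identical bytes: no new version (assumption)
        prev = self._entries[-1]["entry_sha256"] if self._entries else GENESIS
        record = {"version": len(self._entries) + 1,
                  "content_sha256": content_hash,
                  "prev_entry_sha256": prev}
        record["entry_sha256"] = self._entry_hash(record)
        self._blobs.setdefault(content_hash, data)  # stored bytes are never overwritten
        self._entries.append(record)                # revisions are appended, never replaced
        return record

    def verify(self) -> bool:
        # Recompute every link; any edited record or altered blob breaks the chain.
        prev = GENESIS
        for i, rec in enumerate(self._entries, start=1):
            blob = self._blobs.get(rec["content_sha256"])
            if (rec["version"] != i or rec["prev_entry_sha256"] != prev
                    or rec["entry_sha256"] != self._entry_hash(rec)
                    or blob is None or sha256_hex(blob) != rec["content_sha256"]):
                return False
            prev = rec["entry_sha256"]
        return True
```

Because each entry hash covers the previous entry hash, publishing only the latest `entry_sha256` to an external time reference commits to the whole history before it.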
Why this matters.
Most operators discover their evidence system the week they need it — and discover it does not survive scrutiny. The Bastion Evidence Protocol is built so that custody is provable on the first day, not reconstructed on the worst day.