Skip to content
DeCA Platform

We don't ask for your trust — we hand you the proof

Anyone can write “bank-grade security” on a website. We would rather show you how ours works and give you the means to check it: every operation on your documents is sealed into a hash chain you can verify yourself.

The hash chain: evidence you can prove, not promises

Everything that happens to a document — activation, in-route changes, incidents, inspection downloads — is written to an append-only history. And every entry is cryptographically sealed to the previous one.

The first link (genesis) is derived from the document's unique identifier. From there, every operation records what happened, when, and what changed — always preserving the previous value — and is sealed with a SHA-256 hash that incorporates the hash of the preceding link.

The consequence is mathematical, not commercial: the past cannot be rewritten without breaking every later seal. Not one of our employees, not an attacker, not even we ourselves can alter a recorded operation without the chain failing to add up.

You may have seen the word “blockchain” used as decoration in this industry: a badge on a website with nothing the customer can actually check. Our position is the opposite:fewer buzzwords, more verification. The chain exists in every document, it is yours, and it verifies with standard tooling — no tokens, no cryptocurrency, no faith required.

In a dispute or a claim, that sealed history is your evidence: who changed the plate, when the PDF was downloaded at a roadside inspection, and which version was current at every moment.

Link 0 · Genesis

Derived from the document’s unique identifier. It anchors the chain: nobody can “start over” without it showing.

SHA-256 hash: 4c81f0a2d9e6…

Operation 1 · Activation

previous hash: 4c81f0a2d9e6…

Document activated · PDF v1 generated · 2026-10-06 07:41:02 UTC

SHA-256 hash: a97e30c5b1d4…

Operation 2 · Plate change

previous hash: a97e30c5b1d4…

Field: plate · previous value preserved · reason recorded · PDF v2

SHA-256 hash: f2154d8be07a…

Operation 3 · Roadside inspection download

previous hash: f2154d8be07a…

Current PDF downloaded from the public URL (QR) · kept as evidence

SHA-256 hash: 08d39cc471f6…

Every link includes the hash of the previous one: if anyone alters a past operation, every later hash stops matching. Tampering is not just “detected” — it is provable.

How verification works, in three steps

  1. 1

    Get the history

    Every document keeps its full operation history, including the hash of every link.

  2. 2

    Recompute the seals

    With any standard SHA-256 implementation — yours, not ours — recompute the chain link by link.

  3. 3

    Compare

    If every recomputed hash matches the recorded one, the history is intact. Had anyone touched anything, none of the later hashes would match.

Encryption and isolation

The baseline measures, described without fog: what we protect, where, and how.

Encryption in transit

All communication travels over HTTPS with TLS 1.2 or higher: the panel, the API, the driver view and the public inspection URL. For the latter it is not just good practice — it is a requirement of Spain's technical resolution of 5 June 2026, and inspectors check it.

Encryption at rest

The database and PDF storage are encrypted at rest (AES-256) on infrastructure with EU data regions. API keys are never stored in plain text: we keep only their hash.

Multi-tenant isolation with RLS

Account isolation is enforced with row-level security policies inside the database engine itself. We do not rely on every query in the code “remembering” to filter: the database demands it, always — including for partners operating multiple end customers.

Access and keys

Scoped API keys, rotatable and instantly revocable. Webhooks signed with HMAC-SHA256 so your system can verify the origin of every notification. Support access is exceptional and audited, with no visibility of your keys.

Custody and continuity

A transport document does not end when the journey ends: the law requires keeping it and being able to produce it.

Legal custody ≥ 1 year

Issued documents are retained for at least one year, the legal minimum for the contractual shipper and the effective carrier in Spain. The repository is shared: if one party issues, the other can download throughout the whole period.

Versioned PDFs

Every in-route modification generates a new PDF version, preserving the previous ones and the reason for the change, exactly as the regulation requires. Nothing is overwritten: everything is kept and chained.

Backups

Automatic daily database backups and redundant PDF storage, with a documented restore procedure.

The inspection download: our most critical component

If an officer scans the QR and the document does not download, the problem is yours and your driver's. So this component is treated differently from everything else.

At the edge of the network, close to the road

Each document's public URL is served from a globally distributed delivery network (edge), not from a single server. The availability objective is 99.9% monthly — published with its definition and service credits in ourSLA.

Direct download, as the law requires

The QR leads to a direct download of the current PDF: no login, no credentials, no intermediate buttons — exactly as Spain's resolution of 5 June 2026 requires. Verified TLS and a unique URL per document.

Every download becomes evidence

Every download from the public URL is recorded in the document's sealed history: date, time and version served. If you are inspected, you hold the proof of what was shown and when.

Real-time inspection alert

When your document's QR is scanned, you know immediately: an alert in the panel and, if you configure it, a webhook to your system. No regulation requires this — but knowing your truck is being inspected right now is priceless.

Responsible disclosure

If you have found a vulnerability, we want to know — and we make it easy.

Write tosecurity@deca.examplewith the technical details and reproduction steps. We commit to acknowledging within 48 working hours, to taking no legal action against good-faith research, and to informing you of the resolution. This information is also published in the standard format at/.well-known/security.txt.

Looking for the SLA, the DPA or the subprocessor list? The whole due-diligence pack is published on thetrust & due diligence page.

Security FAQ

Can I verify the hash chain myself?
Yes — that is the whole point. Each document's operation history includes the hash of every link: with any standard SHA-256 tool (or your own code) you can recompute the chain and confirm nothing was altered. You do not need to trust our word, or even our software, to check it.
What happens to roadside inspection if your panel goes down?
The inspection download (the public QR URL) does not depend on the panel or the API: it is served from a globally distributed delivery network, designed for a 99.9% availability objective. It is our most critical component and it is isolated from everything else for exactly that reason. You can check it live on the service status page.
Who can see my data inside the platform?
Every account is isolated by row-level security (RLS) policies enforced by the database engine itself, not just by application code. A programming mistake in a query is not enough to cross tenant boundaries: the database refuses. Support access is exceptional, audited, and never includes your API keys.
Do you keep backups? What if I delete something by mistake?
The database has automatic daily backups and PDFs are stored versioned: every in-route modification creates a new version while preserving the previous ones. Issued documents are also retained for at least 1 year — the legal minimum in Spain — even if your account is closed.

89daysuntil 5 October 2026

Issue documents whose evidence stands on its own

10 free documents when you sign up. Each one carries its hash chain from the very first second.