The hash on your sealed documents is a SHA-256 — a one-way fingerprint of the exact bytes. Everything below runs the real algorithm, live in your browser. Type, tamper, and watch it react.
Edit a single character above — even a space — and the entire fingerprint scrambles. That's why a sealed hash proves the bytes are untouched.
Every audit event hashes the previous hash into its own. Edit any event's text to forge the record — and watch the chain break from that point on.
Because each hash folds in the previous one, changing event #2 changes its hash — which breaks #3's prev link, which breaks #4, and so on. You can't rewrite one line of history without rewriting all of it, and the server keeps the original.
When the last party signs, the finished PDF's bytes are hashed into a single sealedHash and stamped on the certificate. Anyone with that hash can confirm the document is authentic — without ever seeing its contents.