Every Captilo capture runs through nine independent, cryptographically-linked steps before the file is ever exported. Each step exists to answer a specific question a claims adjuster, auditor, or opposing counsel will ask: who captured this, when, and has it been altered since.
Face ID or fingerprint via the device’s Secure Enclave gates the camera before capture. A one-way SHA-256 commitment (binding an anonymous user ID, a single-use nonce, and the photo hash) is generated locally afterward as proof authentication occurred. Biometric data never leaves the device’s secure hardware.
Binds a specific authenticated person to a specific capture, without transmitting any biometric data.
SHA-256 hash of the raw photo bytes, plus a separate SHA-256 hash of canonicalized metadata (RFC 8785) — the split V2 hashing scheme.
Any change to a single pixel or metadata field produces a completely different hash — independently recomputable by anyone.
A secp256k1 signature is generated over the exact signed payload, tied to a device-held private key.
Proves the proof was produced by the holder of a specific key — it cannot be plausibly denied after the fact.
A device-bound, single-use nonce with a 60-second TTL is issued before capture and consumed on submission.
Prevents a previously-generated proof from being resubmitted or reused to backdate a new capture.
Both hashes are submitted to the Sonic blockchain (EVM-compatible, sub-1-second finality) via the CaptiloProofRegistryV2 / CaptiloUnifiedRegistry contracts.
Creates a permanent, third-party-verifiable record that cannot be altered or deleted after the fact by Captilo or anyone else.
An RFC 3161 timestamp from a certified Greek APED Trust Service Provider, submitted in parallel with the blockchain transaction.
Qualified timestamps carry legal weight under the EU eIDAS regulation. (In rare cases the TSA response is delayed or empty — the blockchain anchor still provides an independent timestamp in that event.)
A battery of on-device checks runs before submission — swap/substitution detection, screen and print detection, geolocation-integrity checks, and device and emulator attestation. See the attack-by-attack breakdown below.
Produces a confidence score attached to the proof. Like any automated screening, it reduces risk but is not a guarantee — see the note below.
If a device is offline at capture time, the proof is time-stamped from the device clock only, with no nonce-based replay protection until it later syncs.
Offline proofs are explicitly flagged as reduced-trust in the proof record itself — nothing is hidden from a reviewer.
Anyone can re-upload a certificate or photo to the public verifier and have its hashes recomputed and checked against the blockchain record.
No Captilo account, no proprietary software — the proof stands on public cryptography and a public ledger.
Upload any Captilo certificate and watch each of these checks run in real time.
Not every signal blocks a submission — and it shouldn't. A system that hard-rejects every imperfect signal generates false rejections in the field. Below, each defense is labeled for what it actually does: reject outright, or lower the trust score.
Scenario: Swapping in a gallery photo, intercepting the file before it’s hashed, or routing a virtual/injected image into the pipeline.
Capture-timing failure or an EXIF device mismatch rejects the capture outright. Every other signal above lowers the trust score instead.
Scenario: Photographing a screen or a printed image to produce a fake "authentic" capture.
A high-confidence moiré detection blocks submission outright — the one screen-specific hard stop in the system. The other two checks feed the combined score.
Scenario: Using a fake-GPS / mock-location app to misrepresent where a photo was taken.
Not blocked. A flagged location sharply discounts the location component of the trust score. Android-only: iOS does not expose an equivalent signal to any third-party app, so there is no spoof flag on iOS captures today.
Scenario: Running Captilo on a modified OS, or using tooling to inject a fabricated image into a compromised device.
A root/jailbreak signal alone never blocks capture — many legitimate users run modified devices. The real defense is live, per-capture hardware attestation, which a compromised device cannot fabricate.
Scenario: Running the app in a simulator, or routing a virtual/fake camera source into the capture pipeline.
Blocked outright only when a virtual camera is the sole camera present on Android with no genuine built-in camera to fall back on — a narrow condition chosen to avoid rejecting legitimate accessory cameras.
Every proof is scored on a weighted 0–100 scale, shown in the app itself rather than reduced to a pass/fail flag. Offline captures take a flat deduction. Scores fall into four bands: High, Medium, Low, and Minimal.
Honest ceiling: under normal operation today, the achievable band is Medium. The High band is reserved for a depth-sensing (LiDAR) capture mode that has not yet shipped. We'd rather state the real ceiling than round up.
See the full Disclaimer and Privacy Policy & Terms for the binding legal language.
Captilo produces cryptographic integrity, timestamping, and provenance evidence that supports a chain-of-custody argument and can be submitted to a court, insurer, or auditor — not a guarantee that any specific body will admit it. Admissibility is ultimately a legal determination made by the deciding body under the rules that govern that proceeding, not something any technology vendor can promise.
What Captilo can do is make the underlying technical record as strong and as independently verifiable as possible — so that when your counsel lays the evidentiary foundation, they have real cryptography, a real blockchain record, and a real qualified timestamp to point to, not just a claim.
Talk to us about standards compliance and integration details for your procurement or compliance review.