When a regulator requests evidence of a public-facing webpage at a specific point in time, they expect three things: the archive itself, proof that it existed at that time, and a chain of custody that they can independently verify. PageCrawl produces all three by default on Ultimate plans.
This guide explains how to assemble and hand off a complete evidence bundle.
What's in a PageCrawl evidence bundle
For each tracked change, PageCrawl retains:
- The WACZ archive (archive.wacz), a self-contained, replayable archive of the captured page including HTML, screenshots, and linked documents.
- An embedded WACZ Auth signature inside the WACZ.
- Sidecar proof files from independent providers: archive.wacz.ots (OpenTimestamps), archive.wacz.digicert.tsr (DigiCert AATL), archive.wacz.sectigo.tsr (Sectigo AATL), and on Custom plans, archive.wacz.qtsa.tsr (eIDAS qualified).
- The raw underlying WARC (capture.warc) for ingestion into other archival systems.
- A manifest hash and per-resource SHA-256 hashes inside the WACZ datapackage.
- An access audit log recording every download, view, verify, and export of the archive.
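A recipient can recompute the manifest hash and the per-resource SHA-256 hashes without any PageCrawl tooling. The following is an added example, not PageCrawl's own code; it assumes the archive follows the public WACZ layout (datapackage.json with a resources list of path/hash entries in the form sha256:<hex>, and datapackage-digest.json holding the hash of datapackage.json), and the sample archive is constructed in memory.

```python
import hashlib
import io
import json
import zipfile

META = {"datapackage.json", "datapackage-digest.json"}

def tag(data: bytes) -> str:
    """Hash string in the WACZ form 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verify_wacz(wacz) -> dict:
    """Recompute every hash; map path -> ok | mismatch | missing | unlisted."""
    out = {}
    with zipfile.ZipFile(wacz) as zf:
        names = {n for n in zf.namelist() if not n.endswith("/")}
        manifest = zf.read("datapackage.json")
        # Manifest hash: datapackage-digest.json pins datapackage.json itself.
        digest = json.loads(zf.read("datapackage-digest.json"))
        out["datapackage.json"] = "ok" if digest.get("hash") == tag(manifest) else "mismatch"
        listed = set()
        for res in json.loads(manifest)["resources"]:
            path = res["path"]
            listed.add(path)
            if path not in names:
                out[path] = "missing"
            else:
                out[path] = "ok" if tag(zf.read(path)) == res["hash"] else "mismatch"
        # Members present in the zip but not in the manifest are unattested.
        for extra in names - listed - META:
            out[extra] = "unlisted"
    return out

def build_sample(tamper: bool = False) -> io.BytesIO:
    """Constructed sample archive for the demo (not real PageCrawl output)."""
    files = {"archive/data.warc": b"WARC/1.1 constructed record",
             "pages/pages.jsonl": b'{"url": "https://example.com/"}\n'}
    resources = [{"path": p, "hash": tag(d), "bytes": len(d)} for p, d in files.items()]
    manifest = json.dumps({"profile": "data-package", "resources": resources}).encode()
    if tamper:  # alter content after the manifest was written, add a stray file
        files["archive/data.warc"] += b" edited"
        files["extra.html"] = b"<p>not in manifest</p>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p, d in files.items():
            zf.writestr(p, d)
        zf.writestr("datapackage.json", manifest)
        digest = {"path": "datapackage.json", "hash": tag(manifest)}
        zf.writestr("datapackage-digest.json", json.dumps(digest))
    return buf
```

Passing these checks shows only that the archive is internally consistent. The sidecar timestamp proofs over archive.wacz are what tie that content to a point in time.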
Building an evidence bundle
From the PageCrawl dashboard, on any tracked change:
- Select the checks to include in the bundle.
- Click "Export evidence bundle".
- PageCrawl produces a single zip containing each WACZ, every available sidecar proof, a manifest.json with per-archive integrity fingerprints, and a README.txt with verification instructions.
The bundle is portable. Hand it to the regulator on a USB stick, attach it to a regulatory submission, or share it via the customer's own secure file transfer.
The public verification page
For regulators who prefer to inspect each archive interactively, generate a public verification link from any tracked archive. The link is a signed URL that grants read-only access to a verification page. The recipient does not need a PageCrawl account.
The verification page shows:
- The source URL and capture timestamp.
- The manifest hash.
- Every cryptographic attestation present (embedded signature plus each sidecar provider).
- Download buttons for each raw proof file with verification command hints (e.g. ots verify ..., openssl ts -reply -in ...).
Anonymous access is logged in the firm's archive access log so chain of custody is preserved.
Sector-specific guidance
SEC examinations (broker-dealers, 17a-4)
Pair the evidence bundle with the firm's recordkeeping policy and the designated executive officer's attestation. The 2022 amendments to 17a-4(f) explicitly contemplate audit-trail-based tamper evidence as an alternative to WORM storage. PageCrawl's manifest hashes plus multiple independent timestamp providers satisfy the structural tamper-evidence requirement.
For relevant FRE 902(13) / 902(14) framing in a parallel litigation context, see our verification guide.
FDA 21 CFR Part 11 inspections (life sciences)
The validation summary your regulated firm maintains for the PageCrawl system should reference: the URS describing what records the system retains, the audit-trail mechanism (manifest hashes plus timestamp proofs), the retention period, and the retrieval procedure. The bundle gives the inspector everything they need to validate the claim that the firm has accurate copies and an audit trail per 11.10.
HIPAA OCR investigations (healthcare)
OCR investigators typically request the version of a Notice of Privacy Practices, breach notice page, or business-associate sub-processor list as it existed on a specific date. The public verification link is the single easiest artefact to share: the investigator clicks through, sees the manifest hash, and verifies the timestamp without needing access to internal systems.
EU DPA inspections (GDPR, DORA)
For data protection authority inspections under GDPR or DORA, the eIDAS-qualified-timestamp layer (Custom plan) provides the Article 41(2) statutory legal presumption of accuracy. Even without it, the OpenTimestamps Bitcoin anchor plus DigiCert and Sectigo AATL timestamps give the supervisory authority sufficient evidence of the archive's existence at the recorded time.
Why multi-provider matters
Single-provider proofs are vulnerable to the provider's lifecycle: a TSA can revoke a key, sunset a service, or be compromised. Layering attestations across an open blockchain (OpenTimestamps), AATL providers (DigiCert, Sectigo), and optionally an eIDAS QTSP gives the firm independent backups. If any one layer becomes unverifiable in the future, the others still attest. This redundancy is itself a defensive credential.
