What evidence-grade actually means in a sustainability report

The cobbling problem

Most enterprises produce ESG reports the same way today. A small team — typically the CSO's office plus an external consultant — pulls utility bills, exports ERP data into spreadsheets, requests narrative inputs from operations leads, hand-curates PDFs from supplier disclosures, and assembles the final report in Word or PowerPoint over the course of weeks. The result is months stale by the time it ships, expensive to defend in front of an audit committee, and impossible to reproduce: ask for the same report two months later and you get a different document because the underlying spreadsheets have moved on.

This is the cobbling problem. It's how 90% of corporate ESG disclosure is produced today, and it's the reason most ESG reports do not survive contact with a regulator, auditor, or sophisticated investor — because there is no chain of custody from source data to disclosed claim.

Sustainability disclosure has a credibility problem because of this. PDFs can be edited after issuance. There is no cryptographic guarantee that a quarterly disclosure was written when it claims to have been written, with the data it claims to have used, by the entity it claims to come from.

What evidence-grade requires

An evidence-grade report needs three properties at the same time: (1) every disclosed value resolves to a source reading or document, not to a spreadsheet cell with no provenance; (2) the report content is content-hashed so two renders against the same dataset produce bit-identical fingerprints; (3) the report carries a third-party-issued timestamp that anyone can verify independently of the platform vendor.

How EcoVeraZ delivers each property

We bind every value in the report to a dataset_id traceable to the originating ingestion event. We content-hash the full report payload using SHA-256. We anchor the hash via RFC 3161 trusted timestamping (FreeTSA in development; DigiCert or equivalent in production), so the customer's audit committee can run openssl ts -verify and confirm the report existed in its current form on the issuance date - without needing to trust EcoVeraZ at all.

What this enables

Audit committees can demonstrate to regulators that the disclosure they signed off on is exactly what was issued. Customers can re-render any historical report and confirm the same content fingerprint emerges. Regulators investigating after the fact have an externally-anchored timestamp they did not have to trust the platform vendor for. The chain is the product.

What it does not do

Evidence-grade is not the same as certified. Trusted timestamping certifies that the report content existed at the timestamped moment - it does not certify the truth of the underlying measurements. Formal certification, assurance, or validation remains with authorized third parties. EcoVeraZ provides readiness intelligence and evidence traceability; the assurance opinion is a separate engagement with a qualified firm.