Data Integrity & Audit Readiness
سلامة البيانات وجاهزية التدقيق
Last updated: 13 July 2026 · For business owners, accountants and auditors
Every number in Rakam can be traced to its source document, every change to it is recorded
permanently, and the record itself is cryptographically verifiable. This page explains, in
plain language, why the figures Rakam produces can be trusted — by the owner, by the
accountant, and by an external auditor.
1. Every change is recorded — automatically, at the database level
Each create, edit and delete on the ledger is captured by a database trigger, not by
application code. It fires no matter where the change comes from — the dashboard, the
WhatsApp bot, or a direct API call — recording who made the change, when, and the exact
before/after value of every field. There is no code path that touches the books without
leaving a record.
2. The audit log is append-only and tamper-evident
- Append-only: the log rejects all edits and deletions at the database level — including from the application's own service credentials. History can only grow.
- Hash-chained: every entry stores a SHA-256 hash of its own content combined with the previous entry's hash. Altering or removing any historical entry — even with direct database access — breaks every hash after it.
- Verifiable on demand: the "Verify Integrity" check in the app recomputes the entire chain server-side and reports either a clean pass or the exact entry where the chain broke. An auditor can run it at any time.
3. Nothing is ever truly deleted
Real deletion of ledger records is blocked at the database level. "Deleting" a transaction
or Z-Report only removes it from active view — the record stays inspectable and restorable
in the audit trail, satisfying the UAE Federal Tax Authority's 5-year record retention
requirement by construction, not by policy.
4. Every entry traces back to its source document
When a receipt or invoice arrives via WhatsApp, Rakam stores the original image in private,
access-controlled storage and links it to the ledger entry it produced. Users cannot upload,
replace or delete these stored documents — only the intake system writes them. An auditor can
open any ledger line and see the actual paper it came from.
5. AI extracts — code calculates — people approve
The AI reads documents and extracts raw figures only. All arithmetic — VAT math,
reconciliation, variance checks — is done deterministically in code, and entries land as
pending for the owner or accountant to review, correct and approve. Every correction
is itself captured in the audit trail, so the reviewer's judgement is part of the permanent
record, not a way around it.
6. Access is enforced by the database, not the interface
- Row-level security scopes every read and write to the user's own company.
- Invited staff and accountants see nothing until the company owner approves them.
- Accountants access client companies through an explicit, owner-granted link that can be revoked.
What this means in an audit: for any figure in a VAT return or P&L, Rakam can
produce (a) the source document image, (b) the extraction and every subsequent correction
with who/when/what, and (c) a cryptographic proof that this history was not altered after
the fact.