Written for the person who has to trust the report: an auditor, a security reviewer, a compliance lead. No cryptography background required.
The usual answer to "how do you monitor your vendors?" is a screenshot, a spreadsheet, or a promise. All three share a flaw: they can be edited after the fact, and nothing about them proves when the checking actually happened or whether any of it was skipped.
Dormouse is built so that the record it keeps is hard to alter without the alteration being obvious, and so that an independent party can confirm the record for themselves. Three mechanisms do the work. None of them require you to take our word for anything.
When dormouse fetches a page, it computes a SHA-256 hash of the exact bytes and stores the page under that hash. The hash is a fingerprint: change a single character of the stored page and its fingerprint no longer matches, which is immediately detectable.
This means the report can say "on July 13 this vendor's subprocessor page said X," and the stored copy can be re-hashed by anyone to confirm it has not been quietly edited since.
Each check dormouse runs, whether it found a change, found nothing, or failed, is written to an append-only log. Each entry carries a hash computed from its own contents plus the hash of the previous entry. The entries form a chain, the way each link depends on the last.
The consequence is the important part: altering or deleting any past entry changes every hash after it. You cannot quietly remove the check that would have shown a gap, or backdate one that never happened, without breaking the chain from that point forward. The break is detectable by recomputing the chain.
The report ships with the result of an integrity sweep run at the moment it was generated: every snapshot re-hashed against its fingerprint, every recorded observation confirmed to reference a real snapshot, and the entire chain recomputed from its first entry to its head.
The chain head printed on every report is the hash of the newest link. Recomputing the chain from the beginning must reproduce that exact value. If it does, the history is intact. If a single entry was altered, inserted, or removed, it will not, and the sweep names the broken entry.
Because the verification tooling ships with the engine, and the engine is source-available under the Business Source License, a technical reviewer can audit the verification code itself. You do not have to trust that our math is right. You can read it.
Dormouse produces compliance-grade evidence that you monitored the sources you said you would, on the cadence you promised, and that the record has not been tampered with. That is what auditors ask for under vendor-management controls, and that is what the report proves.
Dormouse does not claim to discharge a specific legal obligation for you, decide whether a given change requires action, or replace your own review. It gives you a trustworthy record and an early, classified signal. The judgment stays yours; the proof that you had the information is ours to keep honest.