What does 'audit-grade PDF' mean for compliance?
An audit-grade PDF for compliance is a document that meets four criteria:
1. **Hash-bound content.** The PDF carries a SHA-256 hash of the canonical content (the data that produced the cert) printed in the footer. Re-computing the hash from the source data confirms the PDF hasn't been edited since issue.
2. **Public-verifiable.** A public URL (typically `/verify/<hashPrefix>`) lets any third party re-confirm that the cert exists in the issuer's records and matches the PDF in hand. The verifier surface deliberately doesn't expose party PII; it only confirms the cert's existence, the verdict, and the list-version timestamps.
3. **List-version stamped.** Every screening source named on the cert carries the list-version timestamp at the moment of issue. The sources are OFSI, UN, EU, OpenSanctions, and the FCA Warning List, plus EPC and postcodes.io for the property side. This pins the screening to a specific moment so the audit trail can be re-walked years later.
4. **Retention-compliant.** The cert and the hash record are retained for 7 years per MLR-2017 and 5 years per GDPR's standard retention floor. The Stratum cert hash table and S3 bucket carry 7-year TTLs.
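The hash-binding check in criterion 1, and the hash prefix used in criterion 2, can be sketched as follows. This is an added example, not Stratum's code: the canonical form (sorted-key, compact UTF-8 JSON), the 12-character prefix length, and the record's field names are all assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json

PREFIX_LEN = 12  # assumption: the page does not state the hash-prefix length


def canonical_bytes(cert_data: dict) -> bytes:
    """Assumed canonical form: UTF-8 JSON, sorted keys, no extra whitespace."""
    return json.dumps(cert_data, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_hash(cert_data: dict) -> str:
    """SHA-256 over the canonical content, as lowercase hex."""
    return hashlib.sha256(canonical_bytes(cert_data)).hexdigest()


def check_pdf(cert_data: dict, footer_hash: str) -> dict:
    """Compare the hash printed in the PDF footer with one recomputed from source data."""
    recomputed = content_hash(cert_data)
    footer = footer_hash.strip().lower()
    # Reject anything that is not a full 64-character hex digest before comparing.
    well_formed = len(footer) == 64 and all(c in "0123456789abcdef" for c in footer)
    matches = well_formed and hmac.compare_digest(recomputed, footer)
    path = "/verify/" + recomputed[:PREFIX_LEN] if matches else None
    return {"matches": matches, "recomputed": recomputed, "verify_path": path}


# Constructed sample record (hypothetical field names, not real data).
SAMPLE = {
    "cert_id": "EXAMPLE-0001",
    "verdict": "clear",
    "issued_at": "2026-05-06T10:00:00Z",
    "list_versions": {"OFSI": "2026-05-05T00:00:00Z", "UN": "2026-05-04T00:00:00Z"},
}

if __name__ == "__main__":
    footer = content_hash(SAMPLE)  # stands in for the value printed in the footer
    print(check_pdf(SAMPLE, footer))
    # Changing a single list-version timestamp after issue breaks the binding.
    tampered = json.loads(json.dumps(SAMPLE))
    tampered["list_versions"]["OFSI"] = "2026-05-06T00:00:00Z"
    print(check_pdf(tampered, footer))
```

The check only works if issuer and verifier agree on one canonical serialization; any difference in key order, whitespace, or encoding produces a different hash for identical data.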
Why it matters: when HMRC inspects a regulated firm's records (LSAG-2025 letting agent, MLR-2017 accountant, etc.), the inspector wants to see the screening evidence for a specific transaction from years ago. A PDF screenshot of FCA Connect doesn't meet that bar. A Stratum-issued cert plus the public verifier URL does: the inspector can re-verify the cert with no involvement from the firm.
The Stratum letting-agent-suite, conveyancer-suite, and (forthcoming) accountant-onboarding suite all issue audit-grade PDFs as the canonical output.
Last updated 2026-05-06.