How Policy Versioning Works

Policy Identifiers

Each policy in BaseState is uniquely identified by three components:

• Policy ID: A unique UUID that identifies this specific policy record.
• Version: A human-readable version string (e.g., "v1.0", "2026-01", "Rev A").
• Document Hash: A SHA-256 hash of the exact policy content at the time of creation.

Why Document Hash Matters

The document hash proves the exact content of the policy that was acknowledged:

1. When a policy is created, BaseState computes a SHA-256 hash of the entire policy text (or URL).
2. This hash is stored with the policy and included on all certificates.
3. If even a single character changes, the hash would be completely different.
4. This proves to auditors exactly which version of the policy the employee acknowledged.

Policy Immutability

Once a policy is created, its content is immutable. This is by design:

• The hash would change if content changed, invalidating existing acknowledgments.
• To update a policy, create a new version with a new version string.
• Old versions remain in the system for audit purposes but can be deactivated.
• Employees who acknowledged an old version will have that specific version on their certificate.

Effective Date

The effective date indicates when this policy version became (or will become) the official company policy. This is separate from:

• Created Date: When the policy was added to BaseState.
• Acknowledgment Date: When an employee acknowledged the policy.

Attestation Text Version

The attestation text (the checkbox statement employees agree to) is also versioned. This ensures:

• We can track exactly what legal language the employee agreed to.
• If attestation language is updated, old acknowledgments remain valid with their original language.