Communication

Messaging & Audit Trail

Every conversation between venues, artists, agents, and crew lives in one place — with a tamper-evident audit log that protects everyone when disputes arise.

Why This Exists

Most show conversations happen across five different channels: email, text, WhatsApp, Slack, Instagram DM. When something goes wrong — a guarantee dispute, a no-show, a damaged green room — the people who need to resolve it have to piece together months of fragmented messages to figure out what was actually agreed to. Sometimes screenshots are doctored. Sometimes messages are deleted. Sometimes one side has receipts, the other doesn't.

We built a single threaded messaging system that lives next to the show itself. Every message, every edit, every contract signing, every status change is recorded in an immutable audit log. If a dispute happens, both parties have access to the same verified history.

Threads

A thread is a conversation. Three types:

Type
Created When
Participants
Event thread
A show is booked
Auto: venue staff + artist + tour manager + agent · expandable
Direct thread
You start a DM with another org
Whoever you invite
Support thread
You open a ticket with the platform
You + BandPass support

Event Threads Come with Context

Event threads automatically pull in the show details, ticket sales pace, payout configuration, and contract status. Conversation happens with the show context always visible.

The Audit Log

Every action in a thread creates an immutable audit entry:

  • Messages sent, edited, or deleted
  • Participants joining or leaving
  • Contract signings (each carries the terms hash the signature binds)
  • Thread freezes (legal holds) and archives
  • Exports generated

Tamper-Evidence

Each audit entry stores the SHA-256 hash of the previous entry, forming a hash chain. If anyone modifies a past entry, the chain breaks and any subsequent verification fails. Every export comes with a chain root hash that can be independently verified against the live audit log.

audit entry shape
{
  "id": 14,
  "thread_id": "th_wild_rivers_06_06",
  "actor_user_id": "u_zach",
  "actor_name": "Zach Mendelsohn",
  "action": "contract_signed",
  "details": {
    "memo_id": "dm_wild_rivers_offer",
    "terms_hash": "0xa83f...2b91",
    "signature_hash": "0x51c0...77de",
    "party_role": "venue_admin",
    "org_type": "venue"
  },
  "ip_hash": "0x3f4d...",          // SHA-256 of IP, never raw
  "user_agent": "desktop/Mac",
  "occurred_at": "2026-04-12T19:47:00Z",
  "prev_entry_hash": "0x9bf2...",
  "entry_hash": "0xfae3..."
}

If a dispute is filed — or a venue/artist requests a freeze for any reason — the thread can be frozen. When frozen:

  • No new messages can be added
  • No existing messages can be edited or deleted
  • The full message history and audit log remain accessible to all original participants
  • Any participant can still request a sealed export of the record

What Freezing Doesn't Do

Freezing a thread is not a legal claim. It just preserves a snapshot of the record. Any actual dispute, mediation, or legal action happens externally (or through our optional dispute resolution service). The frozen thread is just evidence — it cannot be used to compel a payout or refund on its own.

Exports for Legal Use

Any participant can request a sealed export of an entire thread, delivered as a downloadable snapshot. The export includes:

  • The full message history with edit metadata
  • The complete hash-chained audit log, where every edit, deletion, freeze, and export is a linked entry
  • The participant list
  • The verified chain root hash, recomputed at export time and recorded in BandPass's append-only platform event log, held outside the messaging tables

An export only seals if the thread's hash chain verifies end to end. The sealed root is also copied into a separate append-only platform log outside the messaging tables, so a rewritten thread can't be made to match a previously sealed fingerprint. That recomputable fingerprint is what a dispute relies on to show the record wasn't altered after the fact.

Privacy

Other parties' messages are visible only to other thread participants and (for compliance reasons) BandPass administrators with audit-access role. We do not train AI models on message content. We do not share message content with third parties except in response to a valid legal subpoena, and we will notify you of any such request unless legally prohibited.

IP addresses are hashed before storage — we never log raw IPs. User-agent strings are coarsened to desktop/Mac, mobile/iOS, etc.