Audit & compliance

What the audit log covers.

Append-only, HSM-signed, hash-chained, externally verifiable. The system of record for what your agents did, what they touched, and which human they acted for.

What gets logged

Nothing summarized.

  • Every agent action

    The action taken, the agent that took it, the user it ran for, the arguments passed, the result returned, the time it happened. Nothing aggregated, nothing summarized.

  • Every system call

    Outbound RFC, REST, and database calls made by any agent in the runtime. Includes the request payload (hashed for sensitive fields), the response code, and the latency.

  • Every policy decision

    When the guardrail engine allowed or denied an action, the reason it cited, the policy version in effect at the time. Useful when you need to explain why an agent didn't do something.

  • Every approval

    Who approved what, when, from what device, with what justification. Linked back to the original agent action that triggered the approval request.

Tamper evidence

Why you can trust the log.

The log is append-only at the database level. The role that writes log entries can insert and read. It can't update or delete. Changing that grant requires two engineers to approve.

Each row is signed by an HSM at write time and chained to the hash of the previous row. Tampering with a single entry breaks the chain in a way that can be verified from outside the system. The chain is checked continuously by our infrastructure and re-verified quarterly by a third-party auditor whose report is available under NDA.
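The chain-and-verify mechanism described above, as an added illustration rather than code from the product: each row hashes its predecessor's hash together with its own canonical content, and a verifier that knows only the rows can locate the first row where the chain breaks. Assumptions: an HMAC with a constructed key stands in for the HSM signature (a real deployment would verify an asymmetric signature with the HSM's public key), and the entries are constructed samples of the fields the page lists.

```python
import copy
import hashlib
import hmac
import json

# Constructed stand-in for the HSM key; a real deployment signs inside the HSM.
SIGNING_KEY = b"demo-key-not-a-real-hsm"
GENESIS = "0" * 64  # prev_hash of the first row


def canonical(entry: dict) -> bytes:
    """Stable serialization so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, entry: dict) -> list:
    """Append-only write: hash(prev_hash || entry), then sign the row hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    row_hash = hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()
    sig = hmac.new(SIGNING_KEY, row_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({"entry": entry, "prev_hash": prev_hash, "hash": row_hash, "sig": sig})
    return chain


def verify_chain(chain: list):
    """Return the index of the first row that breaks the chain, or None if intact."""
    expected_prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != expected_prev:          # row deleted or reordered
            return i
        recomputed = hashlib.sha256(row["prev_hash"].encode() + canonical(row["entry"])).hexdigest()
        if recomputed != row["hash"]:                  # entry content modified
            return i
        expected_sig = hmac.new(SIGNING_KEY, row["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, row["sig"]):  # hash rewritten without the key
            return i
        expected_prev = row["hash"]
    return None


def build_sample_log() -> list:
    """Constructed sample rows: an agent action, a policy decision, an approval."""
    log = []
    append_entry(log, {"type": "action", "action": "read_order", "agent": "agent-7",
                       "user": "alice", "args": {"order_id": 42}, "result": "ok",
                       "ts": "2024-01-01T00:00:00Z"})
    append_entry(log, {"type": "policy", "decision": "deny", "reason": "approval required",
                       "policy_version": 3, "ts": "2024-01-01T00:00:01Z"})
    append_entry(log, {"type": "approval", "approver": "bob", "device": "laptop-12",
                       "justification": "ticket 1234", "ts": "2024-01-01T00:00:09Z"})
    return log


def tampered_copy(log: list, index: int) -> list:
    """Simulate an attacker editing one entry in place without re-signing."""
    bad = copy.deepcopy(log)
    bad[index]["entry"]["result"] = "altered"
    return bad
```

Deleting a middle row is caught too: the row after the gap carries a `prev_hash` that no longer matches its new predecessor.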

Read more in the security architecture, which includes the database schema and the grant policy.

Standards

What we're audited against.

  • SOC 2 Type II

    Security, Availability, Confidentiality. Renewed annually.

  • ISO/IEC 27001:2022

    Information security management system covering Spaceflow Core and the MCP Gateway.

  • TISAX AL 3

    Automotive industry standard for handling high-protection data.

  • GDPR

    Controller and processor compliance for EU data subjects.

  • KVKK

    Turkish data protection (Kanun No. 6698).

Reports available under NDA through your account contact.