Audit Trail

Immutable Audit Trail
SHA-256 Hash Chain

Every agent action is logged with a cryptographic hash chain. 15 action types tracked. Tamper-proof. Auditor-ready. No compliance action goes unrecorded.

Deploy Full Compliance → $299/mo

How the Hash Chain Works

Agent performs action

Any compliance action — scan, policy generation, training assignment, BAA signing — triggers a log entry.

Entry is hashed

The action data (timestamp, type, details, actor) is combined with the previous entry's hash and run through SHA-256.

Chain is extended

The new hash links to the previous entry, creating a tamper-evident chain. Modifying any entry invalidates all subsequent hashes.

Auditors verify integrity

Any auditor can verify the chain by recomputing hashes from the first entry. If every hash matches, the record is proven unaltered.

15 Tracked Action Types

Every compliance-relevant action the agent takes is categorized and logged.

SCAN_COMPLETEDCompliance scan finished with grade and findings count

FINDING_IDENTIFIEDNew compliance gap or vulnerability discovered during scan

REPORT_DELIVEREDRisk posture report generated and emailed to practice

POLICY_GENERATEDHIPAA policy document created and customized for practice

POLICY_SIGNEDPolicy attestation completed via magic-link signature

SRA_INITIATEDSecurity Risk Assessment questionnaire started

SRA_COMPLETEDFull SRA documentation generated with risk ratings

TRAINING_ASSIGNEDTraining module sent to staff member via email

TRAINING_COMPLETEDStaff member passed module quiz and certificate issued

BAA_GENERATEDBusiness Associate Agreement template created for vendor

BAA_SIGNEDVendor signed BAA via magic link

BAA_EXPIREDBAA reached expiration date without renewal

EVIDENCE_COMPILEDAudit-ready evidence package assembled on demand

GRADE_CHANGEDHIPAA Agent Compliance Score™ changed from previous value

REMEDIATION_VERIFIEDPreviously identified finding confirmed as resolved

Sample Audit Ledger

TimestampActionDetailHash

2026-02-28 09:14:22 UTCSCAN_COMPLETEDGrade: B+ | 12 findings | scan_id: sc_7f3a9ba3f8c1...d92e

2026-02-28 09:14:23 UTCFINDING_IDENTIFIEDSPF record missing — email_auth_spfb7e2d4...1a3f

2026-02-28 09:14:23 UTCFINDING_IDENTIFIEDDMARC not enforced — email_auth_dmarcc1f9a8...e4b2

2026-02-28 09:15:01 UTCREPORT_DELIVEREDPDF emailed to admin@practice.comd4a3b7...f8c1

2026-02-28 10:30:00 UTCGRADE_CHANGEDB+ → A- | 2 findings remediatede8b1c3...a7d9

Every Action. Logged. Verified.

The agent maintains a tamper-proof record of every compliance action. When auditors ask for proof, the hash chain speaks for itself. Included in the HIPAA Compliance plan.