Governance · Audit trail

The receipt your auditor walks away with.

Every decision Ed25519-signed. Every receipt stored on YOUR infrastructure. SIEM-exportable. Auditor-readable. Evidence-ready for EU AI Act Article 26.

The receipt shape

Every /api/protect call writes a signed audit record.

Append-only log. Each record carries an Ed25519 signature over the canonical bytes of its body (every field except signature) and a prev_hash that commits to the previous record, so tampering with history is detectable, not just disallowed.

{
  "record_id": "rec_2026_05_09_00_a3b1f9...",
  "timestamp": "2026-05-09T00:14:32.418Z",
  "agent_id": "agent_b3a9f1...",
  "operator_id": "op_acme_corp",
  "jurisdiction": "EU",
  "action": { // the original /api/protect input },
  "decision": "BLOCK",
  "reason_codes": ["GDPR_ART_6_NO_LAWFUL_BASIS"],
  "layers_evaluated": 12,
  "pack_versions": { // resolved at decision time },
  "prev_hash": "sha256:...",           // chains to previous record
  "signature": "ed25519:..."           // over canonical bytes of body
}

Customer-cloud invariant

This is the differentiator. Rule packs evaluate inside your infrastructure. The decision happens in your VPC, in your jurisdiction, against your data. Only signed receipts return to AiEGIS — never the action payload, never the PII, never the prompt.

This is what closes the GDPR cross-border conversation (Art. 44–49): the data never moved. It's what closes the Article 26 conversation: the audit log lives on your infrastructure, the deployer obligation is satisfiable. Cloud-only competitors can't make this claim.

Retention

You decide how long, where, who can read.

Default deployment writes signed records to your infrastructure with append-only file permissions. Retention is operator-configured. The EU AI Act sets the statutory floor for high-risk systems at six months: Art. 26(6) for deployers and Art. 19 for providers, unless Union or national law requires longer. Sectoral rules and audit periods routinely push operators well past that, so treat six months as the minimum, not the target.

SIEM export over JSONL or syslog. Splunk, Elastic, Wazuh, Sentinel: pick yours. The signature travels with the record, so a downstream verifier holding the operator's public key can re-check authenticity after export. The export has to carry every body field verbatim: truncating or rewriting a field changes the canonical bytes, and the signature check fails.
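The signing, chaining and post-export verification described under the receipt shape above and in the SIEM export paragraph, as an added example in Go. This is illustration code written for this page, not AiEGIS's own implementation, and it fills in details the page leaves unspecified as assumptions: canonical bytes are compact JSON in fixed field order with sorted map keys, signatures are hex-encoded, the first record's prev_hash is 32 zero bytes, and prev_hash covers the previous record including its signature. The record struct omits layers_evaluated and pack_versions. Every identifier, timestamp and payload is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Record mirrors the receipt shape above. json.Marshal writes struct fields in declaration order
// and sorts map keys, so marshalling with Signature cleared is this example's "canonical bytes".
type Record struct {
	RecordID     string         `json:"record_id"`
	Timestamp    string         `json:"timestamp"`
	AgentID      string         `json:"agent_id"`
	OperatorID   string         `json:"operator_id"`
	Jurisdiction string         `json:"jurisdiction"`
	Action       map[string]any `json:"action"`
	Decision     string         `json:"decision"`
	ReasonCodes  []string       `json:"reason_codes"`
	PrevHash     string         `json:"prev_hash"`
	Signature    string         `json:"signature,omitempty"`
}

// GenesisPrev is the prev_hash of the first record (assumed here: 32 zero bytes).
const GenesisPrev = "sha256:0000000000000000000000000000000000000000000000000000000000000000"

// canonicalBody returns the bytes that are signed: the record minus its signature.
func canonicalBody(r Record) []byte {
	r.Signature = ""
	b, _ := json.Marshal(r) // cannot fail for these field types
	return b
}

// recordHash covers the complete signed record; the next record's prev_hash commits to it.
func recordHash(r Record) string {
	full, _ := json.Marshal(r)
	sum := sha256.Sum256(full)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignRecord chains the record to prevHash and signs its canonical body (hex encoding assumed).
func SignRecord(priv ed25519.PrivateKey, r Record, prevHash string) Record {
	r.PrevHash = prevHash
	r.Signature = "ed25519:" + hex.EncodeToString(ed25519.Sign(priv, canonicalBody(r)))
	return r
}

// VerifyChain re-checks an exported JSONL log: every signature must verify under pub and every
// prev_hash must equal the hash of the preceding line. Returns the first bad line index, or -1.
func VerifyChain(pub ed25519.PublicKey, jsonl string) (int, error) {
	prev := GenesisPrev
	for i, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var r Record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return i, fmt.Errorf("line %d: malformed record: %w", i, err)
		}
		if r.PrevHash != prev {
			return i, fmt.Errorf("line %d: prev_hash does not chain to line %d", i, i-1)
		}
		sig, err := hex.DecodeString(strings.TrimPrefix(r.Signature, "ed25519:"))
		if err != nil || !ed25519.Verify(pub, canonicalBody(r), sig) {
			return i, fmt.Errorf("line %d: Ed25519 signature does not verify", i)
		}
		prev = recordHash(r)
	}
	return -1, nil
}

// DemoLog signs a two-record chain under a fresh key and exports it as JSONL. Every
// identifier and payload below is constructed sample data, not output of a real deployment.
func DemoLog() (ed25519.PublicKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	inputs := []Record{
		{RecordID: "rec_0001", Timestamp: "2026-05-09T00:14:32.418Z", Decision: "BLOCK",
			ReasonCodes: []string{"GDPR_ART_6_NO_LAWFUL_BASIS"}, Action: map[string]any{"tool": "crm.export"}},
		{RecordID: "rec_0002", Timestamp: "2026-05-09T00:15:01.002Z", Decision: "ALLOW",
			ReasonCodes: []string{}, Action: map[string]any{"tool": "crm.export", "lawful_basis": "contract"}},
	}
	var out strings.Builder
	prev := GenesisPrev
	for _, r := range inputs {
		r.AgentID, r.OperatorID, r.Jurisdiction = "agent_b3a9f1", "op_acme_corp", "EU"
		signed := SignRecord(priv, r, prev)
		line, _ := json.Marshal(signed)
		out.Write(append(line, '\n')) // one record per line; the signature travels with it
		prev = recordHash(signed)
	}
	return pub, out.String()
}

func main() {
	pub, jsonl := DemoLog()
	fmt.Println(VerifyChain(pub, jsonl)) // -1 <nil>: log intact
	fmt.Println(VerifyChain(pub, strings.Replace(jsonl, `"decision":"BLOCK"`, `"decision":"ALLOW"`, 1)))
}
```

Run it with `go run`; the second line of output reports line 0, because rewriting the BLOCK into an ALLOW on disk changes the canonical body that line 0's signature was computed over. Deleting the first line is caught the same way, through the surviving record's prev_hash no longer chaining to the genesis marker. Two things the chain alone does not catch: truncating records off the tail, and a writer who still holds the signing key and re-signs a rewritten history end to end. Both need the hash of the latest record anchored somewhere the log host cannot rewrite, and the verifier must take the operator's public key from an out-of-band source rather than from a file shipped beside the log.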

Auditor handoff

Walk into the audit with a signed log.

SOC 2 + ISO 27001: the receipt log demonstrates control operation over the audit period. Every agent action is accountable to a real operator under a real policy bundle.

GDPR DPO: records of processing under Art. 30 — agent_id, operator_id, lawful_basis, data classes touched, decision. Per-record + aggregate.

EU AI Act Art. 26: deployer log of high-risk AI usage. Identifiable operator, auditable timeline, signed decisions, retention compliant.

The audit conversation gets shorter when the answer is "here's the signed record."