Immutable Ledger

The audit, evidence, and compliance surface backed by the distributed, tamper-evident ledger.

The Immutable Ledger product is the query and export surface on top of the tamper-evident ledger described in Core Concepts → Immutable Ledger. It is where administrators, compliance officers, and incident responders actually work with the audit record.

What you can do

Query across the ledger by any combination of data object, principal, policy, time window, outcome, and classification.

Export a signed evidence pack for a specific scope — a single object, a specific principal, a tenant-wide compliance window. The pack includes every relevant ledger record, the policy versions that applied, and a cryptographic proof that the pack has not been modified since export.

Subscribe to event streams. A tenant can wire ledger events into its SIEM, its security operations center, or its own audit database. The outbound stream is tenant-scoped and carries only the events authorized for the subscribing destination.

Monitor for signal. Standard dashboards surface unusual patterns — denials on specific classifications, repeated failed attempts from specific principals, classification changes that warrant review.
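As an added illustration of the query and evidence-pack operations above (example code, not the product's own), a minimal Python model: a hash-chained ledger, a scope filter over its records, an export that bundles the matching records with the policy versions they cite and a proof over the pack, and a verifier that rejects any post-export modification. The record layout, the event field names (cid, principal, policy, outcome) and the use of an HMAC in place of the product's signature are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the product's export signing key (assumption: real packs are signed, not MACed).
EXPORT_KEY = b"demo-export-key"

def _record_hash(rec):
    fields = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def append(ledger, event):
    """Append a record whose hash covers the previous hash, so editing an earlier record breaks the chain."""
    rec = {"seq": len(ledger), "prev": ledger[-1]["hash"] if ledger else "0" * 64, "event": event}
    rec["hash"] = _record_hash(rec)
    ledger.append(rec)
    return rec

def verify_chain(ledger):
    """Recompute every hash and every back-link over the whole ledger."""
    prev = "0" * 64
    for rec in ledger:
        if rec["prev"] != prev or rec["hash"] != _record_hash(rec):
            return False
        prev = rec["hash"]
    return True

def query(ledger, **scope):
    """Filter by any combination of event fields (cid, principal, policy, outcome, ...)."""
    return [r for r in ledger if all(r["event"].get(k) == v for k, v in scope.items())]

def export_pack(ledger, **scope):
    """Evidence pack: in-scope records, the policy versions they cite, the ledger head, and a proof over it all."""
    records = query(ledger, **scope)
    body = {"scope": scope, "records": records, "ledger_head": ledger[-1]["hash"] if ledger else None,
            "policy_versions": sorted({r["event"]["policy"] for r in records})}
    return {"body": body, "proof": hmac.new(EXPORT_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()}

def verify_pack(pack):
    """False if the pack body changed since export or an included record no longer matches its own hash."""
    expected = hmac.new(EXPORT_KEY, json.dumps(pack["body"], sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, pack["proof"]):
        return False
    return all(r["hash"] == _record_hash(r) for r in pack["body"]["records"])

# Constructed sample events (not real data).
LEDGER = []
for cid, who, policy, outcome in [("cid-1", "alice@tenant-a", "phi-access-v3", "allow"),
        ("cid-2", "bob@partner-b", "cui-share-v1", "deny"), ("cid-1", "bob@partner-b", "phi-access-v3", "deny")]:
    append(LEDGER, {"cid": cid, "principal": who, "policy": policy, "outcome": outcome})
```

Note that the proof covers the pack body as a whole, so a scope, record or policy list altered after export fails verification even though each record's own hash may still be intact.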

Typical uses

Regulatory evidence. For a HIPAA audit, an administrator can export a signed evidence pack for a specific date range showing every access to PHI, with the policy that governed each access and the outcome. For a CMMC assessment, an analogous export covers CUI handling. The pack is a single artifact suitable for direct submission.

Incident investigation. When an incident affects a specific set of records, the ledger is the authoritative source for "who accessed these, when, and under what authority." The query is scoped to the affected CIDs and the relevant time window.

Vendor or coalition accountability. When data was shared with a third party or coalition partner, the ledger shows every access the third party made, including access attempts that were denied. The third party receives only the portion of the ledger they participated in; they cannot see unrelated activity.

Legal hold. When a set of records enters legal hold, the ledger freezes their access history and applies a retention lock. The records remain queryable but cannot be purged until the hold is lifted — with the lift itself recorded as a ledger event.

What the ledger can answer

  • Who accessed object X between date A and date B?
  • Under what policy version?
  • What was the decision rationale for denied access attempts on object X?
  • What was the sequence of classification changes to object X?
  • Has object X ever been accessed by a principal outside our organization?
  • Which principals have accessed any Restricted-class object in the last 30 days?
  • Was access to object X denied or simply never requested?

These are the questions regulatory and operational workflows actually ask.

What it cannot answer

The ledger is an access and decision record. It cannot answer questions about:

  • What did the data contain? — the payload is not in the ledger.
  • What did a principal do with the unwrapped data after decryption? — actions inside the consuming application are outside the ledger's scope unless that application emits its own events.
  • What was the full content of a policy at a point in time? — the ledger references the policy version; the version itself is held in the policy repository.

When the question requires data outside the ledger's scope, the answer comes from the cooperating system (the application, the policy engine), cross-referenced through the ledger's identifiers.

Retention and jurisdiction

Retention periods are configurable per tenant, with tighter limits for specific classifications. For regulated industries, retention is often measured in years. For specific data that must be purged under data-protection laws, the tenant can configure an earlier purge of the ledger entries themselves — with the purge event anchored to the remaining record.

Purge is the only operation that reduces ledger state; every other operation appends.

Relationship to concepts