AuditTrail

Security & trust

Built to be trusted by people whose job is not to trust easily.

Plain language. No security theatre. Here is exactly what we do and why.

How tamper-evidence works

Every sealed record stores the exact bytes that were captured and a SHA-256 hash of those bytes, chained to the previous record. Verification recomputes the chain from the stored bytes — so a record can’t be quietly re-worded and re-sealed. If anything changed after capture, verification shows exactly where.

record 41  hash 9f2c…ab10   prev e7d1…4c88   ✓ sealed
record 42  hash 3b88…01ff   prev 9f2c…ab10   ✓ sealed

The algorithm is published openly at packages/crypto/spec/v1.md. The client-side verifier at audittrail.ca/verify runs entirely in your browser — it does not send data to our servers.

Independent verification

Any third party — examiner, client, custodian — can verify an exported packet in their own browser, with no AuditTrail account.

The algorithm is standard SHA-256 with a published canonical serialization spec. Any developer can implement a verifier in the language of their choice. We encourage it.

You own your data

Your records are encrypted at rest. You control retention. Your conversations are never used to train AI models — not ours, not anyone’s.

You can export everything at any time in an open format (JSON + PDF). You can delete your account and all associated records. No vendor lock-in.

Infrastructure

AuditTrail runs on Vercel (edge, Canada/US) and Render (us-east-1). The database is Postgres with TLS in transit and AES-256 encryption at rest. Authentication is handled by Clerk — we do not store or handle passwords directly.

We do not use third-party analytics, tracking pixels, or ad networks on any AuditTrail page. No cookies beyond session and auth.

Honest scope

AuditTrail records how you used AI and proves the record wasn’t altered. It does not certify compliance, give legal advice, or judge whether your use was appropriate. It gives you the evidence; the judgment stays with you and your regulator.

Want to see the verification in action?

Try the public verifier → or read the full algorithm explanation →