Security & trust
Built to be trusted by people whose job is not to trust easily.
Plain language. No security theatre. Here is exactly what we do and why.
How tamper-evidence works
Every sealed record stores the exact bytes that were captured and a SHA-256 hash of those bytes, chained to the previous record. Verification recomputes the chain from the stored bytes — so a record can’t be quietly re-worded and re-sealed. If anything changed after capture, verification shows exactly where.
record 41 hash 9f2c…ab10 prev e7d1…4c88 ✓ sealed record 42 hash 3b88…01ff prev 9f2c…ab10 ✓ sealed
The algorithm is published openly at packages/crypto/spec/v1.md. The client-side verifier at audittrail.ca/verify runs entirely in your browser — it does not send data to our servers.
Independent verification
Any third party — examiner, client, custodian — can verify an exported packet in their own browser, with no AuditTrail account.
The algorithm is standard SHA-256 with a published canonical serialization spec. Any developer can implement a verifier in the language of their choice. We encourage it.
You own your data
Your records are encrypted at rest. You control retention. Your conversations are never used to train AI models — not ours, not anyone’s.
You can export everything at any time in an open format (JSON + PDF). You can delete your account and all associated records. No vendor lock-in.
Infrastructure
AuditTrail runs on Vercel (edge, Canada/US) and Render (us-east-1). The database is Postgres with TLS in transit and AES-256 encryption at rest. Authentication is handled by Clerk — we do not store or handle passwords directly.
We do not use third-party analytics, tracking pixels, or ad networks on any AuditTrail page. No cookies beyond session and auth.
Honest scope
AuditTrail records how you used AI and proves the record wasn’t altered. It does not certify compliance, give legal advice, or judge whether your use was appropriate. It gives you the evidence; the judgment stays with you and your regulator.
Want to see the verification in action?
Try the public verifier → or read the full algorithm explanation →
