Documentation
Governance & compliance
Audit logs, signature ledger, SOC 2 controls, DPA, and regulator-ready reports.
Audit log
Every API request, metric resolution, and administrative action is logged with a timestamp, actor, and content hash. The audit log is append-only — entries cannot be modified or deleted.
- Entries include: actor (user ID or system), action type, resource ID, content hash (SHA-256), timestamp (UTC)
- Retention: 7 days on Open tier, 90 days on Pro, 7 years on Enterprise
- Export: JSON or CSV via the admin dashboard
Signature ledger
When a validator certifies or rejects a metric definition, their decision is recorded on the public signature ledger. Every signature includes the validator identity, the metric version hash, and the reasoning.
- Signatures are cryptographically linked to the metric content hash — any change to the definition invalidates the signature
- Rejection reasoning is published verbatim so submitters can revise and resubmit
- The ledger is publicly queryable via the REST API
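A consumer-side check of that hash binding, as an added example that is not the registry's own code: the field names (`metric_version_hash`, `decision`, `validator`), the canonical JSON encoding and the sample data are assumptions constructed for illustration. It checks only which ledger entries cover the exact definition in hand, not the signature itself, whose scheme this page does not specify.

```python
import hashlib
import json


def metric_version_hash(definition: dict) -> str:
    """SHA-256 of the definition under an assumed canonical JSON encoding
    (sorted keys, no insignificant whitespace, UTF-8)."""
    canonical = json.dumps(definition, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def split_by_binding(definition: dict, entries: list) -> tuple:
    """Return (covering, stale): entries whose recorded hash matches this
    exact definition, and entries bound to some other version."""
    current = metric_version_hash(definition)
    covering, stale = [], []
    for entry in entries:
        recorded = str(entry.get("metric_version_hash", "")).strip().lower()
        (covering if recorded == current else stale).append(entry)
    return covering, stale


def certifying_validators(definition: dict, entries: list) -> list:
    """Validators whose 'certified' decision covers this exact definition."""
    covering, _ = split_by_binding(definition, entries)
    return sorted({e.get("validator", "unknown") for e in covering
                   if e.get("decision") == "certified"})


# Constructed sample data (not real registry content).
DEFINITION = {"id": "example-ratio", "formula": "a / b",
              "citation": "Constructed Rule 1"}
LEDGER = [
    {"validator": "validator-a", "decision": "certified",
     "metric_version_hash": metric_version_hash(DEFINITION),
     "reasoning": "Formula matches the cited rule."},
    {"validator": "validator-b", "decision": "rejected",
     "metric_version_hash": "0" * 64,
     "reasoning": "Earlier draft omitted the citation."},
]

if __name__ == "__main__":
    print(certifying_validators(DEFINITION, LEDGER))  # certification covers it
    edited = dict(DEFINITION, formula="a / (b + 1)")
    print(certifying_validators(edited, LEDGER))      # no entry covers the edit
```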
Compliance pack
Enterprise customers can generate compliance documentation for their regulators and auditors. The pack includes metric provenance chains, validator credentials, and API access logs.
- PDF certificates for individual metrics showing full provenance chain
- SOC 2 Type II certification is on our roadmap — current controls documentation available on request
- Data Processing Agreement (DPA) available for Enterprise tier
- No personal data is stored in metric definitions — the registry contains only regulatory formulas, citations, and structural metadata