Volidator Logo
SOC2 · HIPAA · ISO-27001 · Compliance-Ready by Design

Verifiable audit trail
infrastructure.

A cryptographically verifiable, privacy-preserving audit trail engineered for edge functions, micro-services, and autonomous AI agents. Write from any system, read client-side, without trusting the server.

Start building free
<5msp99 ingestion
ZK-Proofstorage model
1-lineSDK integration
SOC2+HIPAAcompliance-ready
7-Dayauditor rooms

The Build vs Buy Math

The compliance cost of homegrown audit logs.

Building a compliant log engine takes months of database planning, KMS setup, and frontend design. Maintaining it is an everlasting task. Failing an audit takes seconds.

01 // Ingestion Latency & DB Bloat
The Pain

Writing millions of high-frequency audit events directly to your core PostgreSQL/MySQL database chokes application API performance and triggers disk limit alarms.

The Solution

Ingest events asynchronously via Cloudflare edge isolates in sub-5ms. Volidator stores the hot data in a light, optimized D1 ledger and archives historical records to R2, keeping your core database completely unaffected.

02 // Plaintext PII Leak Liability
The Pain

Storing raw user emails, customer names, system prompts, or IP addresses in cleartext database logs makes your logging infrastructure an instant liability for SOC 2, GDPR, and HIPAA.

The Solution

Volidator SDK executes zero-knowledge encryption (AES-256-GCM) and blind hashing locally on your server before dispatch. Volidator's network and databases only hold ciphertext; raw PII never leaks.

03 // Bespoke Auditor Frontend Views
The Pain

Frontend teams spend weeks coding paginated tables, search bars, filters, export systems, and secure read-only portals for external CPAs and B2B customers.

The Solution

Generate scoped, cryptographically signed Embed Tokens in one backend call. Mount the complete, pre-built, interactive audit log table in an iframe. Client-side browser decryption keeps it zero-trust.

Live Audit Trail

See every action.
Miss nothing.

Every login, data export, role change, and deletion, captured automatically. Filter by user, action type, or date. Flag anomalous events for compliance review.

Filter by user, action, or date range
Flag and alert on suspicious events
Export to CSV, JSON, or stream to SIEM
Real-time SIEM forwarding to Datadog & Splunk
Auto-sync compliance evidence to Vanta & Drata
Audit Trail: Live
Streaming
Timestamp
Actor (Subject)
Action Event
Encrypted at rest · Breach-proof by architectureOpen dashboard →

How the Privacy Guarantee Works

Breach-proof by architecture,
not by policy.

This is client-side encryption with server-blind storage, not a marketing claim. Your encryption key never reaches our servers. A full database breach exposes only ciphertext. There is nothing readable to steal.

01Client-Side

Your SDK encrypts

AES-256-GCM encryption runs on your server. HMAC-SHA-256 blind indexes are computed for actor and action. Plaintext never leaves your process.

02Edge Runtime

Edge ingestion in <5ms

The encrypted payload hits a Cloudflare Worker at the edge. Your API key is validated via a 3-layer pipeline. A 202 is returned before any write completes.

03Server-Blind

Server-blind storage

Cloudflare D1 stores only HMAC blind indexes and AES-256-GCM ciphertext. No plaintext column. No PII column. This is called server-blind storage, our database cannot leak what it never held.

04In-Browser

Browser decrypts locally

Your customers' browsers receive ciphertext and decrypt locally via WebCrypto. The AES key travels only in the URL hash fragment, architecturally invisible to any server.

Ingestion Flow

volidator.log()AES-GCM + HMAC on your serverPOST /v1/logCRC32 → SHA-256 → KV → D1202 Accepted

SDK Guide

First log in
under 5 minutes.

@volidator/node is a zero-dependency TypeScript package. Works anywhere Node 18+ runs: Express, Fastify, Next.js API routes, Lambda, Workers.

Package

@volidator/node

Zero dependencies

Node.js ≥ 18

TypeScript native

ESM + CJS

bash
bash
# Install via your package manager
npm install @volidator/node

# or pnpm
pnpm add @volidator/node

# or yarn
yarn add @volidator/node
Environment Variables
VOLIDATOR_API_KEYrequired

val_live_<20-hex><6-crc32>

Bearer token for the Ingestion Worker. Structurally validated via CRC32 checksum before any crypto or I/O.

VOLIDATOR_ENCRYPTION_KEYrequired

any string (min 32 chars)

Symmetric AES-256-GCM key. Derived via SHA-256. Also passed as the URL hash fragment for browser-side decryption. Never stored by Volidator.

VOLIDATOR_PROJECT_IDoptional

prj_live_<hex>

Required only for generateEmbedToken(). Embedded in the HS256 JWT as the pid claim.

VOLIDATOR_CLIENT_SECREToptional

any secret string

Required only for generateEmbedToken(). Used to sign and verify HS256 JWTs for the embeddable widget.

01Install
npm i @volidator/node

Zero-dependency TypeScript package. Works on Node 18+, Edge, Lambda, and Workers.

02Initialize
new VolidatorClient({ apiKey, encryptionKey })

One-time setup. Your encryption key never leaves your server.

03Declare PII (optional)
redactKeys: ['actor', 'metadata.email']

List any fields that contain PII or PHI. Volidator scrubs them before encryption, no AI needed.

04Log an event
await volidator.log({ actor, action, target })

One call. Encrypted at source, stored in Cloudflare D1, dispatched to your SIEM.

05Embed the widget
<iframe src={embedUrl} />

Drop a scoped, decrypting audit widget into your UI. Your customers see their own logs.

typescript · complete example
import { VolidatorClient } from "@volidator/node";

const volidator = new VolidatorClient({
  apiKey:        process.env.VOLIDATOR_API_KEY!,
  encryptionKey: process.env.VOLIDATOR_ENCRYPTION_KEY!,
  redactKeys:    ["actor", "metadata.email"],   // optional PII scrubbing
});

// That's it, call this anywhere in your app:
await volidator.log({
  actor:  req.user.id,          // e.g. "usr_alice"
  action: "EXPORT_DATA",
  target: "report_2026_Q2.pdf",
  req,                          // auto-extracts IP, user-agent, geo
});
Compliance-Ready · SOC2 · HIPAA · ISO-27001

Compliance-ready audit logs,
without the integration headache.

Every log event you emit is automatically structured for SOC 2, HIPAA, and ISO 27001 evidence. Give your auditor a 7-day access room. No raw logs leave your perimeter.

Zero-Knowledge Storage

Evidence-Grade Audit Tags

Every call to volidator.log() stores a tamper-evident, cryptographically sealed record with a verifiable HMAC chain. This satisfies SOC 2 CC6.1, HIPAA §164.312, and ISO 27001 Annex A.12 audit controls, out of the box.

Encrypted AES-256-GCM payload per event
HMAC-SHA256 blind index per actor & action
Continuous coverage verifiable by auditors
Zero plaintext, server is cryptographically blind

Zero raw logs leave your perimeter. Auditors see decrypted logs in their browser, not on our servers.

Auditor Access

7-Day Secure Auditor Rooms

Generate a scoped, time-limited access link for your CPA or auditor. The AES decryption key travels only in the URL hash fragment, architecturally invisible to our servers. Audit sessions expire automatically after 7 days.

Scoped to audit periodBrowser-only decryptionNo VPN requiredAuto-expires 7 days

SIEM Integration

Real-Time Log Forwarding

Every audit event is dispatched to a Cloudflare Queue and forwarded to Datadog or Splunk in real-time. HMAC-signed payloads. Non-blocking ingestion. Your SIEM gets the full encrypted metadata, your privacy model stays intact.

Datadog

Logs API v2

Splunk

HEC Endpoint

Custom

Webhook + HMAC

Standards Volidator Audit Logs Are Structured For

SOC 2 Type II

CC6.1 - CC9.2 controls

HIPAA

§164.312 audit controls

ISO 27001

Annex A.9 + A.12 controls

FDA 21 CFR 11

Electronic records & audit

Capabilities

Built for production.
From day one.

Searchable Blind Indexes

HMAC-SHA-256 per-project blind indexes let you filter logs by actor or action server-side with zero decryption required. Fast queries, zero exposure.

AES-256-GCM Encryption

Every event gets a random 12-byte IV. GCM authentication tags prevent tampering. Layout: [IV 12B][Ciphertext][Auth Tag 16B].

Hash-Fragment Key Isolation

The AES key lives only in the URL hash fragment, which browsers never send in HTTP requests. This makes keys invisible to our servers.

Autonomous Agent Auditing

Log system prompts, reasoning steps, tool calls, and model tokens under client-side E2EE. Fulfill compliance auditing needs for LLM autonomy safely.

SIEM Queue Forwarding

Every ingested log dispatches to a Cloudflare Queue for Datadog or Splunk. Batched writes, max_concurrency=1, DLQ for partial failures. Zero data loss.

Restricted Auditor Rooms

Generate secure guest access tokens valid for up to 7 days. Isolates the decryption keyring strictly to the auditor's browser URL hash fragment.

Embeddable Audit Widget

Drop a branded audit trail widget into your app with one <iframe> tag. Customers see their own decrypted logs with zero server overhead.

Any Language, Any Platform

Integrate Volidator into Next.js, Cloudflare Workers, Python, Go, Rust, or installed client gateways. Edge-native scale for any tech stack.

Pricing

Simple pricing.

Start free. Scale as you grow. No credit card required. Paid plans require an active subscription to maintain log retention (cancelled/unpaid accounts enter a 14-day soft-delete grace period before compliance history is pruned).

Starter

$0/mo

Side projects and prototypes.

  • 10,000 logs / month
  • 7-day log retention
  • Basic embeddable widget (Locked columns)
  • Community support

Pro

$49/mo

Production SaaS applications.

  • 1,000,000 logs / month
  • 1-year log retention (Unlocks compliance)
  • Sub-5ms edge ingestion
  • Customizable embed widget (Columns & paths)
  • 7-Day Auditor Access Links
Most Popular

Scale

$149/mo

Mid-market SaaS scaling up.

  • 5,000,000 logs / month
  • 1-year log retention
  • Customizable embed widget (Columns & paths)
  • Saved compliance views
  • SIEM queue forwarding (Datadog/Splunk)
  • 7-Day Auditor Room Access Links
  • 60s edge-wide key revocation

Enterprise

Custom

High-throughput with custom SLAs.

  • Unlimited logs & retention
  • Dedicated ingestion endpoint
  • SLA-backed uptime & priority support
SOC2 · HIPAA · ISO-27001 · Compliance-ready by design

Your enterprise customers
need this on day one.

Give them a cryptographically verifiable audit trail and a 7-day auditor room link their CPA can read. No plaintext on our servers. No integration headache.