Audit trails better than what your engineering team would write themselves.
Hash-chained audit log with agent identity. Every action: who, when, on whose behalf, against which target. CSV / JSONL export to your SIEM.
What matters to compliance & risk teams
- ✓Tamper-evident audit log machinery (prev_hash chained per event, ADR 0005). API submissions + admin retries recorded today; full orchestrator wiring is in progress.
- ✓`actor_is_agent` + `agent_run_id` columns on sf_factory_audit_events — distinguishes human from agent actions
- ✓Per-tenant export to CSV/JSONL via /api/admin/factory/audit/export; pipe into Splunk / Datadog / native SIEM
- ✓DPA published at /factory/dpa (GDPR Art. 28). BAA / SCC / HIPAA-mode templates are roadmap — /factory/security tracks the status.
- ✓EU AI Act readiness in progress — confidence scoring + DAG export per build (no certification claimed)
Objections compliance & risk teams raise — and our answers
We don’t pretend these don’t come up. Here’s how we respond.
Hash chain: each event records the SHA-256 hash of the previous event. Any tamper breaks the chain. The chain is verifiable from any starting point. Auditors can spot-check.
No. We have no FedRAMP authorization and it's not on the roadmap. If you have a USG mandate, we can scope a private deployment in your environment but cannot offer FedRAMP-shared infrastructure. /factory/compliance is explicit on this.
In scope for responsible disclosure (/factory/security/responsible-disclosure). We sandbox tool use, scope prompts per tenant, and disallow cross-tenant context. Bridge workspaces are isolated per job. Reports get a hall-of-thanks entry.