# Compliance & Audit
Cryptographically signed evidence ledger with full reconstructability for every agent action.
BrainstormRouter maintains a cryptographically signed evidence ledger that records every request, routing decision, and model interaction. This enables full reconstructability -- the ability to replay and audit any agent's actions after the fact.
## Evidence Ledger
Every API request generates a ledger entry containing:
- Request metadata: Timestamp, request ID, API key hash, source IP
- Routing decision: Which model was selected, which strategy was used, and the scoring breakdown
- Input/output: Full request and response payloads (configurable retention)
- Tool calls: Every tool invocation with arguments and results
- Security events: Any guardrail triggers, PII detections, or trust level changes
- Cost: Actual token usage and cost in USD
## Cryptographic Signatures
Each ledger entry is signed with an Ed25519 key. Entries are chained -- each entry includes the hash of the previous entry, creating a tamper-evident log similar to a blockchain. If any entry is modified after the fact, the chain breaks and the tampering is detectable.
```json
{
  "id": "evt_abc123",
  "timestamp": "2026-03-29T14:30:00Z",
  "previous_hash": "sha256:9f86d081...",
  "signature": "ed25519:a1b2c3d4...",
  "payload": {
    "request_id": "req_xyz789",
    "model": "claude-opus-4-6",
    "tokens_in": 1250,
    "tokens_out": 890,
    "cost_usd": 0.0342
  }
}
```
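An added example, not BrainstormRouter's own code, of how a consumer of exported entries could check the chaining and signatures described above. The byte form that is signed and hashed, the hex signature encoding and the all-zero starting hash are assumptions (the page does not specify them), and the ledger entries and key pair are constructed for the demonstration.

```javascript
// Added example: constructed ledger and assumed wire format, not BrainstormRouter's code.
const crypto = require("node:crypto");

// ASSUMPTION: the signed bytes are this JSON array; the page does not define canonicalization.
const body = (e) => JSON.stringify([e.id, e.timestamp, e.previous_hash, e.payload]);
// ASSUMPTION: an entry's hash is "sha256:" + hex SHA-256 of its signed bytes.
const entryHash = (e) => "sha256:" + crypto.createHash("sha256").update(body(e)).digest("hex");

// Returns the index of the first entry that fails a check, or -1 if the chain is intact.
function verifyChain(entries, publicKey) {
  for (let i = 0; i < entries.length; i++) {
    const e = entries[i];
    // Chain check: each entry must commit to the hash of the one before it.
    if (i > 0 && e.previous_hash !== entryHash(entries[i - 1])) return i;
    // Signature check. ASSUMPTION: "ed25519:" + hex signature over the signed bytes.
    const sig = Buffer.from(String(e.signature).replace(/^ed25519:/, ""), "hex");
    if (!crypto.verify(null, Buffer.from(body(e)), publicKey, sig)) return i;
  }
  return -1;
}

// Constructed sample data: a throwaway key pair stands in for the ledger's signing key.
function buildSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const entries = [];
  let prev = "sha256:" + "0".repeat(64); // constructed start-of-chain value
  for (const [n, tokens] of [[1, 1250], [2, 300], [3, 75]]) {
    const e = { id: `evt_${n}`, timestamp: `2026-03-29T14:3${n}:00Z`, previous_hash: prev,
                payload: { request_id: `req_${n}`, tokens_in: tokens } };
    e.signature = "ed25519:" + crypto.sign(null, Buffer.from(body(e)), privateKey).toString("hex");
    entries.push(e);
    prev = entryHash(e);
  }
  return { entries, publicKey };
}
```

Because an export window can begin mid-chain, the first entry's `previous_hash` is not checked here. Comparing it and the last entry's hash against independently stored values is what detects truncation at either end.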
## Full Reconstructability
For any agent session, you can reconstruct the complete sequence of events:
1. Every prompt the agent received
2. Every model response generated
3. Every tool call made and its result
4. Every routing decision and its rationale
5. Every security check and its outcome
This is critical for regulated industries where AI agent actions need to be auditable, and for debugging complex multi-step agent failures.
## Audit Export
Export audit data in standard formats for integration with your security and compliance tools:
### CEF (Common Event Format)
```bash
curl "https://api.brainstormrouter.com/v1/audit/export?format=cef&from=2026-03-01&to=2026-03-29" \
  -H "Authorization: Bearer br-your-api-key"
```
### ECS JSON (Elastic Common Schema)
```bash
curl "https://api.brainstormrouter.com/v1/audit/export?format=ecs&from=2026-03-01" \
  -H "Authorization: Bearer br-your-api-key"
```
Both formats are compatible with common SIEM platforms: Splunk, Elastic Security, Datadog, Sumo Logic, and others.
## Retention Policies
| Plan | Ledger Retention | Payload Retention |
|------|-----------------|-------------------|
| Free | 7 days | None (metadata only) |
| Pro | 90 days | 30 days |
| Team | 1 year | 90 days |
| Enterprise | Custom | Custom (up to indefinite) |
Payload retention controls whether full request/response bodies are stored. Metadata (timestamps, costs, routing decisions) is always retained for the full retention period.
## Compliance Standards
BrainstormRouter's audit system is designed to support:
- SOC 2 Type II: Tamper-evident logs with cryptographic integrity
- GDPR: Data retention controls and right-to-deletion support
- HIPAA: Full audit trail with access controls (Enterprise plan with BAA)
- ISO 27001: Information security management evidence
## Per-Agent Audit
Filter audit data by agent identity to review a specific agent's behavior:
```bash
curl "https://api.brainstormrouter.com/v1/audit?agent_id=agent_123&limit=100" \
  -H "Authorization: Bearer br-your-api-key"
```
This returns the complete action history for that agent, making it straightforward to investigate incidents or verify that an agent operated within its expected boundaries.