Make your privacy policy structurally true. Deploy a transparent proxy for Postgres, MongoDB, and S3 that generates a cryptographic audit chain for every admin and AI agent action—verifiable by your customers in their own browser.
Every SIG, CAIQ, and custom F500 security review asks for non-repudiation evidence. Operator-controlled logs don't pass that bar — anyone with admin can rewrite them. We produce a per-user, hash-linked chain they verify themselves.
“Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated?”
Without Unincorporated Protocol
Yes, with caveats. We log to S3 with Object Lock enabled, restrict access via IAM policy, and rotate credentials regularly. Privileged roles can be reviewed in a separate audit pipeline, but the protection is policy-administered.
With Unincorporated Protocol
Yes — by construction. The chain is cryptographically append-only; modifying any past entry mathematically breaks every entry after it and is detected on the next verification pass. No privileged role can silently rewrite history. Your customer’s compliance team verifies this themselves in their browser, in WASM.
“Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation?”
Without Unincorporated Protocol
Sub-processor list maintained on our Trust Center; new sub-processors disclosed via DPA notification 30 days before onboarding. Per-access disclosure to the data owner is not provided — the customer sees the list, not the events.
With Unincorporated Protocol
Sub-processor onboarding stays the same. Per-access transparency is added: every actor — including each sub-processor — appears as a labeled actor in the customer’s chain at the moment of access. “Which sub-processor touched my data, when, and why” becomes an on-demand cryptographic record, not a quarterly Trust Center update.
“Does the information system protect audit records from unauthorized access, modification, and deletion?”
Without Unincorporated Protocol
Yes. Audit records stored in S3 with Object Lock (compliance mode); access restricted via IAM policy; deletion requires multi-party approval. Protection is policy-based and operator-administered.
With Unincorporated Protocol
Yes — and the protection is mathematical rather than policy-based. The chain is tamper-evident by construction; any modification or deletion breaks the cryptographic linkage and is detected on verification. Your customer doesn’t have to trust our IAM policy — they verify the integrity themselves.
Same shape appears in SIG, ISO 27001 Annex A, and most Fortune 500 custom questionnaires. Three questions today; the same cryptographic answer scales to all of them.
Heads up: EU AI Act Article 12 enforcement starts August 2, 2026 — 95 days from today. Operational logging is no longer optional.
The gap
Your customers can’t see who accessed their data — the controller keeps the log, the regulator sees it on request, the subject never does.
What Unincorporated Protocol changes
"Appropriate" stops being a word you defend in a DPA review and becomes a hash your customer verifies in their own browser.
The gap
Hospitals grade their own homework. Patients have no statutory right to the access log — and §164.528 exempts the exact category where curiosity reads happen.
What Unincorporated Protocol changes
"Minimum necessary" becomes an auditable list, labeled by actor, visible to the patient. Celebrity chart pulls surface the same day.
The gap
"Reasonable" is defined after a breach, by lawyers — the consumer never sees a single access log before or after.
What Unincorporated Protocol changes
Every access is recorded when it happens and visible to the consumer the same day. "Reasonable" becomes measurable before the breach, not after.
The gap
The handler defines "necessary," audits itself, and reports to the regulator. The data subject is not a party to any of it.
What Unincorporated Protocol changes
The chain is visible to the data subject in any browser, in any jurisdiction, without the handler’s cooperation.
The gap
"Legitimate" is an adjective the school applies to its own staff. Three registrars have literally written "curiosity is never a legitimate educational interest" into their own notices.
What Unincorporated Protocol changes
Every access carries the actor and the actor’s stated reason. Curiosity reads surface the same day, not three years later during a news cycle.
The gap
"Business need to know" is defined by the merchant, reviewed by a QSA under NDA, and recorded in a Report on Compliance the cardholder never sees.
What Unincorporated Protocol changes
The cardholder reads a line that says "your card was touched at 14:32 by the fraud review team" — the same day, in their own browser.
Seven more regulations — HIPAA Security Rule, HITECH, 42 CFR Part 2, GLBA, NYDFS Part 500, DORA, EU AI Act — on the full regulations page, plus three university registrars who already admit the clause is aspirational.

| | User-visible | Independently verifiable | Tamper-evident | Unbypassable | Inline capture | Agent-aware |
|---|---|---|---|---|---|---|
| Unincorporated Protocol The user verifies the chain themselves. Nobody — app, admin, or agent — can silently opt out. | ✓ Per-user chain | ✓ Client-side WASM | ✓ Merkle chain | ✓ Only path to DB | ✓ Wire protocol | ~ App labels agent |
| Transparency logs (adjacent) Certificate Transparency · Sigstore / Rekor · VeritasChain VCP Append-only Merkle logs for certs, software artifacts, and AI trading. Same primitives, different domain, different verification principal. | ~ Domain owner / auditor | ✓ Public monitors | ✓ Merkle tree | ~ CA-enforced (CT) | ✗ Submission-based | ~ VCP only |
| Google Access Transparency Shows when a Google employee accessed your data. Closed-source, locked to GCP, visible to customer admins — not end users. | ~ Customer admin | ✗ Trust Google | ~ Google-controlled | ✓ Google-enforced | ~ Google ops only | ✗ Human ops only |
| Cloud provider audit AWS CloudTrail · GCP Cloud Audit Logs Logs control-plane API calls. The vendor controls what is written and how long it is kept. | ✗ Admin-only | ✗ Trust the vendor | ~ Vendor-mutable | ✗ Vendor-scoped | ~ Control plane only | ✗ |
| Database Activity Monitoring Imperva · Varonis · Cyral · Satori Network tap on the database connection. Logs live in a mutable store the admin can still reach. | ✗ Compliance-only | ✗ | ✗ Mutable logs | ~ Tap, bypassable | ✓ | ✗ |
| MCP / agent gateways Tetrate · MintMCP · HashiCorp Boundary Inline gateway for agent tool-use traffic. An agent that bypasses the gateway is invisible. | ✗ CISO-visible | ✗ | ✗ | ~ Gateway-only | ~ MCP layer | ~ Agents only |
| LLM observability Langfuse · Braintrust · LangSmith · Helicone Prompt-trace dashboards for the dev team. No cryptographic integrity, no end-user surface. | ✗ Dev dashboard | ✗ | ✗ | ✗ SDK opt-in | ✗ SDK-instrumented | ~ Prompt traces |
| Audit-log libraries pgaudit · Retraced · django-auditlog The admin picks what to log and can silently rewrite what was recorded. | ✗ | ✗ | ✗ | ✗ Opt-in | ✗ App-instrumented | ✗ |
| Compliance platforms Vanta · Drata · SailPoint · Delve Policy and attestation layer. Does not capture what happened to user data. | ✗ Attestation-based | ✗ Policy checks | ✗ | ✗ Meta-layer | ✗ No capture | ✗ |
The Unincorporated Protocol reference implementation (AGPLv3), Certificate Transparency, and Sigstore / Rekor are fully open-source. Google Access Transparency is closed. Everything else above is proprietary.
Every path — admin, app, or agent — goes through the proxy.
Who asked, which table, which rows — written to the chain in the same request. There is no code path that serves data without logging it first.
Each entry is hashed together with the previous one (a Merkle chain). Silently modify any record and every record after it is mathematically invalid — and the break is visible to the user, not just to us.
Verification runs client-side in the user’s browser against published algorithms. We are structurally unable to forge a passing result — the math has to work where we don’t control the runtime.
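
The hash-linking and verification described above, as an added example that is not taken from the Unincorporated Protocol code base. SHA-256, the JSON encoding, the field names, the helper names and the sample records are assumptions; the page does not specify the real entry format. The verifier also checks that a head hash it saved on an earlier pass still appears in the chain, because a chain recomputed end to end is internally consistent.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for an empty chain


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Link a new access record to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(chain, pinned_head=None):
    """Return (ok, detail). detail is the index of the first broken entry, or
    "pinned-head-missing" when the chain is self-consistent but no longer
    contains a head hash the verifier saved on an earlier pass."""
    prev = GENESIS
    seen_pin = pinned_head is None or pinned_head == GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return (False, i)
        prev = entry["hash"]
        seen_pin = seen_pin or prev == pinned_head
    return (True, None) if seen_pin else (False, "pinned-head-missing")


def build_sample():
    """Constructed sample data: three accesses to one user's rows."""
    chain = []
    append(chain, {"actor": "app", "table": "orders", "rows": [17], "reason": "checkout"})
    append(chain, {"actor": "admin:dana", "table": "orders", "rows": [17], "reason": "support ticket"})
    append(chain, {"actor": "agent:summarizer", "table": "orders", "rows": [17, 18], "reason": "weekly digest"})
    return chain


def rewrite_from(chain, index, record):
    """Model an operator who replaces one record and recomputes every later hash."""
    rebuilt = []
    for i, entry in enumerate(chain):
        append(rebuilt, record if i == index else entry["record"])
    return rebuilt
```
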
Traditional audit logs (like pgaudit or CloudTrail) ask you to trust the admin who controls them. The chain doesn’t — the end-user verifies it mathematically in their browser. Certificate Transparency shipped this pattern for TLS in 2013; we adapted it for databases.
No consensus, no token, no distributed ledger. Each user has their own Merkle hash chain. Delete the account, delete the chain — GDPR-compliant by design.
The closest architectural peer. Google logs access to Google Cloud infrastructure, for Google customers, on Google’s closed stack. We are the open version — AGPLv3, running in front of your database, verifiable by the affected user instead of an internal Google reviewer.
Lakera, Robust Intelligence, and NeMo Guardrails block AI behavior at runtime. We don’t. The proxy doesn’t decide whether the agent should have made the query — it records the query, so the affected user can verify what the agent did with their data. Camera, not the locked door. Most deployments need both; we ship the one nobody else does.
Two independent defenses against a compromised proxy: a chain-MinIO quorum replicated across every database replica, plus an Observer VM that reads the database's own replication stream and cross-checks the proxy's chain.
v1 caveat. This is about observer count, not replica count — DB replicas are already 3 (standard) or 5 (custom shape). Today's managed deployment ships one observer VM per customer: meaningful hardening over proxy-only designs, but not yet a multi-observer Byzantine quorum. That commitment lives in ROADMAP v1.1, alongside cross-customer observer pooling and external transparency-log publication.
The same cryptographic artifact runs everywhere. Choose based on your data sovereignty requirements, not feature gating.
AGPLv3 · Free Forever
Run the full Rust proxy and chain engine on your own metal. Complete data sovereignty, same cryptographic artifact.
Serverless · Metered
A REST endpoint for AI agents and distributed services. Post events, get back a hash-linked cryptographic proof.
Free (100K) · Pro $20 (1M)
Dedicated VPC
We host the full 5-VM transparency proxy topology. You change one DATABASE_URL connection string.
Read the code. Run it yourself. Or hand us the keys and book a security walkthrough with our team.
AGPLv3 · Open-source code is the trust anchor.