Every AI call, signed and accounted for.
DVARA writes every LLM and MCP request to a tamper-evident audit log — each event HMAC-signed and hash-chained to the one before it, so a single altered record breaks the chain. Generate SOC 2, HIPAA, and GDPR reports on demand and stream every event to your SIEM.
Immutable audit & compliance reporting ship in every DVARA install — see pricing.
“We use AI responsibly” has to be provable.
Who sent which prompt, to which model, under which policy, and what came back — with a guarantee the log wasn't edited after the fact. Application logs don't carry policy decisions, aren't tamper-evident, and aren't shaped for an auditor. That gap is the difference between an interesting pilot and a deal security will sign off on.
Append-only, hash-chained, and exportable
Chain-continuity plus strictly monotonic sequence numbers prove the log is intact. Edit or delete one row and verification fails.
Not just “a call happened,” but which policy allowed, warned, downgraded, or denied it — the context an auditor actually asks for.
Every audit query is tenant-scoped at the application layer; one tenant can never see another tenant’s events.
Query by tenant, event type, and date range; export the results as CSV or JSON for your GRC workflow.
Stream every event in real time to Splunk (HEC), AWS CloudWatch Logs, or Kafka.
Generate SOC 2 Type II, HIPAA, and GDPR reports on demand or on a cron schedule, with retention controls and PDF output.
Record, chain, export, report
- 1
Record
Every LLM and MCP call writes a signed audit event carrying its policy decision, tenant, model, provider, and outcome.
- 2
Chain
The event is HMAC-SHA256 signed, and the signature incorporates the previous event’s hash — sequence numbers are strictly monotonic, so the log is tamper-evident.
- 3
Export
Events stream to your SIEM — Splunk, CloudWatch, or Kafka — in real time, alongside the append-only store.
- 4
Report
Generate SOC 2 / HIPAA / GDPR reports on demand or on a schedule, downloadable as PDF for your auditor.
Every call, recorded in DVARA Flightdeck


Common questions about AI audit & compliance
Each event is HMAC-SHA256 signed and the signature incorporates the previous event’s hash, forming a chain with strictly monotonic sequence numbers. Altering or deleting any record breaks chain verification, so tampering is detectable.
Yes. Reports are generated on demand or on a schedule from the audit and usage data and downloadable as PDF.
Yes. Splunk (HEC), AWS CloudWatch Logs, and Kafka are supported export targets, and events stream in real time.
Yes. Audit access is tenant-scoped at the application layer, so a tenant can never see another tenant’s events.
Yes. Each event carries the policy decision — allowed, warned, downgraded, or denied — not just the fact that a call occurred.
Make AI provable for your auditors.
Immutable audit and compliance reporting ship in every DVARA install. Start a free 30-day trial, or read how it works.