Vupt Docs


Signed audit logs

Tamper-evident audit log signed with Ed25519. Per-event signatures, hash-chained entries, and SIEM export. Business tier feature.

The signed audit log records every privileged operation (data access, RBAC change, license activation, agent provider key write) with a per-event Ed25519 signature plus a hash chain that links each entry to the previous one. Tampering is detectable: a single edited entry breaks the chain and the verifier rejects the log.

Signed audit logs are a Business tier feature. The base audit log (read-only viewer, last 30 days) is available on Team.

Threat model

The log is designed to satisfy two requirements:

  1. Detection of tampering — even an admin with database access cannot modify entries without breaking the chain.
  2. Non-repudiation — Vupt customers can prove to auditors that an event occurred at a given time without trusting Vupt.

Cryptography

Element              Algorithm
Per-event signature  Ed25519
Hash chain           SHA-256 over `(prev_hash
Time anchor          RFC 3161 trusted timestamp every 24 hours

Signing keys are generated per-customer at deployment time and stored in the customer's KMS (AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault). Vupt never has access to the private key.

Verifying a log

vupt audit verify --since 2026-05-01 --pubkey customer.pub

The verifier returns 0 if every signature checks out and the chain is unbroken. On failure it exits non-zero and reports the offending sequence number for forensic follow-up.

SIEM export

Stream entries to your SIEM in JSON Lines format:

curl -s "https://api.vupt.dev/v1/audit/stream?from=2026-05-15T00:00:00Z" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Accept: application/x-ndjson"

Sample entry:

{
  "seq": 42,
  "ts": "2026-05-15T12:34:56.789Z",
  "actor": "user_01H...",
  "action": "rbac.role_assigned",
  "subject": "user_01H...",
  "resource": "project_01H...",
  "diff": { "role": ["viewer", "admin"] },
  "prev_hash": "sha256:...",
  "self_hash": "sha256:...",
  "sig": "ed25519:..."
}
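
A SIEM-side check of the hash chain over exported entries, as an added example (not Vupt's code and not a replacement for `vupt audit verify`). It uses the `seq`, `prev_hash` and `self_hash` fields from the sample entry; the hash input recipe, the all-zero starting hash and the sample actions other than `rbac.role_assigned` are assumptions, and Ed25519 signature checking is left to the verifier.

```python
import hashlib
import json

def entry_hash(entry):
    # ASSUMPTION: SHA-256 over canonical JSON of every field except self_hash
    # and sig (prev_hash included). The page's exact hash input is truncated.
    body = {k: v for k, v in entry.items() if k not in ("self_hash", "sig")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode()).hexdigest()

def verify_chain(lines, anchor=None):
    """Return (ok, offending_seq, reason); anchor=None trusts the first prev_hash."""
    prev_hash, next_seq = anchor, None
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        seq = entry.get("seq")
        if not isinstance(seq, int) or (next_seq is not None and seq != next_seq):
            return False, seq, "sequence gap or reorder"
        if prev_hash is not None and entry.get("prev_hash") != prev_hash:
            return False, seq, "prev_hash does not match previous entry"
        if entry.get("self_hash") != entry_hash(entry):
            return False, seq, "self_hash does not match entry content"
        prev_hash, next_seq = entry["self_hash"], seq + 1
    return True, None, "chain intact"

def build_sample():
    """Constructed sample log, not real Vupt output (actions partly invented)."""
    prev, lines = "sha256:" + "0" * 64, []  # assumed starting hash
    actions = ["license.activated", "rbac.role_assigned", "data.accessed"]
    for seq, action in enumerate(actions, start=40):
        entry = {"seq": seq, "ts": f"2026-05-15T12:34:{seq}.000Z",
                 "actor": "user_A", "action": action, "prev_hash": prev}
        entry["self_hash"] = prev = entry_hash(entry)
        lines.append(json.dumps(entry))
    return lines

def tamper(lines, index, **changes):
    """Simulate an in-place edit of one stored entry (for testing detection)."""
    entry = json.loads(lines[index])
    entry.update(changes)
    return lines[:index] + [json.dumps(entry)] + lines[index + 1:]

if __name__ == "__main__":
    log = build_sample()
    print(verify_chain(log))                                        # intact log
    print(verify_chain(tamper(log, 1, action="rbac.role_removed")))  # edited entry
    print(verify_chain(log[:1] + log[2:]))                          # deleted entry
```

If an edited entry's `self_hash` is recomputed to match, the break surfaces one entry later, at the next entry's `prev_hash`.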

ANPD-ready disclosure

The signed log is accepted as ANPD-grade evidence for LGPD Article 37 record-keeping requirements. The same log is accepted under SOC 2 CC7.2 (system monitoring) and ISO 27001 A.12.4 (logging).

Retention

Default retention: 7 years (Business tier), customizable to 1-25 years on Enterprise. Logs are stored encrypted at rest; encryption keys are customer-managed (BYOK).
