Tamper-Evident Audit Trails
Storage-agnostic, cryptographically verifiable audit logging with Merkle tree proofs and post-quantum signatures. Like SQLite for audit logging — embed it, run it as a service, or scale it to a cluster.
AWS deprecated QLDB in 2025, leaving enterprises without a reliable open audit ledger. ZenoAudit fills that void with a Rust-core engine that makes audit integrity mathematically provable.
From basic hash chain integrity to blockchain-anchored proofs. Choose the assurance level your compliance requirements demand.
BLAKE3 hashing (~1 GB/s) creates a tamper-evident sequential chain. Any modification breaks the chain.
RFC 6962-style inclusion proofs. Efficiently verify any single event belongs to a signed batch without downloading all events.
Ed25519 digital signatures over Merkle tree roots. Cryptographic proof that the tree was produced by an authorized signer.
Multiple independent co-signers witness the tree head. No single party can forge the audit trail.
Bitcoin anchoring via OpenTimestamps. Publicly verifiable, immutable proof that your audit trail existed at a specific point in time.
All the cryptographic complexity is hidden behind a clean, intuitive API. Log events in one line, verify them in another.
Developers should never need to understand Merkle trees or Ed25519 to use audit logging.
ZenoAudit abstracts all cryptographic operations behind a familiar
actor, action, resource
model.
Your verification layer is independent of your storage choice. Start with SQLite, scale to PostgreSQL, archive to S3 — all with the same API.
Single-file deployment with zero external dependencies. WAL mode, monthly file rotation. Ideal for embedded and edge deployments.
Monthly RANGE partitioning with BRIN + B-tree + GIN indexes. High-throughput COPY protocol inserts at 150K+/sec.
S3 Object Lock for WORM compliance (SEC 17a-4, FINRA). Lifecycle policies and cross-region replication for long-term retention.
Pluggable storage trait supports any backend. Azure Table Storage, MongoDB, Cassandra, and MS SQL Server planned.
Hybrid classical + post-quantum signatures from day one. Your audit trails remain verifiable even when quantum computers arrive.
ZenoAudit maps audit events directly to compliance framework controls. Generate evidence reports for auditors with cryptographic proofs attached.
Automated mapping to CC6.1, CC6.2, CC7.1, CC7.2, CC8.1 and other trust service criteria controls.
Crypto-shredding for right-to-erasure without breaking audit integrity. HIPAA §164.312 audit controls built in.
Full mapping to PCI DSS 10.2–10.7 audit controls and NIST 800-53 AU-2, AU-8, AU-9, AU-10 requirements.
WORM compliance for financial records, DORA Articles 9–11 for EU financial entities, ISO 27001, eIDAS 2.0, and NIS2 Directive.
Same Rust binary, four deployment models. Start embedded, scale to a global cluster — without changing your application code.
SQLite backend, in-process, zero external dependencies. Ideal for desktop apps, edge devices, and single-server deployments.
gRPC + REST API server with any storage backend. Service discovery, health checks, and production-ready configuration.
Multi-node high availability with witness co-signing across nodes for maximum tamper resistance.
Inject audit logging into any pod as a sidecar container. Capture infrastructure events alongside application audit trails.
Audit logging should adapt to your architecture, not the other way around.
| Feature | ZenoAudit | immudb | Trillian | Basic Logs (ELK) |
|---|---|---|---|---|
| License | Commercial | BSL 1.1 | Apache 2.0 | Various |
| Storage Backends | 8+ (pluggable) | Proprietary only | Configurable | Elasticsearch |
| Embeddable | Yes (SQLite) | No | No | No |
| Post-Quantum | ML-DSA-65 hybrid | No | No | No |
| Compliance Mapping | 7+ frameworks | Basic | None | None |
| Cryptographic Verification | 5-level model | Hash chain only | Merkle proofs | None |
| Language SDKs | 6 languages | 4 languages | Go, Java | Various |
Deploy cryptographically verifiable audit logging in minutes. Start with SQLite, scale to enterprise. No vendor lock-in.