Scenarios · Compliance desk

Hand examiners an audit package they can verify themselves.

Risk and internal audit teams schedule a nightly pull from HASP's API, land the payload in their own archival storage, and hand examiners a published verification recipe they run on an isolated workstation. The signature and hash chain check independently of HASP — no access request, no vendor cooperation, no screenshots.

Where the work happens

  • Public API — the date-windowed audit endpoint your scheduler pulls from, plus alerting webhooks into your SIEM.
  • Audit & Trust — the published recipe an examiner runs locally to verify the package.
  • Assistant — readable narratives summarizing what changed between checkpoints, citing exact ledger rows.

How it works

  1. Your scheduler pulls a signed package each night.

    Your job calls the authenticated audit endpoint with a date window, picks up every audit event from the last 24 hours, and keys the result to the chain checkpoint hash — not a timestamp you control. Each event carries the signed integrity hash from the chain.

  2. The archive lives in storage you control.

    The payload lands in your own archival storage — your bucket, your retention policy, your encryption at rest. HASP never holds the archived copy, so a vendor-side breach or vendor-side access request cannot expose it.

  3. Examiners verify on their own workstation.

    Hand the examiner the archived payload and the published chain verification recipe. They re-run verification with standard tooling on an isolated machine. The signature and hash chain check independently — HASP cannot alter the result, and you don't have to ask permission.

  4. "Why did this agent do that?" gets a traceable answer.

    For probes into automated decisions — which agent took an action, which human approved a delegated step — a compliance officer opens a chat that cites specific ledger rows, mapping each agent identity back to the underlying prompt hash.
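The offline check in steps 1 to 3, written out as an added Go example that is not HASP's published recipe: the event fields, the canonical encoding, the chain rule SHA-256(prev || event) and the Ed25519 signature over the checkpoint are all assumptions standing in for whatever the real recipe specifies, but the shape of the check is the one the page describes (replay the chain, compare to the checkpoint, verify the signature with a published key, no call home).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// AuditEvent is an assumed event record; field names are placeholders, not HASP's schema.
type AuditEvent struct {
	Seq                                  uint64
	Timestamp, Agent, Action, PromptHash string // Timestamp is the ledger's, not the archiver's clock
}

// Package is the assumed shape of one night's archived payload.
type Package struct {
	PrevCheckpoint [32]byte     // chain head of the previous night's package
	Events         []AuditEvent // the last 24 hours of events, in ledger order
	Checkpoint     [32]byte     // SHA-256 chain head over Events, as stated by HASP
	Signature      []byte       // Ed25519 signature over Checkpoint, by HASP's published key
}

// Link folds one event into the chain: SHA-256(prev || canonical encoding of the event).
func Link(prev [32]byte, ev AuditEvent) [32]byte {
	canon := fmt.Sprintf("%d|%s|%s|%s|%s", ev.Seq, ev.Timestamp, ev.Agent, ev.Action, ev.PromptHash)
	return sha256.Sum256(append(prev[:], canon...))
}

// Chain replays events from a starting head and returns the resulting head.
func Chain(start [32]byte, events []AuditEvent) [32]byte {
	cur := start
	for _, ev := range events {
		cur = Link(cur, ev)
	}
	return cur
}

// Verify is the examiner's offline step: replay the chain from the archived events,
// confirm it ends at the stated checkpoint, then check HASP's signature over that
// checkpoint with the published public key. Nothing here contacts HASP.
func Verify(pkg Package, pub ed25519.PublicKey) error {
	if head := Chain(pkg.PrevCheckpoint, pkg.Events); head != pkg.Checkpoint {
		return fmt.Errorf("recomputed chain head %x does not match checkpoint %x", head, pkg.Checkpoint)
	}
	if !ed25519.Verify(pub, pkg.Checkpoint[:], pkg.Signature) {
		return fmt.Errorf("checkpoint signature does not verify against the published key")
	}
	return nil
}
```

An edited event, a broken link to the previous night's checkpoint, or a signature from any key other than the published one all fail `Verify`, which is the property the examiner is relying on.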

Why this survives governance

  • HIPAA's Audit Controls standard asks for mechanisms, not policies.

    45 CFR 164.312(b) calls for technical, implementable mechanisms — not statements that logs should be kept. HHS Office for Civil Rights enforcement actions have cited logs that lacked integrity controls, logs administrators could delete, and timestamps the operator controlled. The mechanism is what's enforceable; the policy is not.

  • Self-attestation collapses in contested situations.

    When a payer audits, when OCR opens an inquiry, when a patient alleges a breach — you cannot use your own systems to prove the integrity of your own records. Independent verification by the examiner, on their hardware, is the difference between a tamper-evident trail and one that could have been edited.

  • Admissibility, not presentability.

    A signed export plus a reproducible verification recipe makes the package something a regulator can accept on its own terms — not a screenshot you have to defend.
