Audit trails and compliance

This document explains how Verify creates audit records and how they support compliance requirements.

What gets recorded

Every significant action in Verify creates an audit record:

Records are immutable. Once created, they cannot be modified or deleted.

The audit chain

Each production change has a complete chain:

Intent Approved → Implementation Created → Verification Passed → Merged
     ↓                    ↓                       ↓               ↓
 Spec record         Commit SHA            Results record    Merge record
 (who, when,         (what code)           (what passed)    (final state)
  what intent)

This chain answers compliance questions:

• What was intended? → Spec record

• Who approved it? → Approval record

• What was built? → Commit reference

• Was it verified? → Verification record

• What was checked? → Results detail

Segregation of duties

Compliance frameworks often require segregation of duties—the person who writes code shouldn’t be the only one who approves it.

Verify enforces this naturally:

The author and approver are tracked separately. If allow_self_approval is disabled (default), authors cannot approve their own specs.

This is stronger than traditional code review, where a reviewer might “approve” a PR they also committed to.

Traceability

Every production change links back to:

• An approved spec (the intent)

• A verification result (the proof)

• External references (tickets, requirements)

If an auditor asks “why was this change made?”, you can show:

1. The spec that described the intent

2. Who approved that intent

3. Verification proving the implementation matches

4. The ticket or requirement that motivated it

Compliance framework mapping

SOC 2

ISO 27001

HIPAA

Generating compliance reports

On-demand export

1. Go to Verify → Audit

2. Filter by date range, repository, or author

3. Click Export

4. Choose format: JSON, CSV, or PDF

PDF reports are formatted for auditor review.

Scheduled reports

Configure automatic exports in Verify → Settings → Scheduled Reports:

• Weekly or monthly frequency

• Filtered by criteria

• Delivered via email or webhook

What’s included

Reports include:

• All spec approvals in the period

• All verification runs and results

• Actor information (who did what)

• Timestamps

• Result details

Retention

Audit records are retained indefinitely by default.

For specific retention requirements, contact support to configure:

• Retention period

• Archival policies

• Data export before deletion

Immutability

Audit records cannot be:

• Modified after creation

• Deleted by users

• Backdated

This ensures audit trails are trustworthy. What you see is what happened.

What Verify doesn’t do

Verify provides audit trails for code changes. It doesn’t:

• Replace your ticketing system

• Provide runtime audit logs

• Track infrastructure changes

• Monitor production access

Integrate Verify with your other compliance tools for complete coverage.

See also

• How to export audit logs

• Reference: Configuration options

• Why intent-driven verification