Security & trust

Immutable means immutable.

A compliance platform earns exactly as much trust as its weakest guarantee. Attrace's guarantees are cryptographic, not contractual — built into the architecture from day one, because they can't be bolted on later.

The trust layer

Four guarantees.

Tamper-evident hash chain

Every ledger entry — import, mapping, validation, review, approval, submission, auditor access — carries a SHA-256 hash computed over its contents and the hash of the previous entry. Alter any historical record and every subsequent hash breaks. The chain can be independently recomputed by your auditor, or by you.
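The recomputation an auditor would run over such a chain, as an added example that is not Attrace's code. The field names, the canonical-JSON encoding, the all-zero genesis value and the externally held head hash are assumptions made for illustration. It also shows why internal consistency alone is not enough: a chain re-hashed end to end after an edit links cleanly, and is caught only by comparing the head against a copy anchored outside the ledger.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry

# Constructed sample contents, using entry kinds named on the page.
KINDS = ("import", "mapping", "validation", "review", "approval")
SAMPLE = [{"kind": k, "seq": i, "amount": 100} for i, k in enumerate(KINDS)]

def entry_hash(contents, prev_hash):
    # Canonical JSON (sorted keys, fixed separators) so equal contents hash equally.
    payload = json.dumps({"contents": contents, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append(ledger, contents):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"contents": contents, "prev": prev,
                   "hash": entry_hash(contents, prev)})

def build(contents_list):
    ledger = []
    for contents in contents_list:
        append(ledger, dict(contents))  # copy so later edits don't touch the input
    return ledger

def first_break(ledger):
    """Recompute every link; return the index of the first bad entry, or None."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or entry_hash(e["contents"], prev) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def verify(ledger, trusted_head):
    # Intact only if every link holds AND the head matches the copy held elsewhere.
    return (bool(ledger) and first_break(ledger) is None
            and ledger[-1]["hash"] == trusted_head)

if __name__ == "__main__":
    ledger = build(SAMPLE)
    head = ledger[-1]["hash"]              # kept outside the ledger database
    edited = build(SAMPLE)
    edited[1]["contents"]["amount"] = 999  # historical record altered in place
    print("in-place edit, first bad entry:", first_break(edited))
    # Same edit, but every later hash recomputed by whoever made it.
    forged = build([dict(c, amount=999) if c["seq"] == 1 else c for c in SAMPLE])
    print("re-hashed chain:", first_break(forged), verify(forged, head))
```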

Trusted timestamps

Entries are timestamped under RFC 3161 by an independent timestamping authority — legally admissible proof that a record existed at a point in time, not just a database column claiming it did.

Digital signatures

Approvals are signed, not clicked. Biometric confirmation on mobile binds a specific person to a specific document version — the approval chain holds up because each link in it does.

Time-scoped external access

Auditor access is read-only, scoped to engagement entities and periods, and expires automatically. Every access event is itself written to the ledger — the audit trail includes its own audience.

Platform security

The unglamorous list, done properly.

Encryption

TLS 1.2+ in transit, AES-256 at rest. Enterprise customers can bring their own keys (BYOK), keeping key custody inside the firm.

Data residency

UK-only or EU-only residency options on Enterprise — submission data, evidence and ledger entries stay in the jurisdiction you choose.

Tenant isolation

Strict per-firm data isolation enforced at the database layer with row-level security — designed for regulated multi-tenancy, not retrofitted to it.

Access control

Role-based permissions mirror the approval chain — preparers prepare, reviewers review, approvers sign. SSO and enforced MFA for every account.

GDPR

UK and EU GDPR compliant, with data processing agreements as standard for every customer and documented sub-processor lists.

Availability

Deadline-critical software gets deadline-critical operations — monitored around the clock, with status transparency and tested recovery procedures.

Certification roadmap

SOC 2, in the open.

Attrace is built to SOC 2 Type II control standards from the start, with certification targeted within 18 months of launch. Enterprise customers get evidence sharing along the way — control documentation, penetration test summaries and audit progress, not a "trust us" page.

  • Controls designed against SOC 2 criteria from day one
  • Independent penetration testing before general availability
  • Evidence shared with Enterprise customers during certification

Trust report

Wayfield AM · generated 9 Jun

  • Ledger integrity: Full chain · 8,214 entries (INTACT)
  • Encryption: AES-256 · BYOK active (ACTIVE)
  • Residency: UK-only (ENFORCED)
  • SOC 2 Type II: Controls in observation (IN PROGRESS)

"Audit log immutability needs to be real, not theatrical. Cryptographic guarantees take careful design — which is why they're the first thing we designed."
From the Attrace product principles

Put it to the test

Watch the chain build itself.

Every action you take in the demo writes a hashed ledger entry, live.