HelixGate's audit system is not an afterthought. It is enforced at the database layer — no application code, no administrator, no engineer can alter what happened. When auditors arrive, your evidence is already there — structured, timestamped, and tamper-proof.
Audit records are protected by database constraints, not application code. No process — not even a database administrator — can modify or delete what was recorded. This is physical immutability, not policy.
Every action is tied to an authenticated identity, a timestamp, an IP address, and a user agent. Not just 'what changed' but 'who did it, from where, and when.'
One unified audit trail across all nine governance modules. Business case approvals, supplier changes, contract renewals, ADR decisions, AI governance actions — all in one searchable, filterable stream.
Audit evidence for SOC 2 and ISO 27001 is generated as a byproduct of normal governance work. When auditors ask for proof, it already exists — you don't reconstruct it.
Generate audit evidence on demand. Every governance action across all modules is already recorded, attributed, and immutable. No more pre-audit scrambles.
Structured, tamper-proof evidence that proves governance processes were followed. Database-level enforcement, not just application-level assertions.
Every state change logged with actor, timestamp, IP, and user agent. Separation of duties enforced. No administrator bypass possible.
HelixGate's immutability is not a feature toggle — it is an architectural constraint. The same database rules that prevent tampering also generate the evidence trail that SOC 2 and ISO 27001 auditors require.
Database-layer immutability. Audit tables have no UPDATE or DELETE grants at any role level. PostgreSQL row-level constraints enforce append-only behaviour. No application code — regardless of privilege level — can bypass these constraints. The immutability is enforced by the database engine itself, not by application-layer access controls.
SOC 2 controls addressed. CC7.2 (system monitoring) — every state-changing operation is logged with actor, timestamp, IP, and outcome. CC7.3 (evaluate security events) — the audit stream provides a searchable, filterable record of all governance actions for security event analysis. CC1.2 (board oversight) — audit evidence can be generated on demand for governance reporting to boards and committees.
ISO 27001 Annex A references. A.12.4.1 (event logging) — all governance events are logged with structured metadata. A.12.4.2 (protection of log information) — audit records are protected by database-level constraints that prevent modification or deletion. A.12.4.3 (administrator and operator logs) — administrator actions are logged to the same immutable audit trail as all other actions, with no special bypass available.
GDPR Article 17 handling. Right to erasure is managed through structured retention policies and soft-delete patterns on core tables, while the audit trail itself is preserved for compliance. Personal data subject to erasure is handled through the retention management system — not by deleting audit records.
Separation of duties. The system enforces that submitters cannot approve their own records — ADRs, business cases — at the database constraint level. This is not a UI restriction; it is a server-side enforcement that cannot be bypassed by any user, including platform administrators.
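The two database-level mechanisms described above (an append-only audit table with no UPDATE or DELETE grants, and a submitter-cannot-approve rule enforced as a constraint) can be illustrated with plain PostgreSQL DDL. The following is an added example written for this page, not HelixGate's own schema; the table and column names, the roles `app_rw` and `app_audit_ro`, and the trigger function are all assumptions. It also assumes, as any such design must, that the application and day-to-day administrator roles are not PostgreSQL superusers, since a superuser can bypass grants and disable triggers.

```sql
-- Added example (not HelixGate's schema). Roles app_rw and app_audit_ro are hypothetical.
-- Run as the schema owner; assumes the roles already exist and are NOT superusers.

-- 1. The audit table: every row carries actor, time, origin and outcome.
CREATE TABLE audit_event (
    id           bigserial   PRIMARY KEY,
    occurred_at  timestamptz NOT NULL DEFAULT now(),
    actor_id     text        NOT NULL,           -- authenticated identity
    actor_ip     inet,                           -- client address
    user_agent   text,                           -- client user agent
    module       text        NOT NULL,           -- e.g. 'adr', 'business_case'
    entity_type  text        NOT NULL,
    entity_id    text        NOT NULL,
    action       text        NOT NULL,           -- e.g. 'submit', 'approve'
    outcome      text        NOT NULL CHECK (outcome IN ('success', 'denied', 'error')),
    payload      jsonb                           -- structured before/after detail
);

-- 2. Grants: the application may append and read; auditors may only read.
--    No role is granted UPDATE, DELETE or TRUNCATE on the table.
REVOKE ALL ON audit_event FROM PUBLIC;
GRANT INSERT, SELECT ON audit_event TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE audit_event_id_seq TO app_rw;
GRANT SELECT ON audit_event TO app_audit_ro;

-- 3. Belt and braces: a trigger that rejects any rewrite of history, so a
--    privilege granted later by mistake still cannot change recorded events.
CREATE OR REPLACE FUNCTION audit_event_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only: % is not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_event_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_append_only();

CREATE TRIGGER audit_event_no_truncate
    BEFORE TRUNCATE ON audit_event
    FOR EACH STATEMENT EXECUTE FUNCTION audit_event_append_only();

-- 4. A governed record with separation of duties enforced by a CHECK constraint,
--    and a soft-delete column so erasure never touches audit_event itself.
CREATE TABLE adr (
    id           bigserial   PRIMARY KEY,
    title        text        NOT NULL,
    submitted_by text        NOT NULL,
    approved_by  text,
    status       text        NOT NULL DEFAULT 'draft'
                 CHECK (status IN ('draft', 'submitted', 'approved', 'rejected')),
    deleted_at   timestamptz,                    -- soft delete; row is never removed
    -- The approver can never be the submitter, whatever the UI or API allowed.
    CONSTRAINT adr_separation_of_duties
        CHECK (approved_by IS NULL OR approved_by <> submitted_by),
    -- An approved record must name its approver.
    CONSTRAINT adr_approved_has_approver
        CHECK (status <> 'approved' OR approved_by IS NOT NULL)
);
GRANT SELECT, INSERT, UPDATE ON adr TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE adr_id_seq TO app_rw;

-- 5. Exercising the rules as the application role (constructed sample data).
SET ROLE app_rw;

INSERT INTO adr (title, submitted_by, status)
VALUES ('Adopt event sourcing for billing', 'alice', 'submitted');

INSERT INTO audit_event (actor_id, actor_ip, user_agent, module, entity_type, entity_id, action, outcome, payload)
VALUES ('alice', '203.0.113.10', 'Mozilla/5.0 (constructed)', 'adr', 'adr', '1', 'submit', 'success',
        '{"status": {"from": "draft", "to": "submitted"}}');

-- Self-approval violates adr_separation_of_duties and is rejected by the engine.
-- UPDATE adr SET approved_by = 'alice', status = 'approved' WHERE id = 1;

-- Approval by a different identity satisfies both CHECK constraints.
UPDATE adr SET approved_by = 'bob', status = 'approved' WHERE id = 1;

-- Any attempt to alter the audit record fails twice over: no UPDATE/DELETE grant,
-- and the trigger would raise even if one were granted.
-- UPDATE audit_event SET actor_id = 'bob' WHERE id = 1;
-- DELETE FROM audit_event WHERE id = 1;

RESET ROLE;
```

Two design points are worth noting. The grants and the trigger are independent layers: revoking UPDATE/DELETE stops the ordinary case, while the trigger catches a later mis-granted privilege and also covers TRUNCATE, which is not governed by the row-level grants. The separation-of-duties rule lives in a CHECK constraint rather than in application logic, so it holds for every code path that writes the table, including direct SQL by an operator, with only the superuser able to drop it; keeping routine roles non-superuser is what makes the "no administrator bypass" property real in a PostgreSQL deployment.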
Every business case approval is recorded in the immutable audit trail — from submission through stakeholder sign-off to executive decision. Complete investment governance evidence, always available.
Architecture decisions flow through a seven-phase governed lifecycle. Every phase transition, every reviewer action, and every panel decision is captured in the same immutable audit stream.
AI system registrations, risk assessments, and compliance decisions are all logged to the audit trail — providing the evidence that EU AI Act and internal AI governance frameworks require.
No. Audit tables are protected by database-level constraints that prevent UPDATE and DELETE operations. This applies to every user role, including platform administrators and database administrators. The immutability is architectural, not policy-based.
Personal data in core tables is managed through structured retention policies and soft-delete patterns. The audit trail records that an action occurred and who performed it, but personal data subject to erasure is handled through the retention management system — not by deleting audit records.
The audit system is designed to satisfy SOC 2 Type II (CC7.2 system monitoring, CC7.3 security event evaluation), ISO 27001 Annex A (A.12.4.1 event logging, A.12.4.2 log protection), and UK GDPR Article 17 requirements. Evidence is generated automatically as governance actions occur.
Book a demo and we'll show you the audit trail in action — live, not screenshots.