Financial Services & Compliance

You operate under regulatory oversight. Auditors ask questions. Evidence must be complete, unaltered, and independently verifiable.

What decisions matter here?

In financial services, decisions carry legal weight:

Who accessed what data? Customer records, transaction history, account balances.
What policy was in effect? At the moment of access, what rules governed the decision?
Can you prove it wasn’t altered? Months later, can you demonstrate the audit record is intact?
Who changed the policy? When entitlements shifted, who authorized it and why?

These aren’t just technical questions. They’re compliance obligations.

What goes wrong today?

Reconstructed audit trails Auditor asks for access logs from Q2. You export from three databases, correlate timestamps, and produce a spreadsheet. The auditor asks: “How do I know this wasn’t edited after the fact?”

Policy version ambiguity “What policy was active on March 15th at 2:14 PM?” You check the git history, cross-reference deployment logs, and estimate. The answer is “probably this version.”

Manual attestation Compliance team manually certifies that controls are in place. The certification is a document, not a technical verification. If the system drifts, the document is wrong.

Sensitive data in logs Audit logs contain PII. To share evidence, you redact. The redacted version can’t be verified against the original. Trust me, you say.

What Hexarch changes structurally

Tamper-Evident Audit Chains

From the cryptographic hash linking in AuditLog:

interface AuditLog {
  id: string;
  entry_hash: string;      // SHA-256 of this record
  prev_hash: string;       // Hash of previous record
  merkle_root: string;     // Commitment to all fields
  signature?: string;      // Authority signature
}

Each audit record commits to the previous record. Alter any record, and every subsequent hash breaks. The verify_chain() function returns ok: false the moment tampering is detected.

Before: “We logged it” (trust us) After: “Here’s the chain, verify it yourself”

Policy Version Pinning

From the LifecycleHistoryEntry in ApiVersion:

interface LifecycleHistoryEntry {
  from: LifecycleState;
  to: LifecycleState;
  timestamp: string;
  actor: string;
  reason?: string;
}

Every policy state change is recorded with who made it and why. On March 15th at 2:14 PM, the active policy was version X. The history is immutable.

Before: “Check the git log and deployment timestamps” After: “Policy history is in the audit chain with cryptographic proof”

Selective Disclosure

From the Merkle proof verification model:

When sharing evidence with auditors, you don’t have to expose everything. Merkle proofs let you reveal specific fields while proving they were part of the original record:

Show the actor_id and decision without the full request payload
Prove a timestamp without exposing internal identifiers
Satisfy audit requirements without leaking PII

Before: Full log or redacted log (unverifiable) After: Partial disclosure with cryptographic proof of membership

Immutable Decision Records

From the PolicyDecision stream event:

interface PolicyDecision {
  id: string;
  timestamp: string;
  decision: 'ALLOW' | 'DENY';
  reason: string;
  matchedPolicies: string[];
  entry_hash: string;
}

Every authorization decision is recorded with the policies that produced it. The hash links it to the chain. Months later, you can prove exactly what decision was made and why.

Before: “The log says access was denied” After: “Here’s the signed, hash-linked decision record with the policy version”

Compliance Mapping

Requirement	Traditional Approach	Hexarch Approach
Access logging	Database logs, log aggregation	Hash-chained audit events
Policy documentation	Word documents, wikis	Policy history in audit chain
Change management	Ticketing systems, approvals	Justification in audit records
Evidence retention	Database backups	Immutable chain with 90-day archival
Third-party audit	Export logs, attestation	Verifiable evidence bundles
Data minimization	Full logs or redacted (unverifiable)	Selective disclosure via Merkle proofs

The 90-Day Archival Note

From the AuditLogs.tsx component:

// Compliance note: Logs older than 90 days are archived to long-term storage
// per SOC2 retention requirements

The system acknowledges regulatory retention requirements. Older records are archived, not deleted. The chain remains verifiable.

Try It

Proof Demo — generate a decision and export verifiable evidence
Cryptographic Audit Chains — how hash linking works
Audit & Compliance Posture — evidence lifecycle and export