Use Case | March 15, 2025

Auditor-Ready Exports

One-click exports with cryptographic verification proofs attached — your auditors verify integrity without touching your infrastructure.


The audit export problem

When your SOC 2 auditor, enterprise customer, or regulator asks for an audit trail, you face a trust problem. You hand them a CSV or JSON export. They have no way to verify that the file contains the complete, unmodified record.

Could you have filtered out inconvenient events? Could a bug have deleted records? Could someone have altered a timestamp? The answer to all of these is: technically yes — and your auditor knows it.

This is why SOC 2 and ISO 27001 controls require not just that you have logs, but that you can demonstrate those logs have integrity. Most teams pass this control by arguing "we have access controls on the database." unTamper makes it mathematically verifiable instead.

How unTamper exports work

Every unTamper export includes the full event chain with hashes. The export format includes:

  • Canonical event payload — the exact data that was hashed
  • Event hash — SHA-256 of the canonical payload + previous hash
  • Previous hash — reference to the preceding event in the chain
  • Chain position — sequence number for easy verification

An auditor (or your own tooling) can verify the export by walking the chain and recomputing each hash. This works completely offline, with no access to your infrastructure.

Export formats

JSON export — best for programmatic verification:

{
  "exportedAt": "2025-03-15T10:00:00Z",
  "projectId": "proj_abc123",
  "events": [
    {
      "id": "evt_001",
      "hash": "sha256:abc...",
      "prevHash": "sha256:xyz...",
      "actor": { "id": "user_admin", "type": "admin" },
      "action": "role.grant",
      "target": { "id": "user_456", "type": "user" },
      "timestamp": "2025-03-14T09:23:11Z",
      "metadata": { "role": "billing_admin" }
    }
  ],
  "chainVerification": {
    "status": "verified",
    "totalEvents": 1,
    "chainIntact": true
  }
}

CSV export — best for spreadsheet review with hash columns included.

Verification by your auditor

Your auditor doesn't need your credentials or access to your database. They need:

  1. The export file you provide
  2. Read-only API access (a scoped read key is sufficient)

With those, they verify the chain directly using the SDK:

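import { UnTamperClient } from 'untamper-sdk'

// Placeholder environment variable names; supply your own project ID and scoped read key
const PROJECT_ID = process.env.UNTAMPER_PROJECT_ID
const AUDITOR_READ_KEY = process.env.UNTAMPER_AUDITOR_READ_KEY

const client = new UnTamperClient({ projectId: PROJECT_ID, apiKey: AUDITOR_READ_KEY })
await client.initialize()

// Fetch the logs, then verify the chain
const { logs } = await client.logs.queryLogs({ limit: 50000 })
const result = await client.verification.verifyLogs(logs)

// result.valid === true  →  chain intact, 0 breaks
// result.brokenAt        →  sequence number of first break if any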

What this gives you

The ability to say "here is our audit log, and here is a mathematical proof that it is complete and unmodified" — to any auditor, at any time, without giving them infrastructure access.

Filtering exports for scope

Not every audit requires the full log. You can scope exports to specific time windows, actors, actions, or target resources:

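# Export admin actions for Q1 2025
# --fail keeps an HTTP error body out of the audit file; the JSON body needs an explicit Content-Type
curl --fail "https://app.untamper.com/api/v1/logs/export" \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "json",
    "filters": {
      "actorType": "admin",
      "dateFrom": "2025-01-01",
      "dateTo": "2025-03-31"
    }
  }' > q1_admin_audit.json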

Scoped exports include chain position metadata so auditors can verify that the exported subset is contiguous and unmodified within the full chain.
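
The offline chain walk and the contiguity check for scoped exports described above, as an added example that is not unTamper's own code. The canonical form (sorted-key JSON), the hash construction, and the `sequence` field name are assumptions, since the page does not specify them.

```javascript
// Added example: offline verifier for a hash-chained export (not unTamper's code).
// ASSUMPTIONS: canonical form is sorted-key JSON of PAYLOAD_FIELDS, hash is
// "sha256:" + hex(SHA-256(prevHash + canonical)), position is a hypothetical `sequence`.
const { createHash } = require('node:crypto');
const PAYLOAD_FIELDS = ['id', 'actor', 'action', 'target', 'timestamp', 'metadata'];

// Deterministic JSON: object keys sorted recursively.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function eventHash(event, prevHash) {
  const payload = Object.fromEntries(PAYLOAD_FIELDS.map((f) => [f, event[f] ?? null]));
  return 'sha256:' + createHash('sha256').update(prevHash + canonicalize(payload)).digest('hex');
}

// Walks the export in order; returns the first problem found, or { valid: true }.
function verifyExport(events) {
  for (let i = 0; i < events.length; i++) {
    const e = events[i];
    if (i > 0) {
      const prev = events[i - 1];
      if (e.sequence !== prev.sequence + 1) return { valid: false, brokenAt: e.sequence, reason: 'gap' };
      if (e.prevHash !== prev.hash) return { valid: false, brokenAt: e.sequence, reason: 'prevHash mismatch' };
    }
    if (eventHash(e, e.prevHash) !== e.hash) return { valid: false, brokenAt: e.sequence, reason: 'hash mismatch' };
  }
  return { valid: true, count: events.length };
}

// Constructed sample chain (not real export data), starting mid-chain like a scoped export.
function buildSample() {
  const events = [];
  let prevHash = 'sha256:' + '0'.repeat(64);
  ['role.grant', 'role.revoke', 'key.rotate'].forEach((action, i) => {
    const e = { id: `evt_00${i + 1}`, sequence: 41 + i, prevHash, action,
      actor: { id: 'user_admin', type: 'admin' }, target: { id: 'user_456', type: 'user' },
      timestamp: `2025-03-14T09:2${i}:11Z`, metadata: {} };
    e.hash = eventHash(e, prevHash);
    prevHash = e.hash;
    events.push(e);
  });
  return events;
}
```

These checks catch edits, reordering and removals inside the exported range. The first event's `prevHash` and the last event's hash still have to be compared against values obtained independently of the file, because a chain that was rewritten end to end or truncated at the tail is self-consistent.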

Who this is for

  • Teams undergoing SOC 2 Type I or Type II audits
  • Products with enterprise contracts requiring verifiable audit trail exports
  • Applications in regulated industries (healthcare, finance, legal) with mandatory audit requirements
  • Any team that has been asked "can you prove this log hasn't been modified?" and wants a better answer than "trust us"