CauseFlow is built to support compliance requirements for engineering and operations teams. This page covers the audit trail, SOC 2 readiness controls, GDPR/LGPD alignment, and how to report security vulnerabilities.

Audit trail

Every action taken in CauseFlow — by users, AI agents, or automated processes — is recorded in an immutable audit log.

Coverage

CauseFlow tracks 67 action types across 8 categories:
| Category | Examples |
| --- | --- |
| tenant.* | Tenant created, configuration changed |
| incident.* | Incident created, severity updated, status changed |
| investigation.* | Investigation started, agent dispatched, findings submitted |
| remediation.* | Remediation proposed, approved, rejected, executed |
| credential.* | STS credentials issued, revoked |
| auth.* | User signed in, token issued, API key created or revoked |
| github.* | GitHub installation connected, PR created |
| notification.* | Alert sent, approval request delivered |

Tamper-proof hash chain

Each audit record includes a SHA-256 hash that chains to the previous record. Modifying any record — even retroactively — breaks the chain and is immediately detectable.
    Record N-1: { ..., hash: "abc123" }
          └── SHA-256(Record N-1 hash + Record N content) = "def456"
    Record N:   { ..., prev_hash: "abc123", hash: "def456" }

You can verify chain integrity at any time from Dashboard > Audit > Verify integrity.

Exporting the audit trail

Export your audit trail for SIEM integration or compliance reporting:
  1. Go to Dashboard > Audit.
  2. Click Export.
  3. Select a date range and click Download.
Exports are in NDJSON format (one JSON object per line), suitable for ingestion into Splunk, Datadog, Elastic, or any log management platform.
Export your audit trail regularly for compliance reporting. Automate exports using the Audit API for continuous SIEM ingestion.
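To show how the hash chain above can be checked outside the dashboard, here is an added example (not CauseFlow's own code) that verifies an NDJSON export line by line. It assumes a record's "content" is its JSON with the hash and prev_hash fields removed, serialized with sorted keys, and that the first record chains from an empty previous hash; CauseFlow's real serialization may differ, so treat the canonicalization as an assumption. The sample records and action names are constructed for the example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Assumed canonical form: every field except the chain fields, sorted keys, no whitespace.
def record_content(rec: dict) -> str:
    body = {k: v for k, v in rec.items() if k not in ("hash", "prev_hash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":"))

# Mirrors the page's rule: SHA-256(previous record hash + this record's content).
def expected_hash(prev_hash: str, rec: dict) -> str:
    return hashlib.sha256((prev_hash + record_content(rec)).encode()).hexdigest()

def verify_chain(ndjson: str, genesis_prev: str = "") -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every record links and hashes correctly,
    else (False, index_of_first_bad_record)."""
    prev = genesis_prev
    for idx, line in enumerate(ndjson.splitlines()):
        if not line.strip():
            continue
        rec = json.loads(line)
        # Both checks matter: a stored prev_hash that matches the prior record
        # does not prove this record's own content is what was hashed.
        if rec.get("prev_hash", "") != prev or rec.get("hash") != expected_hash(prev, rec):
            return False, idx
        prev = rec["hash"]
    return True, None

# Constructed sample records (action names are illustrative, not CauseFlow's identifiers).
SAMPLE_ACTIONS: List[dict] = [
    {"seq": 1, "action": "incident.created", "actor": "user:alice", "incident_id": "inc-001"},
    {"seq": 2, "action": "incident.severity_updated", "actor": "agent:triage",
     "incident_id": "inc-001", "severity": "high"},
    {"seq": 3, "action": "credential.issued", "actor": "system", "scope": "investigation:inv-17"},
]

def build_export(records: List[dict]) -> str:
    """Produce a well-formed NDJSON chain from unchained records (test fixture)."""
    prev, lines = "", []
    for rec in records:
        rec = dict(rec, prev_hash=prev)
        rec["hash"] = expected_hash(prev, rec)
        lines.append(json.dumps(rec, sort_keys=True))
        prev = rec["hash"]
    return "\n".join(lines)

def tampered_export(ndjson: str) -> str:
    """Retroactively downgrade the severity in record 1 without re-hashing it."""
    lines = ndjson.splitlines()
    rec = json.loads(lines[1])
    rec["severity"] = "low"
    lines[1] = json.dumps(rec, sort_keys=True)
    return "\n".join(lines)
```

Re-hashing the edited record would not help an attacker either: the next record's prev_hash would then no longer match, so the break simply moves one record later.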

SOC 2 readiness

CauseFlow implements controls aligned with SOC 2 Trust Services Criteria across all five categories.
| Trust Services Criteria | Controls in place |
| --- | --- |
| Security | RBAC, JWT authentication, API key management, rate limiting, input validation, CORS restrictions |
| Availability | Health endpoints, multi-region infrastructure, rate limiting to prevent abuse |
| Processing Integrity | Zod input validation at all boundaries, immutable audit trail, HMAC webhook verification |
| Confidentiality | KMS envelope encryption, tenant data isolation, temporary credentials, TLS in transit |
| Privacy | PII masking via Relay, right to deletion, data processing agreements, minimum-permission agents |
For SOC 2 audit support — evidence packages, control documentation, or auditor questionnaires — contact security@causeflow.ai.

GDPR and LGPD

CauseFlow’s architecture is designed around data minimization and purpose limitation — the same principles underpinning GDPR and LGPD.
| Requirement | How CauseFlow addresses it |
| --- | --- |
| Data minimization | AI agents access only the data needed for the specific investigation task |
| Purpose limitation | Credentials are scoped to investigation tasks and revoked immediately after |
| Right of access | All investigation data is accessible via the dashboard and API |
| Right to erasure | Full tenant data deletion available on request (30-day SLA) |
| Data processing agreements | Available on request |
| PII protection | Relay masking prevents raw PII from leaving your infrastructure |
Data residency: CauseFlow infrastructure is hosted on AWS. Contact sales@causeflow.ai if you have specific data residency requirements for Enterprise plans. For data processing agreements, DPA templates, or privacy impact assessments, contact privacy@causeflow.ai.

Responsible disclosure

CauseFlow takes security vulnerabilities seriously. If you discover a security issue, please report it responsibly. How to report:
  1. Email security@causeflow.ai with a description of the vulnerability.
  2. Include steps to reproduce, the potential impact, and any supporting evidence (screenshots, logs, proof-of-concept code).
  3. Do not publicly disclose the issue until CauseFlow has had reasonable time to investigate and remediate.
What to expect:
  • Acknowledgement within 2 business days
  • Status updates every 5 business days during investigation
  • Credit in our security acknowledgements (if desired) upon resolution
CauseFlow does not operate a formal bug bounty program at this time, but we genuinely appreciate responsible disclosure and will recognize contributors who help improve our security.
For non-security support issues, contact support@causeflow.ai or use the in-dashboard help widget.