AI governance evidence ledger

Evidence your AI can’t un‑write.

Provara seals every AI decision into a tamper‑evident ledger, witnesses it nightly into write‑once storage, and turns it into signed evidence packets your auditors can verify — without trusting anyone, including us.

Built for the EU AI Act’s August 2026 high‑risk obligations · ISO/IEC 42001 · NIST AI RMF · SOC 2

“Show us every decision your AI made about this person — and prove the records weren’t edited afterwards.”

The question regulators and plaintiffs now ask. Ordinary logs — editable, scattered, unverifiable — are treated as no evidence at all. Sealed history can’t be created retroactively: every week un‑instrumented is history you can never prove.

A flight recorder for your AI

Four steps, fully automatic. Your engineers change two lines of code; your compliance team changes nothing.

  1. CAPTURE

    A two-line SDK records every AI event — model calls, outputs, human overrides. Metadata only: your prompts and customer data never leave your systems.

  2. SEAL

    Each record is cryptographically chained to the one before it, like numbered pages in a sealed notebook. Edits don't get hidden — they get exposed.

  3. ANCHOR

    Every night the chain is re-verified and witnessed into write-once storage that nobody — including Provara — can alter for seven years.

  4. PROVE

    One click exports a signed evidence packet, pre-mapped to the regulation it satisfies and verifiable against our published key.

from provara_sdk import Provara

# `provara` is an already-configured Provara instance; its construction is not shown here.
async with provara.record("claims-triage-llm", "model.invocation"):
    result = await llm(...)        # that's the integration

Python and TypeScript SDKs. Failure-safe by design: if Provara is unreachable, your AI keeps working and events replay losslessly.
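
The chaining described under SEAL and the witnessing described under ANCHOR, sketched as an added example. This is not Provara's code or record format: SHA-256 over canonical JSON, the field names, the all-zero genesis value and the sample events are assumptions made for illustration. It shows that an in-place edit breaks the chain, while a history rebuilt from scratch is caught only by comparing its head with the separately witnessed value.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev, "hash": digest(prev, event)})
    return chain[-1]["hash"]

def verify(chain, anchored_head=None):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, i, "broken link"
        if digest(prev, rec["event"]) != rec["hash"]:
            return False, i, "content does not match hash"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, None, "head differs from anchored value"
    return True, None, "ok"

def build(events):
    chain = []
    for event in events:
        append(chain, event)
    return chain

def demo():
    # Constructed, metadata-only sample events (types and timestamps are made up).
    events = [{"system": "claims-triage-llm", "type": t, "ts": ts} for t, ts in [
        ("model.invocation", "2026-01-05T09:00:00Z"),
        ("model.output", "2026-01-05T09:00:02Z"),
        ("human.override", "2026-01-05T09:04:10Z")]]
    chain = build(events)
    anchored = chain[-1]["hash"]  # stands in for the nightly witnessed head
    edited = copy.deepcopy(chain)
    edited[2]["event"]["type"] = "model.output"  # in-place edit, stored hashes untouched
    forged = build(events[:2])                   # history rebuilt without the override
    return {"intact": verify(chain, anchored), "edited": verify(edited, anchored),
            "forged, no anchor": verify(forged), "forged, anchored": verify(forged, anchored)}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The rebuilt history verifies cleanly on its own, which is why the head value has to be held somewhere the chain's writer cannot alter.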

Built to pass your security review

The architecture answers the questionnaire before you send it.

  • Single sign-on only

    Your IdP, your groups, your roles — OIDC or SAML 2.0. No Provara passwords exist anywhere.

  • Isolation enforced by the database

    Row-level security keyed to your verified identity. A cross-tenant read returns zero rows even if application code has a bug.

  • Write-only application keys

    Your AI systems authenticate with 24-hour keys that can append events and do nothing else. A leaked key reads nothing.

  • We can't touch your history either

    Ledger writes are append-only at the database layer; nightly seals live in 7-year write-once storage under compliance lock.

  • Your keys, your region

    Encryption at rest on dedicated keys with BYOK, TLS 1.3 only, and single-tenant private deployment for regulated workloads.

  • Verifiable without trusting us

    Evidence packets carry an RS256 signature anyone can check against our published public key. The seal is the proof.

SOC 2 Type II observation in progress · independent penetration test scheduled · evidence for both produced by Provara itself — we are our own first tenant.

Pricing

Annual contracts. Volume grows with your AI footprint; the meter is the ledger itself — unimpeachable by construction.

Enterprise

$60k per year

AI compliance built to pass your first regulatory audit

  • Up to 15 registered AI systems
  • 10M sealed events / month included
  • EU AI Act, ISO 42001, NIST AI RMF, SOC 2 packets
  • SSO (OIDC & SAML 2.0), console, signed attestations
  • Security questionnaire turnaround in days

Regulated

Custom annual contract

For systemically important institutions where compliance is non-negotiable

  • Unlimited AI systems, custom event volume
  • Dedicated cluster, custom data region & retention
  • Supervised auditor portal with escalation SLAs
  • Named support with incident response SLAs
  • Custom regulatory framework mapping

Questions risk teams ask first

Does Provara see our prompts or customer data?

No. The SDK ships metadata — event type, timestamps, system identifiers, redaction statistics. What your AI said and what your customers said stays inside your systems. This is structural, not a policy: the payload your engineers send is the payload we seal.

We already have a governance platform. Why add Provara?

Keep it. Governance platforms document policies, workflows, and attestations. Provara is the sealed system of record those attestations point to — the layer that turns “we assert” into “we can prove.” They get stronger together.

How is this different from our logging stack?

Ordinary logs can be edited by admins or applications, which gives them weak evidentiary value. Provara records are append-only, cryptographically chained, and externally witnessed nightly into write-once storage — alterations don't get hidden, they get exposed.

What does an auditor actually receive?

A signed evidence packet (PDF or machine-readable) summarizing sealed records per regulatory control, with the witness date and a signature verifiable against our published public key. No raw internals, no spreadsheet archaeology.

How long does deployment take?

One AI system is typically sealing events the same day: connect SSO, mint a write-only application key, add two lines of code. Evidence accrues from the first hour — and it can't be backfilled later, which is why teams start before their audit, not during it.

What happens if Provara is unreachable?

Your AI keeps working. The SDK queues events locally and replays them losslessly when connectivity returns. For genuinely high-risk decision paths there's a strict mode that refuses to proceed until the event is sealed — your lawyers may want exactly that.

Start the clock before the regulators do

Tell us about one AI system in a regulated workflow. We’ll show you, on your use case, what sealed evidence looks like — and what your first audit export would contain.

  • 30 minutes, technical, no slideware
  • Security questionnaire turnaround in days, not weeks
  • First system typically sealing the same day
