Keldric gives compliance, engineering, and finance teams a tamper-proof record of every event in their systems — immutable, hash-chained, and regulator-ready in minutes. Not spreadsheets. Not log files. Evidence.
Trusted by compliance and engineering teams
Regulators don't care that your logs were in a spreadsheet, a ticketing tool, or someone's inbox. When the request arrives, you need a verifiable, tamper-evident record — fast.
"We can prove what happened, but we can't prove it wasn't changed after the fact."
Regulatory audits demand evidence chains that demonstrably haven't been altered. Existing tools store logs — but any database admin can edit them. When a regulator asks for your CBAM submission trail or your change history, you need mathematical proof, not a printout.
"Building our own audit system is a week of work every time a new service needs it."
Compliance logging is repetitive infrastructure. Every microservice, every internal tool, every integration needs the same pattern: write event, store before/after state, prove it's unchanged. A single API that does this correctly — with SHA-256 chaining, locking, and verification — shouldn't require your team to reinvent it.
"We spent €80k on a compliance consultant to reconstruct a trail we should have had automatically."
Non-compliance fines, emergency legal work, and consultant-led reconstructions all cost multiples of what prevention costs. CBAM penalties alone can reach 3× the avoided carbon price. A tamper-proof audit trail is now a financial control, not an IT convenience.
Keldric is API-first. You call an endpoint when something happens — a document changes, a calculation runs, a report is submitted. We handle the cryptographic chaining, storage, and verification. Your team ships compliance in days, not months.
// Log a field change — auto-generates diff
await fetch('/api/entries/field-change', {
  method: 'POST',
  // JSON bodies need an explicit content type; fetch defaults to text/plain for strings
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    field_name: 'Status',
    before: 'Draft',
    after: 'Approved',
    resource_type: 'report',
    resource_id: 'RPT-2024-Q3'
  })
});

// Response — sealed and chained immediately
// {
//   entry_id: "a3f8c1d2-...",
//   content_hash: "7d4e9f2a...",
//   chain_hash: "1b8c3e7f...",
//   description: "Field 'Status' changed from \"Draft\" to \"Approved\""
// }
Add a single HTTP call to any event you want to record. Field changes, document edits, calculation runs, approvals, file uploads — anything. The API accepts structured before/after state, generates a human-readable description automatically using our diff engine, and seals the entry with a SHA-256 content hash.
Each entry's hash is computed from its content plus the previous entry's chain hash — creating a linked sequence where altering any historical record invalidates every subsequent hash. Database-level triggers enforce append-only at the SQL layer. Concurrent writes are serialised with row-level locking to prevent chain forks.
When a regulator, auditor, or internal review requests the trail, hit export. You receive a self-contained JSON package with every entry, chain verification embedded, and a SHA-256 package fingerprint. Recipients can independently recompute every hash to confirm nothing was altered in transit or storage. No trust required.
Run a full chain recompute at any time. Every SHA-256 hash is validated against its content and predecessor. Broken links are surfaced immediately with the exact entry and reason.
Mark entries with CBAM, standard, or custom retention classes. Apply legal hold flags to freeze records for litigation or regulatory investigation — enforced at the storage layer.
Export a self-auditing JSON bundle containing every entry, embedded verification, and a package fingerprint. Hand it to a regulator. They can verify it without accessing your systems.
Filter by action type, resource, user, date range, or retention class. Full-text search across descriptions, resource names, and entry IDs. Find any event in seconds.
Pre-built action types for CBAM workflows: IMPORT, CALCULATION_RUN, CALCULATION_APPROVED, REPORT_GENERATED, REPORT_SUBMITTED. Mapped to regulatory evidence requirements out of the box.
Attach PDFs and CSVs to audit entries. Each file's SHA-256 hash is stored as tamper evidence. Database triggers block deletion. Files become permanent, verifiable supporting documents.
POST /entries for general events. POST /entries/diff for document changes with auto-generated descriptions. POST /entries/field-change for lightweight field updates. One integration pattern covers every use case.
Send before and after content — Keldric generates character-level diffs with human-readable descriptions including document location inference (Section X, Clause Y, line N). No description writing required.
HTTP-only cookies, SameSite=Lax, bcrypt cost-12. Sessions are server-side revocable — logout invalidates the token immediately regardless of JWT expiry. Brute force protection via IP rate limiting.
Concurrent writes are serialised with SELECT FOR UPDATE locking on the chain head. No two entries can fork from the same predecessor — even under high-throughput parallel inserts.
Python FastAPI serverless functions behind Vercel's CDN. Zero cold-start configuration. Same domain as the frontend — HTTP-only cookies work natively without CORS complexity.
Full OpenAPI documentation at /api/docs. Every endpoint documented with request/response schemas, example payloads, and live test capability. Disabled in production by default.
CBAM penalties reach 3× avoided carbon price. Legal and consultant reconstruction of audit trails for a single incident commonly exceeds €50k. Keldric's annual cost is a fraction of one incident.
No per-event charges that grow unpredictably with usage. Flat monthly tiers mean a single line in your budget, no surprises when your engineering team runs high-volume integrations.
Self-service upgrades, downgrades, and cancellations via the Stripe customer portal. Annual billing available at 2 months free. Purchase orders and invoicing available for Enterprise.
All data processed and stored in EU regions. Satisfies GDPR Article 28 and data residency requirements for regulated EU firms. No additional configuration or cost required.
All data exportable in standard JSON format at any time. On termination, data remains available for 30 days. You own your data — Keldric is the processor under GDPR Article 28.
Real-time overview of total entries, CBAM-class records, unique users, and chain integrity status. Management-level reporting without requiring technical access to raw audit data.
The audit trail is only as good as the guarantees that protect it. Keldric enforces immutability at every layer — application, database, and cryptographic — so no single point of failure can silently alter your evidence.
PostgreSQL BEFORE UPDATE and BEFORE DELETE triggers raise exceptions on any modification attempt. Even direct database access cannot alter a committed entry. The constraint exists independently of the application layer.
Each entry's chain_hash is computed from its own content hash plus the previous entry's chain hash. Altering any historical record invalidates every subsequent hash — detectable in a single verification pass.
All timestamps are generated by the database using NOW() — never trusted from client input. The timestamp is included in the content hash, making backdated entries cryptographically detectable.
JWT sessions are server-side revocable at logout. IP-based rate limiting blocks brute force at 10 failed attempts per 15 minutes. Constant-time bcrypt prevents timing-based user enumeration.
No per-event charges. No usage surprises. One monthly fee per organisation, billed annually or monthly.
For growing compliance teams with a single application to instrument.
14-day trial · No card required
For mid-market teams managing multiple systems, regulations, or jurisdictions.
14-day trial · No card required
For large regulated organisations, multi-entity groups, and custom deployments.
Typical deployment in under 2 weeks
Keldric stores exactly what you send — action type, resource identifiers, before/after state, and a description. We store nothing about your underlying application or users beyond what you explicitly log. Access is scoped to your authenticated session. Database Row Level Security blocks any anonymous or cross-tenant access at the PostgreSQL layer.
No. PostgreSQL BEFORE UPDATE and BEFORE DELETE triggers raise exceptions on any modification attempt — including from users with direct database access. Even Keldric's own infrastructure team cannot silently alter a committed entry. Any modification attempt is blocked at the database engine level, not just the application layer. The hash chain provides a second independent layer of detection.
The export endpoint returns a self-contained JSON file containing every matching entry, a full chain verification result, and a SHA-256 package fingerprint. A regulator receiving this file can independently recompute every content_hash and chain_hash using only the data in the file — without accessing your systems or trusting Keldric's infrastructure. The package_hash allows them to verify nothing was altered after export.
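A recipient-side recompute of the chain described above, as an added example that is not Keldric's code. The page does not specify the hash input encoding, so this assumes content is hashed as canonical JSON and that chain_hash is SHA-256 over the previous chain_hash concatenated with content_hash, starting from a zero-filled genesis value; `build_chain`, `verify_chain`, `expected_head` and the sample entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: predecessor value used for the first entry


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def content_hash(content):
    # Assumption: content is hashed as canonical JSON (sorted keys, no spaces).
    return sha256_hex(json.dumps(content, sort_keys=True, separators=(",", ":")))


def build_chain(contents):
    """Seal constructed sample contents into a chain (stand-in for the service)."""
    entries, prev = [], GENESIS
    for content in contents:
        c_hash = content_hash(content)
        prev = sha256_hex(prev + c_hash)
        entries.append({"content": content, "content_hash": c_hash, "chain_hash": prev})
    return entries


def verify_chain(entries, expected_head=None):
    """Return [(index, reason)] for each broken link; an empty list means intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(entries):
        if content_hash(entry["content"]) != entry["content_hash"]:
            problems.append((i, "content_hash mismatch"))
        if sha256_hex(prev + entry["content_hash"]) != entry["chain_hash"]:
            problems.append((i, "chain_hash mismatch"))
        prev = entry["chain_hash"]  # continue from the stored value to localise the break
    if expected_head is not None and prev != expected_head:
        problems.append((len(entries) - 1, "head differs from pinned value"))
    return problems


# Constructed sample entries; the timestamp is part of the hashed content.
SAMPLE = build_chain([
    {"action": "IMPORT", "resource_id": "RPT-2024-Q3", "ts": "2024-10-01T09:00:00Z"},
    {"action": "CALCULATION_RUN", "resource_id": "RPT-2024-Q3", "ts": "2024-10-01T09:05:00Z"},
    {"action": "REPORT_SUBMITTED", "resource_id": "RPT-2024-Q3", "ts": "2024-10-02T14:30:00Z"},
])

if __name__ == "__main__":
    print(verify_chain(SAMPLE))
```

Under these assumptions the chain has no keyed component, so a bundle in which every entry was re-sealed still verifies internally; comparing the final chain_hash against a value recorded outside the bundle (the `expected_head` argument) is what catches that case.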
A single-application integration with basic event logging takes under an hour. Most customers are writing audit entries in production within a day. The API has three POST endpoints and requires no SDK — any HTTP client in any language works. We provide an interactive API explorer at /api/docs, example payloads for all CBAM action types, and a dedicated onboarding call on Professional and above.
All data is stored in EU-region PostgreSQL (Supabase). For Enterprise customers, dedicated infrastructure options including bring-your-own-database deployments are available. This satisfies data residency requirements for regulated EU organisations and specific national requirements (Germany, France, Netherlands). Contact sales for infrastructure options.
You'll receive an email before the trial ends. If you choose not to subscribe, your account is suspended and your data is held for 30 days before deletion — exportable at any time during that window. No entries are deleted while your account is active. There is no obligation and no card required to start a trial.
Book a 30-minute demo and we'll walk through your specific compliance requirements, show the integration live, and answer every technical question your team has.
No card required · EU data residency · Cancel anytime