Ship the audit logs enterprise deals demand
Somewhere on your first enterprise procurement checklist, next to SSO and SCIM: audit logs. Your customer wants to see who in their organisation did what in your product. Sigilbase gives you that in an afternoon — append events over an API, share a scoped read-only view, and yours verify cryptographically.
Enterprise buyers require audit logs before they sign. It sits on the security questionnaire next to SSO, and "on the roadmap" reads as "not enterprise-ready".
Building it properly is real work: append-only storage, retention, per-customer scoping, export, and a viewer — a quarter of undifferentiated engineering that wins zero deals on its own.
Logs in your own database are also just rows you could edit. Sophisticated buyers know it, and their security reviewers increasingly ask about it.
The Sigilbase event model, applied to an admin action.
Your application appends events as they happen — one per admin action, attributed to your customer's user.
{
"actor": "user:jmorton@acme",
"action": "member.role_changed",
"occurred_at": "2026-07-14T09:12:44.201133Z",
"resource": "customer:acme/team/settings",
"payload": {
"member": "user:kpatel@acme",
"from_role": "editor",
"to_role": "admin"
}
}
Namespace resources per customer (or run a stream per customer) and every event is scoped from the start.
Each one is hash-chained and sealed into signed checkpoints as it lands, so the log your customer sees is provably the log as written.
Three ways to ship audit logs. Only one is provable.
| Question | Build it yourself | Generic audit-log SDK | Sigilbase |
|---|---|---|---|
| Engineering cost | A quarter, then maintenance forever | Days, plus their pricing curve | An afternoon: one API, your events |
| Per-customer scoped access | Yours to design and secure | Varies | Scoped, expiring, revocable read-only views built in |
| Tamper-evident by construction | Almost never | No, trust the vendor | Hash-chained, sealed, signed; changes fail verification at the exact record |
| Your customer can verify independently | No | No | Yes, exports verify offline with an open-source verifier |
| Survives your vendor disappearing | n/a | No | Yes, exported evidence verifies without Sigilbase |
The audit log that closes the security review.
Most audit-log features end the conversation at "yes, we have them". Sigilbase changes what the feature is: when your enterprise customer's security team reviews you, you hand them audit logs they can check for themselves — a scoped export and a small open-source verifier, no trust in you or in us required. "Our audit logs are cryptographically tamper-evident and independently verifiable" is a sentence none of your competitors' questionnaire answers contain.
The mechanics, today: create a stream (or a resource namespace) per customer; append events from your application over the API; when a customer needs access, issue a scoped, expiring, read-only grant from the dashboard — they get a portal with their events, inclusion proofs, and export. Every grant, view, and revocation lands in your own audit trail, because access to the log is itself logged.
Sigilbase is the audit-log infrastructure underneath your product — the storage, integrity, scoping, and verification. The product surface your users see for day-to-day browsing inside your app remains yours to design; many teams start with grant-issued portals and build inward from there.
Your customers' auditors will ask about these logs too: read the SOC 2 evidence guide
Questions about enterprise audit logs.
Why do enterprise customers require audit logs?
Their security and compliance teams need to see who in their organisation accessed and changed things in your product — for their own SOC 2 and ISO 27001 obligations, incident response, and offboarding checks. It is a standard procurement checklist item alongside SSO and SCIM.
How is this different from logging to my own database?
Rows in your database can be edited by anyone with sufficient access, and nothing would show it. Sigilbase events are hash-chained and sealed into signed checkpoints as they are written; any later modification, deletion, or reordering fails verification at the exact record.
How do I give a customer access to their logs?
Issue a scoped grant from the dashboard: choose the streams or date range, and they receive a read-only portal showing only their events, with export. Grants expire, are revocable, and every access is recorded in your own audit trail.
Can my customer verify the logs without trusting Sigilbase?
Yes. Evidence exports include the events, hashes, checkpoints, and signatures, and verify offline with our open-source verifier in three commands. A tampered export fails naming the exact sequence.
What does it cost to start?
The developer tier is free (one stream, 10,000 events a month). Paid plans start at £79/month. Retention is forever on every plan, and ingestion never stops for billing reasons.
Join the waitlist
Building now. Early access for B2B teams heading into enterprise deals.
Could not save your email. Try again or write to [email protected].
No spam, one email when it opens.