Use case

SOC 2 audit evidence your auditor can verify.

Sigilbase produces SOC 2 audit evidence that stands on its own. It records each control event, such as an access review, as a sealed, chained entry, then exports them as an evidence bundle. Your auditor verifies that bundle offline with a standalone verifier in three commands, without a Sigilbase account or access to your database.

The problem
01

Three months before the audit, your evidence is screenshots and CSV exports no one can prove are complete.

02

Access reviews sit in a ticket system anyone with admin rights could have edited after sign-off.

03

The auditor has to trust that the logs you handed over match what actually happened.

How it maps

The Sigilbase event model, applied to a control.

Sigilbase records each control activity as one event: an actor, an action, and a payload. Here a security lead completes a quarterly access review and revokes two accounts.

POST /v1/events
{
  "actor":  "user:security-lead",
  "action": "access.review.completed",
  "payload": {
    "control":  "CC6.1",
    "scope":    "prod-database",
    "period":   "2026-Q2",
    "accounts": 42,
    "revoked":  ["user:contractor-11", "user:ex-eng-04"]
  }
}
Chain

Sigilbase hashes each control event with SHA-256 and chains it to the previous one, so a review cannot be backdated or edited without breaking every hash after it.

Seal and verify

Sigilbase seals recent events into a signed checkpoint every few minutes, and the standalone verifier recomputes the chain and signatures offline so your auditor never has to take your word for it.

Why provable beats logged

A log records events. Sigilbase makes them provable.

How a standard control log compares with Sigilbase audit evidence.
Question A standard log Sigilbase
Can a review be edited after sign-off? Yes, with system access No, any edit breaks verification
Can the auditor verify without trusting you? No, they rely on your exports Yes, offline with the standalone verifier
Does the evidence hold if the tool is gone? No, it lives in the vendor's system Yes, the evidence bundle verifies on its own
Is each control event sealed and dated? No Yes, in a signed checkpoint
One control, end to end

An access review, from event to auditor sign-off.

Sigilbase turns a single control, a quarterly access review under CC6.1, into evidence an auditor can check unaided. The security lead logs the review, you export the bundle, and the auditor verifies it with three commands.

the auditor, offline
$ sigil-verify ./evidence-bundle.tar
  hash chain ......... ok
  inclusion proofs ... ok
  signatures ......... ok

$ sigil-verify --control CC6.1 ./evidence-bundle.tar
  12 access.review.completed events, all sealed

$ sigil-verify --show 40917 ./evidence-bundle.tar
  access.review.completed  CC6.1  2026-Q2  revoked 2
1. Log the review as an event

Sigilbase records the completed access review as a sealed event: who reviewed, the scope, the period, and which accounts were revoked.

2. Export the evidence bundle

Sigilbase exports the events for the control and period into one evidence bundle, a single file that carries the events, proofs, checkpoints and public keys.

3. The auditor verifies it

The auditor runs the standalone verifier against the bundle, offline, and reads back the sealed access reviews for CC6.1 with no Sigilbase account.

SOC 2 CC-series criteria expect logging with integrity and retention, and ISO 27001 Annex A covers logging and protection of log information. Sigilbase strengthens the integrity of that evidence; it does not grant certification, shortcut the audit, or replace an auditor's judgement.

FAQ

Questions about SOC 2 audit evidence.

What counts as audit evidence for SOC 2?

Audit evidence for SOC 2 is anything that shows a control operated over the audit period, such as access reviews, change approvals and access revocations. Sigilbase records each of these as a sealed event and exports them as an evidence bundle. Because the bundle is chained and signed, it shows not just that the events exist but that the record was not altered.

Can my auditor really verify this without a Sigilbase account?

Yes. The standalone verifier is open source and runs offline, so your auditor checks the evidence bundle with three commands and no account. It recomputes the hash chain, checks the inclusion proofs, and validates the signatures without contacting Sigilbase.

Does Sigilbase make my company SOC 2 compliant?

No. SOC 2 compliance depends on your controls, your scope and an auditor's opinion, none of which a logging tool can provide. Sigilbase strengthens one part of the picture, the integrity and verifiability of your log evidence, and leaves the certification to your auditor.

How does this map to ISO 27001 logging controls?

ISO 27001 Annex A includes controls for logging and for protecting log information from tampering and unauthorised access. Sigilbase addresses the tamper-evidence part directly by chaining and signing each event. Whether your wider logging programme meets the standard is a matter for your information security management system and your certification body.

How long does the evidence stay verifiable?

The evidence bundle stays verifiable for as long as you keep the file, because verification does not depend on Sigilbase staying online. The standalone verifier checks the bundle offline against the public signing keys included in it. You can archive a bundle and re-verify it years later.

Join the waitlist

Building now. Early access for teams preparing SOC 2 or ISO 27001 evidence.

No spam, one email when it opens.

Privacy

Sigilbase is pre-launch. This page collects one thing: an email address, if you choose to join the waitlist.

Waitlist emails are used to send one announcement when access opens, and nothing else. No marketing lists, no sharing, no profiling.

This site runs no analytics or trackers. To protect the waitlist form from automated abuse we use Cloudflare Turnstile, a privacy-preserving challenge from our hosting provider; it may set a temporary cookie for that purpose and is not used to track or profile you. When you join the waitlist, your email address is sent to our own signup endpoint and stored on our behalf by Cloudflare. It is not shared with anyone else.

To have your email removed, contact hello@sigilbase.io.

Data controller: Sigilbase, United Kingdom.

Last updated July 2026