SOC 2 audit evidence your auditor can verify.
Sigilbase produces SOC 2 audit evidence that stands on its own. It records each control event, such as an access review, as a sealed, chained entry, then exports them as an evidence bundle. Your auditor verifies that bundle offline with a standalone verifier in three commands, without a Sigilbase account or access to your database.
Three months before the audit, your evidence is screenshots and CSV exports no one can prove are complete.
Access reviews sit in a ticket system anyone with admin rights could have edited after sign-off.
The auditor has to trust that the logs you handed over match what actually happened.
The Sigilbase event model, applied to a control.
Sigilbase records each control activity as one event: an actor, an action, and a payload. Here a security lead completes a quarterly access review and revokes two accounts.
{
"actor": "user:security-lead",
"action": "access.review.completed",
"payload": {
"control": "CC6.1",
"scope": "prod-database",
"period": "2026-Q2",
"accounts": 42,
"revoked": ["user:contractor-11", "user:ex-eng-04"]
}
}
Sigilbase hashes each control event with SHA-256 and chains it to the previous one, so a review cannot be backdated or edited without breaking every hash after it.
Sigilbase seals recent events into a signed checkpoint every few minutes, and the standalone verifier recomputes the chain and signatures offline so your auditor never has to take your word for it.
A log records events. Sigilbase makes them provable.
| Question | A standard log | Sigilbase |
|---|---|---|
| Can a review be edited after sign-off? | Yes, with system access | No, any edit breaks verification |
| Can the auditor verify without trusting you? | No, they rely on your exports | Yes, offline with the standalone verifier |
| Does the evidence hold if the tool is gone? | No, it lives in the vendor's system | Yes, the evidence bundle verifies on its own |
| Is each control event sealed and dated? | No | Yes, in a signed checkpoint |
An access review, from event to auditor sign-off.
Sigilbase turns a single control, a quarterly access review under CC6.1, into evidence an auditor can check unaided. The security lead logs the review, you export the bundle, and the auditor verifies it with three commands.
$ sigil-verify ./evidence-bundle.tar hash chain ......... ok inclusion proofs ... ok signatures ......... ok $ sigil-verify --control CC6.1 ./evidence-bundle.tar 12 access.review.completed events, all sealed $ sigil-verify --show 40917 ./evidence-bundle.tar access.review.completed CC6.1 2026-Q2 revoked 2
Sigilbase records the completed access review as a sealed event: who reviewed, the scope, the period, and which accounts were revoked.
Sigilbase exports the events for the control and period into one evidence bundle, a single file that carries the events, proofs, checkpoints and public keys.
The auditor runs the standalone verifier against the bundle, offline, and reads back the sealed access reviews for CC6.1 with no Sigilbase account.
SOC 2 CC-series criteria expect logging with integrity and retention, and ISO 27001 Annex A covers logging and protection of log information. Sigilbase strengthens the integrity of that evidence; it does not grant certification, shortcut the audit, or replace an auditor's judgement.
Questions about SOC 2 audit evidence.
What counts as audit evidence for SOC 2?
Audit evidence for SOC 2 is anything that shows a control operated over the audit period, such as access reviews, change approvals and access revocations. Sigilbase records each of these as a sealed event and exports them as an evidence bundle. Because the bundle is chained and signed, it shows not just that the events exist but that the record was not altered.
Can my auditor really verify this without a Sigilbase account?
Yes. The standalone verifier is open source and runs offline, so your auditor checks the evidence bundle with three commands and no account. It recomputes the hash chain, checks the inclusion proofs, and validates the signatures without contacting Sigilbase.
Does Sigilbase make my company SOC 2 compliant?
No. SOC 2 compliance depends on your controls, your scope and an auditor's opinion, none of which a logging tool can provide. Sigilbase strengthens one part of the picture, the integrity and verifiability of your log evidence, and leaves the certification to your auditor.
How does this map to ISO 27001 logging controls?
ISO 27001 Annex A includes controls for logging and for protecting log information from tampering and unauthorised access. Sigilbase addresses the tamper-evidence part directly by chaining and signing each event. Whether your wider logging programme meets the standard is a matter for your information security management system and your certification body.
How long does the evidence stay verifiable?
The evidence bundle stays verifiable for as long as you keep the file, because verification does not depend on Sigilbase staying online. The standalone verifier checks the bundle offline against the public signing keys included in it. You can archive a bundle and re-verify it years later.
Join the waitlist
Building now. Early access for teams preparing SOC 2 or ISO 27001 evidence.
Could not save your email. Try again or write to hello@sigilbase.io.
No spam, one email when it opens.