Every trust signal and task step is Ed25519-signed at creation. Tamper-evident audit trail with SIEM webhook export.
Every record carries a cryptographic signature from the moment it is created. Retroactive manipulation is mathematically impossible.
When a regulator asks "how do you know this trust signal was not modified after the fact?" most platforms have no answer. DAT signs every trust signal and every task step with Ed25519 at the moment of creation. The signature, signed payload, and signer DID are stored alongside the record. Anyone can verify integrity independently using the public key endpoint — no database access required.
Ed25519 Audit Record Signing
==============================
On TrustSignal creation:
  1. Build canonical payload
     payload = JSON.stringify({
       agentDid, signal, category,
       weight, description, source,
       pillar, metadata
     })
  2. Sign with service key
     signature = Ed25519.sign(
       payload,
       privateKey  // AES-256-GCM encrypted
     )
  3. Store alongside record
     record.signature = "a7f3..."
     record.signedPayload = base64
     record.signerDid = "did:dat:service:reputation"
Verification (anyone, anytime):
  GET /signing-key -> publicKey
  POST /verify { signature, signedPayload }
    -> { valid: true, signerDid: "did:dat:..." }
Tamper attempt:
  Modify record -> signature invalid
  Re-sign       -> wrong private key
  Forge key     -> DID resolution fails
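The verification step sketched above, as an added Node.js example (not DAT's own code): it checks the Ed25519 signature over the stored signedPayload, then confirms the record's visible fields still match the signed copy. The hex signature encoding, the base64 UTF-8 payload, the `trustedKeys` map and the sample record are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Field list and order taken from the page's canonical payload.
const FIELDS = ['agentDid', 'signal', 'category', 'weight',
                'description', 'source', 'pillar', 'metadata'];

// Signer side as the page outlines it: serialize in fixed order, sign, store.
function signRecord(fields, privateKey, signerDid) {
  const picked = Object.fromEntries(FIELDS.map((k) => [k, fields[k]]));
  const bytes = Buffer.from(JSON.stringify(picked), 'utf8');
  return {
    ...picked,
    signature: crypto.sign(null, bytes, privateKey).toString('hex'),
    signedPayload: bytes.toString('base64'),
    signerDid,
  };
}

// Verifier side. trustedKeys (hypothetical) maps signer DID -> public key that
// the verifier fetched and pinned earlier, never a key shipped with the record.
function verifyRecord(record, trustedKeys) {
  const publicKey = trustedKeys.get(record.signerDid);
  if (!publicKey) return { valid: false, reason: 'unknown signer' };
  const bytes = Buffer.from(record.signedPayload, 'base64');
  const sig = Buffer.from(record.signature, 'hex');
  if (!crypto.verify(null, bytes, publicKey, sig)) {
    return { valid: false, reason: 'bad signature' };
  }
  // The signature covers signedPayload only, so the displayed fields must be
  // compared against the signed copy or an edited column goes unnoticed.
  const signed = JSON.parse(bytes.toString('utf8'));
  for (const k of FIELDS) {
    if (JSON.stringify(signed[k]) !== JSON.stringify(record[k])) {
      return { valid: false, reason: `field mismatch: ${k}` };
    }
  }
  return { valid: true, signerDid: record.signerDid };
}

// Constructed sample: throwaway key pair and record, not real platform data.
const service = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['did:dat:service:reputation', service.publicKey]]);
const record = signRecord({
  agentDid: 'did:dat:agent:example', signal: 'action_success',
  category: 'reliability', weight: 5, description: 'constructed sample',
  source: 'example', pillar: 'example', metadata: { run: 1 },
}, service.privateKey, 'did:dat:service:reputation');
console.log(verifyRecord(record, trustedKeys));                    // untouched
console.log(verifyRecord({ ...record, weight: 50 }, trustedKeys)); // edited field
```

Comparing nested values such as `metadata` by re-serializing them assumes the stored record preserves key order; a store that reorders keys needs a canonical JSON form on both sides.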
Forward signed events to Splunk, Sentinel, Elastic, or Datadog in real time. Your SOC sees everything.
Enterprise SOC teams do not monitor agent platforms through custom dashboards. They use Splunk, Microsoft Sentinel, Elastic, and Datadog. DAT's SIEM webhook export sends every trust signal, security event, investigation action, and approval decision to your existing infrastructure in a standardized JSON envelope, cryptographically signed with Ed25519 so your SIEM can verify authenticity independently.
SIEM Webhook Export Pipeline
==============================
Source Services (8 total):
  reputation  -> trust signals
  identity    -> security events
  dat-agent   -> approvals, denials, DLP, skills, nego.
  org-webhook -> test events
SiemEnvelope:
  {
    "version": "1.0.0",
    "id": "uuid-v4",
    "timestamp": "2026-03-04T...",
    "source": "dat-platform",
    "orgDid": "did:dat:...",
    "eventCategory": "trust_signal",
    "eventType": "action_success",
    "severity": 3,
    "agentDid": "did:dat:...",
    "data": { ... },
    "signature": "hex...",
    "signedAt": "2026-03-04T...",
    "signerPublicKey": "hex..."
  }
Auth Types:
  bearer -> Splunk HEC, Datadog
  header -> Elastic, Sentinel
  none   -> internal/test
Auto-disable: 10 consecutive fails
Recovery: admin re-enables in UI
Generate SOC2, GDPR, and EU AI Act compliance reports with a single click. Export as PDF or CSV.
Preparing for a SOC2 Type II audit typically means weeks of manual evidence collection. DAT automates this entirely. The compliance report engine aggregates data from security events, user audit logs, agent registrations, SIEM configurations, and trust scores into structured reports that map directly to compliance control frameworks. Each report includes a weighted compliance score, open issue detection, and exportable evidence.
Compliance Report Generation
==============================
Report Types:
  SOC2      -> 6 sections, CC refs
  GDPR      -> 5 sections, Art. 32
  EU_AI_ACT -> 5 sections
  General   -> custom
Scoring Formula (100 pts):
  2FA adoption      (15 pts)
  SIEM configured   (15 pts)
  No blacklisted    (15 pts)
  Avg trust >= 60   (15 pts)
  Low violations    (15 pts)
  Audit complete    (15 pts)
  Low failed logins (10 pts)
Open Issue Detection (7 checks):
  - Users without 2FA
  - SIEM not configured
  - Blacklisted agents present
  - Low average trust score
  - High violation count
  - Incomplete audit trail
  - Elevated failed login rate
Export Formats:
  PDF  -> jsPDF + AutoTable
  CSV  -> BOM-prefixed Blob
  SIEM -> compliance_report event
Caching:
  Redis 24h TTL per report
  History: last 20 per org
Deploy agents with audit trails that satisfy SOC2, GDPR, and EU AI Act requirements out of the box. Start with a free account.