Hash-chained, HSM-signed audit
Every action is sealed in a tamper-evident ledger and signed by an Azure Key Vault HSM.
What it is
Audit isn't a bolt-on. It's the substrate. Every state transition, every approval, every phase event is appended to a SQL ledger with prev_hash and this_hash columns. Every 60 seconds, a per-customer batch is signed and uploaded to WORM blob storage with a 7-year locked immutability policy.
How it works
NotarizationBackgroundService runs every 60s per customer. KeyVaultHsmSigner produces an RS256 signature over the batch hash. BlobWormUploader applies an immutability policy to each blob. The receipt, a portable artifact, references the key ID (kid), the previous hash, and the immutable blob URI.
What you get
- Auditors verify independently — no Nexune tooling required.
- Tamper-evident: no log row can be silently changed.
- WORM-immutable for 7 years, deletion-blocked at the storage layer.
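
An added sketch of the independent check an auditor could run over exported ledger rows (not Nexune's code): it walks the prev_hash/this_hash links, then shows why the signed batch hash matters when someone rewrites a row and recomputes every later hash. The SHA-256 row construction, the all-zero genesis value, the batch digest layout and the sample rows are assumptions; RS256 verification of the digest against the receipt is left out.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash value of the first ledger row


def row_hash(prev_hash, payload):
    # Assumed construction: SHA-256 over prev_hash + canonical JSON of the row.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def build_ledger(payloads):
    ledger, prev = [], GENESIS
    for payload in payloads:
        this = row_hash(prev, payload)
        ledger.append({"payload": payload, "prev_hash": prev, "this_hash": this})
        prev = this
    return ledger


def verify_chain(ledger):
    # Returns indices of rows with a broken link or a content/hash mismatch.
    bad, expected_prev = [], GENESIS
    for i, row in enumerate(ledger):
        recomputed = row_hash(row["prev_hash"], row["payload"])
        if row["prev_hash"] != expected_prev or row["this_hash"] != recomputed:
            bad.append(i)
        expected_prev = row["this_hash"]
    return bad


def batch_hash(ledger):
    # Assumed batch digest: SHA-256 over the ordered this_hash values.
    return hashlib.sha256("".join(r["this_hash"] for r in ledger).encode()).hexdigest()


# Constructed sample rows, not real ledger data.
SAMPLE = [{"customer": "cust-001", "event": e}
          for e in ("state_transition", "approval", "phase_event")]

if __name__ == "__main__":
    ledger = build_ledger(SAMPLE)
    signed_digest = batch_hash(ledger)           # what the receipt would attest to
    edited = copy.deepcopy(ledger)
    edited[1]["payload"]["event"] = "rejection"  # in-place edit, hashes untouched
    print("in-place edit flagged at rows:", verify_chain(edited))
    rebuilt = build_ledger([r["payload"] for r in edited])  # full re-chain
    print("re-chained ledger passes chain check:", verify_chain(rebuilt) == [])
    print("but matches signed digest:", batch_hash(rebuilt) == signed_digest)
```

The chain check alone catches an in-place row edit; a full re-chain is only caught by comparing the recomputed batch digest with the signed copy held in immutable storage.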