Skip to content
Security & trust

Built so you don't have to take our word for it

Approv sits in front of your AI agent's riskiest actions. That only works if the record of every decision is trustworthy — and provably so. Here's how we do it.

Tamper-proof audit trail

Every state change is hash-chained: each event includes the hash of the one before it. Change any past record and the chain breaks. You get a complete, ordered history of who approved what and when.

Independently verifiable

Each event is signed with Ed25519. The audit response ships the public key and the exact hashing formula, so you — or an auditor — can verify the whole chain offline without trusting Approv.

Least-privilege keys

API keys are scoped to a single project and stored only as a hash. Rotate instantly from Settings; the old key stops working the moment you rotate.

Encrypted in transit & at rest

All traffic is TLS. Data lives in Postgres with encryption at rest. Signing keys are held in an isolated vault, separate from application data.

Human in the loop by design

Risky actions never execute on the agent's say-so alone. A real person approves on WhatsApp or SMS, and the first reply wins — no double decisions.

Data minimization

We store what an approval needs — the action, amount, and decision. You choose what context to attach. No hidden scraping of your systems.

Compliance roadmap

SOC 2 Type II is on our roadmap. The signed audit trail is designed to support governance requirements like the EU AI Act's human-oversight provisions. Building on a regulated stack and need something specific? We'll work with your security team.

Start free

Found a vulnerability? Email security@approv.dev — we respond fast and credit responsible disclosure.