Built so you don't have to take our word for it
Approv sits in front of your AI agent's riskiest actions. That only works if the record of every decision is trustworthy — and provably so. Here's how we do it.
Tamper-proof audit trail
Every state change is hash-chained: each event includes the hash of the one before it. Change any past record and the chain breaks. You get a complete, ordered history of who approved what and when.
Independently verifiable
Each event is signed with Ed25519. The audit response ships the public key and the exact hashing formula, so you — or an auditor — can verify the whole chain offline without trusting Approv.
Least-privilege keys
API keys are scoped to a single project and stored only as a hash. Rotate instantly from Settings; the old key stops working the moment you rotate.
Encrypted in transit & at rest
All traffic is TLS. Data lives in Postgres with encryption at rest. Signing keys are held in an isolated vault, separate from application data.
Human in the loop by design
Risky actions never execute on the agent's say-so alone. A real person approves on WhatsApp or SMS, and the first reply wins — no double decisions.
Data minimization
We store what an approval needs — the action, amount, and decision. You choose what context to attach. No hidden scraping of your systems.
Compliance roadmap
SOC 2 Type II is on our roadmap. The signed audit trail is designed to support governance requirements like the EU AI Act's human-oversight provisions. Building on a regulated stack and need something specific? We'll work with your security team.
Start freeFound a vulnerability? Email security@approv.dev — we respond fast and credit responsible disclosure.