Early Access

Your audit logging
infrastructure.
Done.

The audit logging infrastructure SOC 2 and GDPR require. Cryptographically chained, tamper-evident, and auditor-ready. Ship in days, not months — without building it yourself.

No spam. Notify on launch only.

EU
// data residency
SOC 2
// compliance ready
Rust
// core engine
// every event is cryptographically linked — tamper detection is mathematical, not a promise

Chain integrity can be verified from exports — without trusting Logstone's servers. Hand an auditor the NDJSON export and they can confirm the chain independently.

EVENT #001
actor usr_a3f9c2
action user.login
resource dashboard
timestamp 2026-02-19 09:14:02Z
verified
EVENT #002
actor usr_a3f9c2
action record.exported
resource invoice_9182
timestamp 2026-02-19 09:15:44Z
verified
EVENT #003
actor usr_b82a11
action role.modified
resource usr_a3f9c2
timestamp 2026-02-19 09:22:11Z
verified
EVENT #004
actor usr_a3f9c2
action user.logout
resource dashboard
timestamp 2026-02-19 09:47:38Z
verified
// features

Everything compliance
audits actually check.

Purpose-built for the compliance requirements blocking your enterprise deals.

Cryptographic Chaining

Each event hashes into the next. Any modification breaks the chain. Tamper detection is mathematical — not a policy.

GDPR Right to Erasure

Mark fields as sensitive. On erasure request, the field values (old/new) are wiped — but the audit trail structure (action, resource, timestamp, chain hash) is preserved. GDPR Article 17 compliant without breaking your chain.

Async Workflow Support

Trace related events across queues, webhooks, and background jobs using Correlation IDs. Every system actor, integration, and cron job can be attributed and linked back to the triggering event.

Auditor-Ready Exports

Generate time-bounded exports in NDJSON format. Each export includes chain hash information so auditors can independently verify log integrity — no need to trust Logstone's infrastructure.

Multi-Language SDKs

Node.js available at launch. Python, Go, and Rust SDKs in the pipeline. Simple API — log an event in three lines.

AI Agent Traceability

Log autonomous AI actions with full context. Who approved it, what was decided, what model ran. EU AI Act ready.

Three Actor Types

Every event is attributed to the right actor — human users, your own system or background jobs, or third-party integrations. No more ambiguous "who made this change?"

// built for multi-tenant saas

Every event, fully
attributed.

Know exactly who did what — whether it was a human, your own backend, or a third-party integration.

Actor Types
Three kinds of actors. No ambiguity.

Every event is attributed to exactly the right source. Stop guessing which changes came from humans vs. automation.

type: "user" Alice updated the billing address
type: "system" Nightly job archived 142 records
type: "integration" Stripe webhook updated invoice status
Sub-tenant Support
Your customers have customers too.

Use subTenantId to scope audit logs to the end-customers inside your own multi-tenant product. Each sub-tenant sees only their own trail.

tenantId → subTenantId acme-corp → workspace_482
tenantId → subTenantId acme-corp → workspace_917
Team RBAC
Control who sees the audit data.

Three built-in roles control access to audit logs across your team. Grant your compliance officer read-only access without touching your codebase.

Owner Full access, billing, API key management
Admin Search, filter, export logs
Viewer Read-only — auditors and compliance
// eu-native, available globally

EU-native.
Global reach.

Norwegian-founded, hosted within the EU. GDPR isn't an afterthought — it's the foundation. Whether you're in Europe or the US, your data stays where you need it.

🇪🇺
EU Data Residency
Servers in Germany & Finland — data never leaves the EU
🔒
GDPR Native
DPA included, pseudonymisation built-in, right to erasure supported
📋
SOC 2 & HIPAA Ready
Provides the audit logging infrastructure SOC 2, ISO 27001, and HIPAA require
📤
Auditor-Ready Export
Export logs in formats your auditors actually need — no manual work required
🤖
EU AI Act Compliant
Audit trails for high-risk AI systems — required from 2025
// developer experience

Clean API.
Zero boilerplate.

audit.js 
import { Logstone } from '@logstone/node';

const logstone = new Logstone({
  apiKey: process.env.LOGSTONE_API_KEY,
});

// Log an audit event
await logstone.log({
  actor: {
    type: 'user',
    id: 'user_123',
    email: 'alice@example.com',
  },
  action: 'user.updated',
  resource: {
    type: 'user',
    id: 'user_456',
  },
  sensitiveFields: [
    { field: 'email', oldValue: 'alice@old.com', newValue: 'alice@example.com' },
  ],
});

// Cryptographically chained
// and stored in the EU.
// how it works

Up and running
in three steps.

No infrastructure to manage. No compliance expertise required. Just logs that work.

01
Install the SDK

Add @logstone/node to your project. Initialise with your API key. Takes two minutes.

02
Send your first event

Call client.log() with an actor, action, and resource. Cryptographically chained and stored in the EU instantly.

03
Pass your audit

Search, filter, and export logs in auditor-ready formats from the dashboard. Give your compliance team exactly what they need to pass the audit.

// faq

Common
questions.

Why not just build audit logging ourselves?

You could — but it typically takes 2-3 months of engineering time, and that's before you tackle cryptographic integrity, retention policies, GDPR compliance, and keeping it maintained. Logstone gives you all of that out of the box so your team can focus on your actual product.

How is this different from just logging to a database?

A regular database can be modified — records can be edited or deleted without any trace. Logstone chains every event cryptographically, so any tampering is mathematically detectable. That's what auditors actually require.

Where is my data stored?

All data is stored on servers within the EU. It never leaves the EU. We're GDPR-native by design.

What about GDPR's right to erasure? Can I delete user data?

Yes. We use pseudonymisation — we store an ID like usr_a3f9c2 in the log, not the user's email or name. You control the mapping. To erase a user, you delete the mapping on your end. The log chain stays intact.

When are you launching?

Logstone is in early access — a limited number of teams are already using it in production. We're onboarding new customers from the waitlist. Join the waitlist to get in line for access.

Who should use Logstone?

Logstone is built for engineering teams at B2B SaaS companies — specifically if you're preparing for a SOC 2 or GDPR audit, if your customers ask "who made this change?", or if you have background jobs, webhooks, or integrations that mutate data and need a clear attribution trail.