For compliance + SecOps

Compliance evidence for the BMCs in your racks.

Tamper-evident audit log, customer-owned signing keys, open-source verifier CLI. One-click reports for NIS2, SOC 2, ISO 27001, GDPR, HIPAA. EU-hosted.

Plug into the compliance-OS you already run

Vanta, Drata, Sprinto, and Secureframe cover the modern-SaaS slice — AWS, GCP, Okta, GitHub, Jira. None of them touch the BMCs in your racks.

That's our slice. We ship evidence two ways: as a one-click compliance report PDF, and as a stream of audit events over SIEM webhook — so it lands in whatever GRC tool you already pay for. You don't pick KVM Fleet instead of Drata; you pick KVM Fleet to plug into Drata.

Shipped framework reports

  • NIS2 (EU Directive 2022/2555)
  • SOC 2 (Type II)
  • ISO 27001:2022 (Annex A)
  • GDPR (Articles 17, 32)
  • HIPAA (Security Rule)
  • NIST 800-53 (Rev 5)
  • PCI DSS (v4.0)
  • On roadmap: FedRAMP, SOX, DORA

What's in each report

Tamper-evident audit log

SHA-256 hash-chained over every access event, policy decision, power action, ISO mount, and cert issuance. Append-only at the database level — a Postgres trigger refuses any UPDATE or DELETE.

Customer-owned signing keys

You upload an Ed25519 public key. Every chain anchor we publish is signed by your private key (held in your HSM or secrets manager; the platform never sees the private half).

Customer-side verifier CLI

kvmfleet-verify walks an exported log, recomputes SHA-256, and validates signatures and Merkle inclusion proofs — without touching the platform. Apache 2.0. Your auditor runs it against your evidence pack.

Merkle inclusion proofs

Per-day Merkle root with per-event inclusion proofs. Any single event can be proven to belong to the chain head you exported.

One-click reports

Per framework, download a PDF that maps our audit-log evidence to the framework's control catalogue, with an integrity-verification section in every report.

SIEM webhook export

Stream every audit event to your existing SIEM (Splunk HEC, Elastic, Sumo, Datadog) or to a Vanta / Drata custom collector. Per-org event filter, delivery tracking, retry-with-backoff.

Configurable retention

SOC 2 expects 365 days, ISO 27001 commonly 3 years, HIPAA 6 years, EU financial services 10. Set the window per org; the janitor sweeps past the threshold and bumps the chain anchor so the verifier still passes.

External witness anchoring

Point us at a witness endpoint you control (Sigstore Rekor, an internal HSM, an S3 immutable bucket). We publish chain anchors there so you can cross-check independently.

The trust frame

Operated by us. Verifiable by you.

Most compliance platforms tell you their evidence is correct and expect you to take their word for it. We sign the chain anchor with your key and publish an open-source CLI so your auditor can verify our entire chain without trusting us.

Run this against an exported chain bundle:

    # Verify a 90-day evidence pack you exported from the platform.
    $ kvmfleet-verify --chain ./kvmfleet-audit-2026-Q3.ndjson \
        --proof ./kvmfleet-audit-2026-Q3.proof \
        --pubkey ./your-org-ed25519.pub
    walked 18,492 events
    chain integrity:   ✓ pass (SHA-256 chain links intact)
    Merkle inclusion:  ✓ pass (all 18,492 events under epoch roots)
    signature:         ✓ pass (Ed25519 verified against your pubkey)
    anchor freshness:  ✓ pass (latest anchor T+47s)
    All checks pass.

The CLI is Apache-2.0 at github.com/KVMFleet/audit-verify. Vendor it in, run it in CI, hand it to your auditor — your call.
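
The two integrity checks described under "Tamper-evident audit log" and "Merkle inclusion proofs", as an added Python example that is not kvmfleet-verify's code or the platform's export format. The record fields (prev, event, hash), the canonical-JSON encoding, the all-zero genesis value and the leaf/node prefixes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def link_hash(prev, event):
    # Each link commits to the previous hash plus a canonical JSON event body.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        chain.append({"prev": prev, "event": ev, "hash": link_hash(prev, ev)})
        prev = chain[-1]["hash"]
    return chain

def first_broken_link(chain):  # index of the first bad record, or -1 if intact
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or link_hash(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def _h(tag, data):  # tag 0x00 = leaf, 0x01 = inner node, so the two never collide
    return hashlib.sha256(tag + data).digest()

def root_and_proof(hashes, index):
    """Merkle root over the event hashes, plus the inclusion proof for hashes[index]."""
    level, proof = [_h(b"\x00", bytes.fromhex(h)) for h in hashes], []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))  # (sibling, sibling_is_left)
        nxt = [_h(b"\x01", level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted, not duplicated
        level, index = nxt, index // 2
    return level[0], proof

def included(event_hash, proof, root):
    node = _h(b"\x00", bytes.fromhex(event_hash))
    for sibling, is_left in proof:
        node = _h(b"\x01", (sibling + node) if is_left else (node + sibling))
    return node == root

ACTIONS = ["kvm.open", "power.cycle", "iso.mount", "cert.issue", "kvm.close"]
EVENTS = [{"seq": i, "action": a} for i, a in enumerate(ACTIONS)]  # constructed samples
```

Editing or dropping any record changes every later link, which is why the chain check reports the first index that fails; the inclusion check needs only one event hash, its sibling path and the root.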

Business

€299/mo
  • 3-year audit retention
  • All shipped frameworks (NIS2, SOC 2, ISO 27001, GDPR, HIPAA, NIST 800-53, PCI DSS)
  • Customer-owned signing keys, external witness, SIEM webhook — all included
  • 5 managed customer orgs (MSP nesting)
  • Priority email support, 8-hour response

Enterprise

From €15–30k/year
  • 7–10 year audit retention (typical regulated-industry ask)
  • Unlimited managed organisations
  • Dedicated CSM, 99.9% uptime SLA, on-prem option, custom DPA
  • Custom framework mappings (FedRAMP, DORA, SOX on request)

Hand your auditor a verifier CLI, not a screenshot.

Start free, generate a sample evidence pack, run the verifier against it. If your compliance team is satisfied, upgrade. EU-hosted; DPA published.
