Skip to main content

Description

Automatic request logging with cryptographic integrity verification using hash chain technology ensures immutable audit trails for EU AI Act Article 12 & 19 compliance. All LLM requests are automatically captured with complete context, including prompts, responses, parameters, timestamps, cost, and latency, and stored in an append-only format that prevents modification or deletion. Each log entry is linked to previous entries through cryptographic hashing, creating a verifiable chain of integrity that detects any tampering attempts. The system stores logs exclusively in EU regions, encrypts them at rest using AES-256, and provides cryptographic verification tools that allow compliance officers and auditors to mathematically verify that no logs have been altered since creation. Log retention policies enforce regulatory requirements with 5 days for the Free plan, and for the Pro plan, it can be extended with a Compliance Archiving addon, with all retention actions logged for audit purposes. This feature exists to support regulatory audit requirements, demonstrate system integrity, and provide legally defensible evidence of AI system behavior. It is primarily used by compliance officers, external auditors, legal counsel, and regulatory authorities during inspections.

Example

An external auditor conducting a regulatory inspection requests verification of all high-risk AI system logs from Q4 2025. The compliance officer exports the filtered request data, provides the cryptographic hash chain file, and runs the integrity verification tool, which confirms that all 47,283 log entries maintain perfect cryptographic integrity with zero tampering detected. The auditor independently verifies the hash chain, confirms the EU-only data-residency metadata, reviews the automated timestamp and user attribution for each entry, and certifies that the organization’s immutable audit trail meets the EU AI Act Article 19 record-keeping requirements, providing legally defensible evidence of regulatory compliance.

What Are Immutable Logs?

Immutable logs are records that cannot be modified or deleted after creation, providing tamper-proof audit trails for regulatory compliance.

Key Characteristics

Append-Only Storage
  • Logs can only be added, never modified or deleted
  • Each entry receives a unique identifier and timestamp
  • Historical records remain unchanged regardless of system updates
Cryptographic Linking
  • Each log entry contains a hash of the previous entry
  • Creates a mathematical chain linking all records
  • Any tampering breaks the chain and is immediately detectable
Automated Capture
  • All LLM requests are logged automatically without manual intervention
  • Complete context captured (prompt, response, metadata, compliance fields)
  • Zero-knowledge architecture - API keys never sent to PromptMetrics
EU-Only Storage
  • All logs stored exclusively in AWS eu-central-1 (Frankfurt) and eu-west-1 (Ireland)
  • Zero cross-border data transfers
  • Full GDPR Article 44-49 compliance
Immutable logs provide legally defensible evidence that AI system behavior records have not been altered, supporting regulatory audits and legal proceedings.

Cryptographic Hash Chain Verification

How Hash Chains Work

Hash chains use cryptographic algorithms to link log entries:
  1. Entry Creation: Each log entry is created with full request context
  2. Hash Generation: The system generates a cryptographic hash (fingerprint) of the entry
  3. Chain Linking: The hash of the previous entry is included in the current entry
  4. Verification: Any modification to past entries breaks the mathematical chain
Example Chain: 
Entry 1: [Data] → Hash: abc123
Entry 2: [Data + abc123] → Hash: def456
Entry 3: [Data + def456] → Hash: ghi789
If Entry 2 is modified, its hash changes, breaking the link to Entry 3, and verification fails.

Running Verification

1

Access Audit Trail Dashboard

Navigate to Compliance → Audit Trails in the main menu.
2

Select Verification Period

Choose the date range for logs you want to verify (e.g., Q4 2025, Last 90 days, Custom range).
3

Run Verification Tool

Click the “Verify Hash Chain Integrity” button. The system checks cryptographic links between all entries in the selected period.
4

Review Results

View verification report showing:
  • Total entries verified
  • Integrity status (Pass/Fail)
  • Any broken links or tampering detected
  • Timestamp range of verified logs
5

Export Verification Certificate

Generate a signed verification certificate with cryptographic proof for regulatory submissions or audit documentation.

Verification Results

Pass (Integrity Confirmed)
  • All hash links intact
  • No modifications detected
  • Logs are tamper-proof and legally defensible
Fail (Integrity Compromised)
  • One or more hash links are broken
  • Indicates potential tampering or data corruption
  • Requires immediate investigation and incident reporting
Any integrity verification failure must be reported immediately to workspace Admins and investigated as a potential security incident.

Accessing Audit Trails

Request History Access

All logged requests are accessible through: Compliance → Request History
  • Full searchable interface with advanced filters
  • Filter by date range, risk level, compliance status, model, prompt template
  • Export to CSV/JSON for external analysis
Compliance → Audit Trails
  • Focused view on cryptographic integrity and verification
  • Access to hash chain verification tools
  • Audit-ready export formats with verification certificates

Log Entry Details

Each log entry contains: Request Context
  • Full prompt text (system, user, assistant messages)
  • Complete response from LLM
  • Model identifier and parameters
  • Execution timestamp (ISO 8601 format)
Performance Metrics
  • Total latency (ms)
  • Time to first token (TTFT) for streaming
  • Token counts (input and output)
  • Calculated cost
Compliance Fields
  • Risk level classification (automated or manual)
  • Use case category (EU AI Act Annex III)
  • Transparency disclosure status
  • Human oversight indicator
Audit Metadata
  • User ID of requestor
  • Workspace ID
  • Request group ID (for conversation tracking)
  • Tags and custom metadata
Cryptographic Integrity
  • Unique request ID
  • Previous entry hash
  • Current entry hash
  • Verification signature

Log Retention Policies

Retention Periods

Free Plan
  • 5 days log retention
  • After 5 days, logs are permanently deleted
  • Compliance Officers should export critical data before expiration
Pro Plan
  • Unlimited log retention
  • Logs retained for the entire subscription duration
  • No automatic deletion unless explicitly requested

Retention Compliance

Log retention policies ensure compliance with: EU AI Act Article 12
  • Automatic logging of high-risk AI system operations
  • Logs retained for period required by risk level (typically 6-36 months)
GDPR Article 17 (Right to Erasure)
  • User data can be deleted on request
  • System logs anonymization when personal data is removed
  • Audit trail maintained showing erasure actions

Retention Actions Logging

All retention-related actions are logged:
  • Manual log exports by Compliance Officers
  • Automated retention policy enforcement
  • GDPR erasure requests and execution
  • Retention period modifications (Pro plan only)
Pro plan users should establish internal log retention policies aligned with regulatory requirements for their industry and geographic jurisdiction.

Exporting Audit Data

Export Formats

CSV (Comma-Separated Values)
  • Tabular format for spreadsheet analysis
  • Includes all log fields and compliance metadata
  • Compatible with Excel, Google Sheets
JSON (JavaScript Object Notation)
  • Structured format preserving nested data
  • Includes cryptographic hashes and verification data
  • Compatible with programmatic analysis and data pipelines
PDF (Portable Document Format)
  • Human-readable audit report format
  • Includes verification certificate and signature
  • Suitable for regulatory submissions and legal proceedings

Export Process

1

Filter Logs

Apply filters for the specific logs you need to export (date range, risk level, compliance status).
2

Run Verification

Verify hash chain integrity before export to ensure you’re exporting tamper-proof data.
3

Select Export Format

Choose CSV, JSON, or PDF based on your audit requirements.
4

Include Verification Certificate

Option to include a cryptographic verification certificate proving log integrity.
5

Download Export

Encrypted download link generated with a 24-hour expiration for security.

Export Audit Trail

All exports are logged:
  • User ID of the Compliance Officer who requested the export
  • Timestamp of export
  • Date range and filters applied
  • Number of records exported
  • Export format selected
This creates an audit trail of data access for regulatory oversight and internal security monitoring.

Demonstrating Compliance

For EU AI Act Article 12

Requirement: Automatically log operations of high-risk AI systems PromptMetrics Implementation:
  • 100% automatic request logging (no manual intervention)
  • Complete context capture (prompt, response, metadata)
  • Immutable storage preventing modification
  • EU-only data residency

For EU AI Act Article 19

Requirement: Keep logs for the minimum period required to demonstrate compliance PromptMetrics Implementation:
  • Unlimited retention on Pro plan
  • Cryptographic integrity verification
  • Export capabilities for regulatory submissions
  • Audit trail of all retention actions

For GDPR Compliance

Requirement: Maintain security of processing and demonstrate compliance PromptMetrics Implementation:
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • EU-only storage with zero cross-border transfers
  • Cryptographic integrity prevents unauthorized modification
  • Audit trail for all data access and exports

Compliance Overview

Return to the main compliance officer introduction.

Request History.

Search and filter request logs for compliance investigations.

Compliance Reporting.

Generate audit-ready compliance reports with verification certificates.

Data Sovereignty.

Verify 100% EU data residency for all audit trail data.