doc /audit/overviewrev 2026.04.22status production·region us-east-1, us-gov-west-1

think of it as a mini blockchain for ai decisions: an internal, permanent, cryptographically chained record that nobody can alter without every subsequent record exposing it immediately.

ed25519 signatures over rfc 8785 canonicalized payloads, hash-linked into a per-tenant chain, anchored by rfc 3161 timestamps from a digicert tsa. customer-controlled aws kms keys. aes-256-gcm envelope encryption at rest.

deployone-click install · byo kms · audit-ready in < 30 min
marketplacedeploy on awsmarketplacedeploy on azure
read the spec ↗·try the api →·book a technical review →
operatingsigning & verification online · us-east-1
last anchored2026-04-22 14:02:11z · root 0x5522bb17…
backendfastapi · postgres · go sigsidecar · ecs fargate
why we exist

every one of these happened because no signed record existed at the moment the decision was made.

syen comply is running before the examiner arrives. the record already exists when they ask.

§01 try the api interactive

a four-step walkthrough. record, sign, verify, retrieve.

runs against a sandbox tenant. payloads are deterministic so you can diff them against the docs. nothing is stored.

scenario
POST/api/v1/eventssyen-comply-sdk@4.2.1 · python
~12ms server roundtrip · 2.1KB request
response— · idle
idleselect a step. press run.
positioning
you can't use ai to secure ai.
every governance platform, every compliance tool, every security product uses ai to govern ai. syen comply does not. it is cryptographic infrastructure. the signing key lives in your kms. the anchor comes from digicert. verification requires only openssl. no model. no inference. no reasoning layer.
§02 primitives 
three primitives. the whole product.
no dashboards, no rules engines, no policy editors. an append-only ledger and the proofs to verify it offline.
01
locked records
each event canonicalizes to a deterministic byte sequence. one byte changes, the sha-256 changes. the record's identity is its content.
canonicalization rfc 8785 (jcs)
digest sha-256 over canonical bytes
signature ed25519, customer kms key
timestamp rfc 3161 (digicert tsa)
02
linked chain
each event carries the digest of the one before it. rewrite a record in the middle, every record after it is invalid. the chain is its own audit log.
structure per-tenant hash chain
anchor hourly merkle root → public chain
proof size o(log n) inclusion proof
verification offline, no syen call required
03
audit ready
the proof package is a signed json bundle: the event, the chain context, the anchor, the kms attestation. an auditor verifies it with public tooling.
bundle json + detached ed25519 sig
frameworks sr 11-7 · nist ai rmf · soc 2
federal omb m-25-22 · fy2026 ndaa · eo 14365
tooling cli syen-verify proof.json
§03 try to rewrite history  interactive · the signature moment
edit any byte of any record. watch the chain break.
this isn't a demonstration video. the bytes below are real. sha-256 runs in web crypto. ed25519 runs in @noble/ed25519. the demo keypair is fixed and committed (it secures nothing). open devtools — every call is on window.__syen. [server-only steps — kms, rfc 3161 tsa, public-chain anchoring — are labeled inline.]
click any orange field in block #002 to rewrite history, or use a preset below.
viewtenant: acme-fsi-prodinitializing crypto…
#00114:02:09z
event_typepolicy.check.passed
actorsvc:policy-engine@v3
framework_mapping["sr_11_7", "nist_ai_rmf"]
sha2569c4ea01b…signed
prev_digest— (genesis)root
#00214:02:11z
event_typecredit.decision.made
actorsvc:underwriting-llm@2026.03.18
decisionapproved
amount_usd24000
applicant_idapp-991
human_reviewedtrue · reviewer:ariana.lee@acme.example
framework_mapping["sr_11_7"]
sha256a1f09e2c…signed
prev_digest9c4ea01b…linked
canonical bytes (rfc 8785) — bytes that changed
sha256 storeda1f09e2c4d8b7e1f4ad62c0bc7e914b58a3e2c91d4f0a98cb2…
sha256 recomputedcomputing…
ed25519 verifysignature_invalid · public key 0x7f…
block #002 fails verification. all subsequent blocks invalidated.
#00314:02:14z
event_typehuman.review.recorded
actoruser:ariana.lee@acme.example
attestation"reviewed and approved per sr 11-7 §iii.4"
sha256d8a31c77…signed
prev_digesta1f09e2c…linked
#00414:02:18z
event_typeproof.bundle.exported
actorsvc:export-api
recipientaudit-team@examiner.gov
sha2565522bb17…signed
prev_digestd8a31c77…linked
three ways to break the chain ↓
  1. canonicalize. serialize the event under rfc 8785 (jcs). deterministic byte order.
  2. digest. sha-256 over the canonical bytes. fixed 32 bytes regardless of payload.
  3. chain. include the digest of block #001 (9c4ea01b…) in block #002's payload.
  4. sign. ed25519 signature over (digest ‖ prev_digest), key in customer aws kms.
  5. verify. recompute the digest. compare to the stored hash. check the signature against the customer public key.
awaiting input
edit a field above, or run the tamper preset, to see the diagram step through.
§04 built for 
attests to ·soc 2 type iinist ai rmfsr 11-7
also attests to →hipaa·omb m-25-22·fy2026 ndaa·eo 14365·gdpr art. 22·pci dss·ai sbom
also availableaws marketplace ↗azure marketplace ↗·request the soc 2 reportthreat modelapi referencecli (syen-verify)status
architecture
software is going headless. we already were.
every system of record is stripping its interface and exposing the data layer directly to agents. salesforce, okta, snowflake, servicenow. the ui moat is disappearing. when agents bypass the interface entirely, the passive governance evidence that came from humans clicking through approval workflows disappears with it.
syen comply was never a dashboard. it was never a ui. it is an http endpoint that seals a cryptographic record the moment an agent acts. no interface to lose. no moat that erodes. as every system your agents touch goes headless, the evidence layer underneath them becomes the only independently verifiable record of what happened.
integrates via http in under 30 minutes. no ui required on either end.
§05 where it runs 
three deployment surfaces. one cryptographic primitive.
financial services
when an occ examiner requests documentation for a specific ai-assisted loan or fraud decision, the signed proof package exports in under 12 minutes. model version, dataset, policy, human reviewer, and digicert anchor included.
data centers
for regulated tenants running ai workloads inside colocation or federal facilities, each tenant gets a separate cryptographic chain. per-tenant kms key separation.
cyber insurance
insurers are pulling out of ai workload coverage because they cannot verify ai outputs. syen comply produces the independently verifiable record that makes those outputs insurable.
signed. sealed. delivered.
the signed record exists before the examiner asks.