FAQ
Questions before you ship.
Everything we get asked about Stonewrit: product, compliance, integration, and security. Still missing something? Email the team.
Product
- How is Stonewrit different from a log aggregator like Datadog or Splunk?
- Logs are mutable, time-series, and built to be aggregated. Stonewrit records are immutable, hash-chained, and built to be verified. Auditors and regulators ask for an audit trail, not a log, and the difference matters when the integrity of the record is in question.
- What does "tamper-evident" actually guarantee?
- Every event is canonicalized using RFC 8785 and SHA-256 hashed. Each event hash includes the previous event hash, forming a linked chain. If a single byte of any record is modified after the fact, including by us, every subsequent hash no longer matches. Auditors can verify the whole chain independently via a public verify endpoint.
- Why "AI agent" specifically?
- AI agents take actions on behalf of users, often with elevated permissions and minimal human review. That is exactly the activity auditors will ask about first. Stonewrit treats AI agents as a first-class actor type with fields for tool calls, approvals, supervisor links, and human-in-the-loop decisions.
- Do you store the underlying data, or just metadata?
- Both. We store the full normalized event payload (your choice of fields, with optional hashing of sensitive identifiers) plus the cryptographic proofs. The payload is what makes evidence useful; the proofs are what make it trustworthy.
Compliance
- Which frameworks does Stonewrit map evidence to?
- SOC 2 (CC6.1, CC7.2, CC8.1, CC9.2), ISO 27001, HIPAA, and GDPR. Custom and private frameworks are supported on the Enterprise plan. Mappings are labeled "suggested evidence", so Stonewrit never overstates compliance status; auditor sign-off stays where it belongs.
- Does this replace my SOC 2 or ISO 27001 auditor?
- No. Stonewrit gives your auditor a tamper-evident, verifiable trail of sensitive actions and a one-click evidence export. Your auditor still issues the report. Most teams use Stonewrit to shorten evidence gathering from weeks of screenshots and spreadsheets to a single export.
- Can I export evidence in a format auditors accept?
- Yes. JSON exports include events, hash proofs, control mappings, and a verification manifest, packaged as a downloadable bundle. The bundle is independently verifiable: auditors can re-hash any event and compare against the chain.
- Do you provide a DPA for GDPR?
- Yes, on the Pro and Enterprise plans. Email hello@stonewrit.com and we will get it to you.
Integration
- How do I send events?
- POST a normalized event to /api/v1/events with your API key in the Authorization header and an Idempotency-Key. We canonicalize, hash, and chain it, then return a cryptographic proof. See the Quickstart in the docs.
- Which AI agent frameworks does Stonewrit support?
- Any framework. Stonewrit is API-first, so if your agent framework can make an HTTP request, it can send evidence. We publish first-class snippets for LangChain, CrewAI, AutoGen, Mastra, and a generic "Custom" example.
- What are the latency and volume limits?
- P99 ingest latency is under 80 ms. Monthly volume is per plan: 250k on Starter, 5M on Pro, unlimited on Enterprise. You set a spend cap and we nudge you before any overage, so there are no surprise bills.
- Is there an SDK?
- The API is small and idempotent enough that a short wrapper covers most use cases. Language SDKs follow as customer demand makes the priority clear.
Trust and security
- Where is data stored?
- US-East by default on Starter and Pro. EU and on-prem or VPC deployment are available on Enterprise. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Who can see my events?
- Only members of your organization and any auditors you explicitly grant access. Auditors get read-only links scoped to the framework and date range you choose, never full account access.
- Can Stonewrit itself tamper with my data?
- No, and we could not hide it if we tried. The chain is cryptographically verifiable end to end. If a single byte of any event were modified by us, the chain hash from that point forward would no longer match, and any auditor running verify would see it immediately.
- How do I get started?
- Create an organization, send your first event in minutes, and invite your team. Email hello@stonewrit.com if you want a hand getting set up.
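The chaining and verification described in the "tamper-evident" and "Can Stonewrit itself tamper with my data?" answers, as an added example that is not Stonewrit's code. The record layout, the all-zero genesis value, the way the previous hash is combined with the event, and the simplified canonicalizer (a stand-in for RFC 8785 that matches it only for ASCII keys with string or integer values) are assumptions. It goes one step beyond the page by having the verifier compare the chain head against a value it saved earlier.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first event

def canonicalize(event):
    # Simplified stand-in for RFC 8785: sorted keys, no whitespace, UTF-8.
    # Matches JCS only for ASCII keys with string or integer values.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def event_hash(prev_hash, event):
    # Assumed construction: SHA-256(previous hash hex || canonical event bytes).
    return hashlib.sha256(prev_hash.encode("ascii") + canonicalize(event)).hexdigest()

def build_chain(events):
    records, prev = [], GENESIS
    for event in events:
        digest = event_hash(prev, event)
        records.append({"event": event, "prev_hash": prev, "hash": digest})
        prev = digest
    return records

def verify_chain(records, pinned_head=None):
    """Return (ok, detail). pinned_head is a head hash the verifier saved earlier."""
    prev = GENESIS
    for index, record in enumerate(records):
        if record["prev_hash"] != prev or record["hash"] != event_hash(prev, record["event"]):
            return False, f"mismatch at record {index}"
        prev = record["hash"]
    if pinned_head is not None and prev != pinned_head:
        return False, "head differs from pinned value"
    return True, "ok"

# Constructed sample events, not real Stonewrit records.
SAMPLE = [
    {"action": "refund.issue", "actor": "agent:billing-bot", "amount": 120},
    {"action": "approval.grant", "actor": "user:alice", "target": "refund-1"},
    {"action": "export.create", "actor": "agent:billing-bot", "rows": 40},
]
CHAIN = build_chain(SAMPLE)
PINNED_HEAD = CHAIN[-1]["hash"]  # what an auditor would store out of band

def tamper_demo():
    edited = [dict(r, event=dict(r["event"])) for r in CHAIN]
    edited[1]["event"]["target"] = "refund-2"            # edit one stored payload
    rebuilt = build_chain([r["event"] for r in edited])  # chain re-hashed after the edit
    return (verify_chain(edited)[1], verify_chain(rebuilt)[1],
            verify_chain(rebuilt, PINNED_HEAD)[1])
```

`tamper_demo()` returns `("mismatch at record 1", "ok", "head differs from pinned value")`: an in-place edit fails verification, while a chain re-hashed after the edit is internally consistent and is caught only by the pinned head.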
Still have questions?
Email the team directly. We answer every message.