Auditing · Part of ESSPRO

Every message. Every event. On the record.

When communications are end-to-end encrypted, compliance still needs a chain of custody. AMVLET Auditing captures a complete, tamper-evident stream of conversations and room events — transparent to participants, configurable by policy, and stored on infrastructure you control.

E2EE preserved · JSON event stream · S3 / file storage · SIEM-compatible
The compliance problem

Encrypted doesn't mean invisible to your own compliance team.

Most organisations deploying secure messaging face an impossible binary: disable E2EE so compliance can see conversations, or keep encryption and fight discovery requests without evidence.

AMVLET Auditing is built for regulated environments where both are non-negotiable. End-to-end encryption protects conversations from outside access. Auditing gives your own compliance team the authoritative record they need — on your terms, on your infrastructure.

Audit presence is visible in the room member list. Participants always know when a room is being recorded.
Configure scope per policy: all rooms, group conversations only, or custom rules per department or jurisdiction.
Structured JSON events — queryable, exportable, and compatible with any log analytics platform.
Audit scope configuration
#ops-command | Audited | 7 yr
#finance-q2 | Audited | 5 yr
#project-sovereign | Audited | 7 yr
Direct messages | Excluded
Storage: S3 · eu-west-1
Export: Splunk pipeline · active
Capabilities

Complete audit coverage.
Without compromising encryption.

Built for the evidence-chain requirements of regulated industries — and the operational flexibility compliance teams actually need to configure and maintain.

Transparent by design

Auditing is visibly present in the room member list. Every participant can see when a room is being captured — no covert observation, no hidden collection. Compliance with dignity.

Flexible scope

Configure auditing to match your obligations. Capture all rooms, group conversations only, or apply different retention windows per team, department, or compliance zone. Direct messages can be excluded entirely.

Structured JSON events

Every captured event is stored as machine-readable JSON — timestamps, sender identity, message content, room metadata, and event type. No proprietary format, no vendor lock-in, no manual export step.

Infrastructure you control

Audit streams write to S3-compatible object storage or local file storage — in your chosen region, on your chosen infrastructure. No audit data transits a third-party cloud without your explicit direction.

SIEM & analytics export

Forward the audit event stream directly to Splunk, Elastic, Graylog, or any syslog-compatible platform. Real-time streaming or batched export — configure to match your existing security operations pipeline.

Configurable retention

Define per-policy retention windows — from regulatory minimums to legal hold. Apply different retention periods per room, team, or compliance zone. Records are kept exactly as long as your obligations require.

Audit evidence

A complete chain of custody. In a format regulators can read.

Audit records captured by AMVLET include the full context regulators and legal teams need: who sent what, to which room, at what time — alongside join, leave, and policy events that show the full picture of a conversation's membership.

Every event is structured JSON. No post-processing required to load into your SIEM. No custom scripts to extract readable timestamps. The record is ready to export the moment it is captured.

1. Message content, sender identity, and room metadata captured in a single event record.
2. File transfers, room joins, and member leaves captured as distinct typed events alongside messages.
3. Policy enforcement events — invites verified or blocked — written to the same stream for complete accountability.
4. Stream is continuous, append-only, and tamper-evident. Records cannot be altered after capture.
AMVLET · Audit log · #ops-intelligence
Timestamp | Type | Actor | Detail
09:14:22 | MSG | L. Moreau · @l.moreau | "Deployment brief reviewed…"
09:14:45 | FILE | L. Moreau · @l.moreau | ops-brief-final.pdf · 2.1 MB
09:21:07 | JOIN | R. Hakimi · @r.hakimi | Joined · SCIM provision
09:35:22 | MSG | R. Hakimi · @r.hakimi | "Assessment forwarded…"
09:47:11 | LEAVE | T. Albrecht · @t.albrecht | Session ended
09:53:05 | POLICY | System · IAM-check | 3 invites verified · 0 blocked
Streaming · 847 events today → Splunk pipeline · active
Regulatory coverage

Built for the frameworks that mandate audit trails.

Regulated industries don't just benefit from audit records — they're required by law to maintain them. AMVLET Auditing produces the evidence formats these frameworks demand.

EU Regulation
GDPR
Article 5(2) accountability principle requires organisations to demonstrate compliance. Article 30 mandates records of processing activities including communications.
Financial Services
MiFID II
Mandates the archiving of all relevant communications — voice, electronic, and messaging — with five to seven year retention for firms operating in EU financial markets.
EU Cybersecurity
NIS2
Requires operators of essential services to maintain logs of security-relevant events. Incident documentation must be available for investigation and regulatory review.
International Standard
ISO 27001
Control A.12.4 mandates event logging and monitoring across information systems. Audit logs must be protected from tampering and available for operational review.
EU Financial Resilience
DORA
The Digital Operational Resilience Act requires financial entities to maintain ICT-related incident records and demonstrate the integrity of their communications infrastructure.
Healthcare
HIPAA
The Security Rule requires covered entities to log and audit access to protected health information, including messages and files transmitted over communications systems.
How it works

From conversation to compliance archive.

A continuous, four-stage pipeline from event capture through to long-term retention and operational review — no manual steps, no custom integration work.

Capture

Messages, file transfers, room joins, and policy events captured in real time. Audit presence shown in the room member list.

Configure

Administrators define scope, retention windows, and per-room policies. DMs can be excluded; specific rooms can carry elevated retention periods.

Store

Structured JSON events written to S3-compatible storage or local file storage. Your region, your infrastructure, your access controls.

Review

Records streamed to your SIEM or analytics platform. Filter by room, user, date, or event type. Export for legal discovery or regulatory inspection.

Questions

Frequently asked.

The questions compliance leads, legal teams, and security architects ask in the first call.

Does auditing break end-to-end encryption?
No. Messages remain end-to-end encrypted between participants. Auditing works alongside E2EE — the organisation's own infrastructure captures the record, not a third party. Encryption protects conversations from external access; auditing gives your own compliance team the evidence they are authorised to hold.
Are participants notified when a room is being audited?
Yes. Auditing is transparent by design. The audit presence is visibly displayed in the room member list, so every participant is aware their conversation is being captured. There are no hidden observers. This transparency is a deliberate design principle, not just a feature.
Can I exclude direct messages from auditing?
Yes. Administrators can configure auditing to apply only to group rooms and channels, excluding direct messages entirely. Different configurations can be applied per department, team, or compliance zone — enabling precise alignment with your organisation's data governance policy.
What format are audit records stored in?
All captured events are stored as structured JSON — one event per record, with timestamps, sender identity, message content, room metadata, and event type. This format is compatible with any log analytics or SIEM platform and requires no custom parsing or transformation before ingestion.
Can audit records be forwarded to our existing SIEM?
Yes. Audit event streams can be forwarded in real time or batched to Splunk, Elastic, Graylog, or any syslog-compatible platform. If your security operations team already has log ingestion pipelines, the AMVLET audit stream plugs in without requiring a new workflow.
Where are audit records physically stored?
On infrastructure you control. Audit records write to S3-compatible object storage or local file storage — in your chosen region, behind your own access controls. No audit data passes through third-party infrastructure unless you configure an export to one. For air-gapped deployments, records write to local storage with no external network dependency.
How long are records retained?
Retention windows are configurable per policy. You can set different retention periods per room, team, or compliance zone — from short operational logs to seven-year legal-hold archives. Legal hold flags can be applied to specific rooms to prevent deletion regardless of the default retention window.
Does auditing work in air-gapped deployments?
Yes. Auditing is available across all deployment modes — on-cloud, self-hosted, and air-gapped. In air-gapped environments, audit records write to local storage with no external network dependency. The full event stream, including SIEM forwarding to an internal instance, operates entirely within the air-gapped perimeter.

Give compliance the evidence chain they need.

Configure audit scope, connect your SIEM, and run a pilot deployment with full event capture in under two weeks.
