Audit-ready by construction.
Compliance is the trust layer underneath every agent run: an append-only audit log that records every meaningful action, a PII proxy that scrubs sensitive data before it reaches a model provider, and bring-your-own-key so your runs use your credentials — not ours.
in email dana@acme.io, card 4242 4242 4242 4242
out email <REDACTED:email>, card <REDACTED:credit_card>
01
Every action, on the record
Agent runs, canvas runs, eval grades, budget changes, role changes, token and BYOK key events — over twenty distinct action types land in one append-only audit log, each stamped with actor, resource, and a link back to its trace. Owners and admins can export the full trail as streamed JSONL or RFC-4180 CSV; everyone else gets read-only access. Retention is yours to set, from a week to ten years.
02
PII never leaves your infra
With the proxy on, every prompt, system message, and tool input is scrubbed before the model call. Emails, phone numbers, SSNs, Luhn-checked credit cards, IPv4 addresses, token-bearing URLs, and Anthropic / OpenAI / AWS key formats are replaced with typed <REDACTED:kind> markers. Strict mode adds IPv6 and long digit runs. The original is preserved on your server inside the RLS-protected trace span, so you keep the full context while the provider only ever sees structure.
03
Your keys, your spend
Point Stackon at your own Anthropic and OpenAI keys and every run on the team bills to your account, falling back to platform keys only when none is set. Keys are encrypted with AES-256-GCM at rest — we only ever surface the last four characters and the last rotation time. Rotating or removing a key is one form submit, and the change is written straight into the audit trail.
04
Composes with the rest of Stackon
Compliance isn't a bolt-on; it reads from the same primitives every other pillar writes to. The audit log links directly into Trace, the PII proxy attributes its redaction count onto the span it scrubbed, and BYOK governs the very runs that Missions, Canvas, and Evals fan out. Turn it on and the trust layer is already wired through everything you've built.
Audit actions tracked: 20+ types
Export formats: JSONL · CSV
Key encryption: AES-256-GCM
Retention range: 7 – 3650 days
Part of one platform
Compliance works hand in hand with Apps & Surfaces.
Speed plus trust — prove your agents got better this week.
Compliance is one piece of Stackon, the observability-first workspace for teams running Claude and Codex. Start free and instrument your first run today.