
Audit, Security & Compliance

Enterprise-grade governance for financial infrastructure. Immutable audit trails, RBAC, SOC 2, GDPR, and data residency.

Updated 2026-06-15

The Immutable Audit Trail

Aforo treats every API request as a financial event. Every interaction is logged to a non-repudiable, append-only audit trail.

Request Fingerprinting: Every canAccess check is logged with a unique request ID, a timestamp, the gateway it originated from, and the entitlement logic that was applied.
Version History: Every Plan and Margin Guard change is version-controlled, so you can see who changed what, and when.
Tamper-Proof Storage: Append-only architecture. Logs cannot be modified or deleted by any user, including administrators.
audit-log-entry.json:

```json
{
  "event_id": "audit_7f3a2b1c",
  "timestamp": "2026-03-29T14:32:00.042Z",
  "actor": { "user_id": "user_456", "role": "PRODUCT_MANAGER", "ip": "203.0.113.42" },
  "action": "RATE_PLAN_UPDATED",
  "target": { "type": "rate_plan", "id": "rp_uuid_789", "name": "Enterprise AI Tier" },
  "changes": {
    "rate_per_1k_tokens": { "before": 0.003, "after": 0.005 },
    "min_commit": { "before": 500, "after": 1000 }
  },
  "metadata": { "reason": "Provider cost increase — Anthropic pricing update Q2 2026" }
}
```

Access Control (RBAC)

| Role | Permissions | Best For |
|---|---|---|
| Viewer | Read-only access to dashboards and audit logs | Support & Analytics |
| Product Manager | Create/Edit Plans, Rate Cards, and Offerings | Growth & Revenue |
| Developer | Manage API Keys and Gateway configurations | Engineering & DevOps |
| Finance Admin | Finalize Invoices, manage ERP sync, set Margin Guards | Finance & Accounting |
| Owner | Full system access including User Management and SSO | Platform Leads |
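The two sections above describe an append-only audit trail that records every canAccess decision, and a role table that decides those checks. The block below is an added illustration, not Aforo's code and not a description of how Aforo implements its audit trail: an append-only log made tamper-evident by hash chaining (each entry commits to the hash of the one before it), plus a canAccess-style check that records every decision, allowed or denied, with its request ID and gateway. The permission strings, the hash-chain design, and the sample actors are assumptions made for this example; only the role names follow the table.

```python
import hashlib
import json
from datetime import datetime, timezone

# Role -> permissions, transcribed from the RBAC table above. The permission
# strings are assumed names for this example, not Aforo's identifiers.
ROLE_PERMISSIONS = {
    "VIEWER": {"dashboard:read", "audit_log:read"},
    "PRODUCT_MANAGER": {"dashboard:read", "rate_plan:write",
                        "rate_card:write", "offering:write"},
    "DEVELOPER": {"dashboard:read", "api_key:manage", "gateway:configure"},
    "FINANCE_ADMIN": {"dashboard:read", "invoice:finalize",
                      "erp_sync:manage", "margin_guard:set"},
    "OWNER": {"*"},  # full system access
}


def _canonical_digest(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend
    # on serialization details such as key order.
    raw = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to its predecessor's hash.

    The chain makes any edit, deletion or reordering of stored entries
    detectable by verify(). It does not, by itself, stop someone who controls
    the storage from rewriting the whole chain; for that the latest
    entry_hash has to be anchored somewhere the writer cannot alter
    (WORM storage, an external timestamping service, a published checkpoint).
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self._entries = []

    def append(self, event):
        prev = self._entries[-1]["entry_hash"] if self._entries else self.GENESIS
        entry = dict(event, seq=len(self._entries), prev_hash=prev)
        entry["entry_hash"] = _canonical_digest(entry)  # hash excludes itself
        self._entries.append(entry)
        return entry

    def entries(self):
        # Hand out copies: there is no API to modify or delete a stored entry.
        return [dict(e) for e in self._entries]

    @staticmethod
    def verify(entries):
        """Return (True, None) if the chain is intact, else (False, seq)
        where seq is the index of the first entry at which it breaks."""
        prev = AuditLog.GENESIS
        for i, e in enumerate(entries):
            if e.get("seq") != i or e.get("prev_hash") != prev:
                return False, i          # deleted, reordered or inserted entry
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _canonical_digest(body) != e.get("entry_hash"):
                return False, i          # contents edited in place
            prev = e["entry_hash"]
        return True, None


def _utc_now():
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return ts.replace("+00:00", "Z")  # same shape as the page's timestamps


def can_access(log, actor, permission, request_id, gateway):
    """RBAC decision. Every check is written to the log, whether it is
    allowed or denied, together with the request ID and gateway."""
    perms = ROLE_PERMISSIONS.get(actor["role"], set())  # unknown role -> no rights
    allowed = "*" in perms or permission in perms
    log.append({
        "timestamp": _utc_now(),
        "action": "ACCESS_CHECK",
        "request_id": request_id,
        "gateway": gateway,
        "actor": actor,
        "permission": permission,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    pm = {"user_id": "user_456", "role": "PRODUCT_MANAGER"}   # constructed actor
    viewer = {"user_id": "user_001", "role": "VIEWER"}        # constructed actor
    can_access(log, pm, "rate_plan:write", "req_7f3a", "gw-us-east-1")
    can_access(log, viewer, "rate_plan:write", "req_7f3b", "gw-us-east-1")
    print(AuditLog.verify(log.entries()))   # (True, None)
    snapshot = log.entries()
    snapshot[1]["decision"] = "ALLOW"        # simulate an edit to an exported copy
    print(AuditLog.verify(snapshot))         # (False, 1)
```

Denied checks are logged as deliberately as allowed ones: a run of DENY entries for one actor or one request ID is the signal an investigator looks for, and it is only available if the check itself writes the record. The verify() routine is what an auditor would run over an exported log; the caveat in the class docstring about anchoring the head hash externally is what separates "tamper-evident" from "tamper-proof".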

Global Compliance Standards

SOC 2 Type II: Internal controls for security, availability, and confidentiality are audited annually by an independent assessor.
GDPR & CCPA: Aforo acts as a Data Processor. Full coverage: DSR queue (Art. 12-22), consent ledger (Art. 7), breach workflow (Art. 33-34), RoPA (Art. 30), DPIA (Art. 35). See the Privacy & GDPR section for the full reference.
PCI-DSS Level 1: Payment processing is handled by PCI-compliant gateways (Stripe/Adyen). Sensitive card data never touches your infrastructure.
HIPAA-Ready: A BAA is available for healthcare customers. PHI isolation, encryption at rest (AES-256), and access audit logging.

Data Residency

Enterprise customers can choose where their metering and billing data is stored to comply with local sovereignty laws:

- US (United States): us-east-1 (Virginia)
- EU (European Union): eu-west-1 (Ireland)
- IN (India): ap-south-1 (Mumbai)

INFO: Indian tenant data can be stored exclusively within Indian borders, ensuring compliance with the DPDP Act 2023 and RBI data localization requirements.

SSO Integration

SECURITY NOTE: Aforo supports SAML 2.0 and OIDC for Single Sign-On, allowing your team to manage access via Okta, Azure AD, or Google Workspace. User provisioning and de-provisioning are automatic via SCIM.