For regulated industries
DCAA-aligned. Audit-ready. By design.
Same login, same compliance discipline as the timekeeping platform federal contractors already use through Hour Timesheet — now extended to every AI agent on the platform.
The controls regulated-industry customers expect
Attribution
Every action stamped with who, what, when, why — agent, human approver, prompt version.
Contemporaneous logging
Actions logged at execution time, not reconstructed after the fact.
Tamper-evident ledger
HMAC-chained append-only audit log, anchored to GCP KMS. Verifiable on replay.
Approval thresholds
Customer-configurable $ thresholds and category gates. Required approver roles, enforced.
Segregation of duties
Approver cannot be the most recent prompt editor of the requesting agent within 24h.
Tool & data scope
Per-agent restrictions on which tools, which data, which external comms channels are allowed.
Evidence export
Signed CSV/JSON export of action log + approvals + policy versions, scoped to any date range.
Retention
7-year retention available for regulated-industry tenants. Customer-configurable.
What we do not claim
Honest > shiny. Where we don't have the certification, we don't claim it.
- ❌ DCAA-compliant / DCAA-certified
- ❌ FedRAMP / GovCloud
- ❌ ITAR / CMMC / CUI
- ❌ SOC 2 (in progress, not certified)
- ❌ "Immutable" — nothing is. We say tamper-evident.
- ❌ "Blockchain" — we say hash-chained, append-only ledger.
We say DCAA-aligned, audit-ready architecture, and controls regulated-industry customers expect. Every stronger claim has to be defensible by a specific shipped feature.
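What "tamper-evident" means for an HMAC-chained, append-only log, shown as an added example that is not this platform's code: each record's MAC covers the previous record's MAC, so replaying the chain pinpoints an edited or deleted record, and a head value held outside the log catches truncation. The key, the entry fields and the way the head is anchored are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed chain start value (assumption)
SAMPLE = [  # constructed sample entries; field names are hypothetical
    {"agent": "ap-agent", "action": "draft_invoice", "amount": 120, "approver": None},
    {"agent": "ap-agent", "action": "pay_invoice", "amount": 4200, "approver": "cfo"},
    {"agent": "hr-agent", "action": "send_email", "amount": 0, "approver": None},
]


def _mac(key, prev, entry):
    # Canonical JSON so an entry always serializes to the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(log, key, entry):
    """Link the entry to the previous record's MAC; return the new head MAC."""
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    mac = _mac(key, prev, entry)
    log.append({"entry": entry, "mac": mac.hex()})
    return mac


def verify(log, key, anchored_head):
    """Replay the chain; return (ok, index of first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["entry"])
        if not hmac.compare_digest(expected, bytes.fromhex(rec["mac"])):
            return (False, i)
        prev = expected
    # Truncation leaves surviving links valid; only the external head reveals it.
    if not hmac.compare_digest(prev, anchored_head):
        return (False, len(log))
    return (True, None)


def demo():
    key, log, head = b"constructed-demo-key", [], GENESIS
    for entry in SAMPLE:
        head = append(log, key, entry)
    edited = [dict(r, entry=dict(r["entry"])) for r in log]
    edited[1]["entry"]["amount"] = 42  # silent edit of a stored record
    return {"intact": verify(log, key, head), "edited": verify(edited, key, head),
            "deleted": verify(log[:1] + log[2:], key, head),
            "truncated": verify(log[:2], key, head)}
```

Anyone holding the MAC key can recompute the whole chain, so the evidence is only as strong as the separation between the key and the log store.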
Bring your auditor.
Hand them a signed evidence export — action log, approval history, and policy versions — scoped to the date range they need. The same format goes to a regulator on request.