Audit & provenance fabric
Tamper-evident by default.
The Evidence Ledger is the audit and provenance fabric under every action in careos. It records what happened, who did it, with what authority, and under which policy — on a primitive that is independently reviewable, exportable, and tamper-evident.
What the Ledger records
Six classes of evidence. One primitive.
Administrative actions
Every administrative action — creates, updates, deletes, state transitions — with actor, timestamp, and source context.
Authentication events
Every authentication event with IP, device fingerprint, outcome, method, and session linkage.
Policy changes
Every policy, role, and configuration change with a structured diff and an approver on record.
AI decisions
Every AI decision with model, prompt version, source evidence, reviewer, and downstream effects.
Workflow transitions
Every workflow state transition linked back to the plan version and rule that allowed it.
Patient data access
Read-level auditing: who looked at which record, when, under what authority, and for how long.
Compliance workflows on top
Every compliance chore as a product surface.
The Ledger is not only a log — it is the substrate for every compliance workflow a regulated operator needs.
DSAR / SAR
Tenant-safe search across the Care Graph, compile, review, redact, approve, and export. Turns the quarterly scramble into a minutes-long workflow.
Legal hold
Hold scoped by patient, episode, document, or investigation. Overrides retention, tracks approvers, and releases only on signed authority.
Access review
Dormant-user controls, segregation-of-duties enforcement, privilege session review, and periodic attestation queues.
Retention as code
Schedules expressed as policy — by data class, legal basis, and jurisdiction. Automated deletion with audit evidence, not manual clean-up.
Break-glass
Emergency access requires justification, approval, and expiry. Every session is reviewed post-event with structured artefacts.
Incident packs
CAPA, investigation, and evidence assembly on templates so the work of responding to an incident does not start from a blank page.
Verification & independence
Verifiable without application access.
Independent review
Audit outputs are reviewable without application access. Auditors see evidence directly, not via a staff user in the UI.
Cryptographic anchoring
Ledger entries are chained and anchored so tampering is detectable. Tamper-evidence is the default, not opt-in.
External export
Every record is exportable to external audit systems in structured formats with schema versioning.
SIEM integration
Syslog, webhook, and API delivery to the SIEM of record. Security operations never have to ask for a data pull.
Retention evidence
Automated deletion jobs emit structured evidence records: what was deleted, under which policy, on whose authority, with what legal basis.
Deletion evidence
Right-to-erasure, contract-end deletion and offboarding run as productised flows — every removal produces a signed, exportable completion artefact.
Why this matters commercially
Trust as a sales asset, not a liability.
Compliance as product
Compliance becomes a productised surface, not a fire drill. You do not build DSAR workflows; you use them.
Audit in minutes
Audit preparation drops from days to minutes. The evidence is already assembled, indexed, and filterable.
On-demand packs
Regulatory evidence packs generated on demand from a single pane. No scavenger hunt across shared drives.
Trust as an asset
Trust becomes a sales asset. You win deals with the audit story rather than surviving them despite it.
Procurement acceleration
DTAC, DSPT and security questionnaires answered from the ledger directly — evidence pulls replace weeks of manual assembly.
Incident credibility
When something does go wrong, the post-incident pack is already complete: timeline, actors, decisions, remediations. Credibility is defensible.
Evidence Ledger
See a DSAR run end-to-end.
The fastest way to understand the Ledger is to watch a DSAR workflow run on the sample tenant. We demo it live.