# How do we improve auditability and accountability around sensitive data access?

*Domain Solution · Compliance & Audit*

Every CipherStash decryption is tied to a verified identity and recorded, producing a cryptographically-backed log of who accessed which sensitive values and when. Access reviews and incident investigations start from evidence, not log archaeology.

## Refined Question

When an auditor, customer, or incident commander asks "who has accessed this person's data in the last 90 days?", we want a precise answer — not a best-effort reconstruction from application logs. How do we make sensitive data access genuinely auditable?

## Why This Matters

Database logs record queries, not meaning: they rarely capture which human was behind a request, and they can be bypassed, truncated, or simply never enabled. Accountability built on incomplete logs collapses exactly when it matters — during an investigation.

## Why CipherStash

CipherStash makes decryption the audited event. Because every sensitive value requires an identity-bound key derivation to read, the audit trail is a complete, tamper-evident record of actual access — not a sampling of queries.

This allows:

- Every decryption to be attributed to a verified identity
- Access reviews to be answered from authoritative records
- Incident scope to be enumerated value-by-value
- Customer and regulator questions to be answered with evidence

## Key Differentiators

- **Cryptographic auditability** — a verifiable record of who decrypted what, and when
- **Identity-aware decryption** — every decryption is bound to the identity behind the request
- **Per-value keys via ZeroKMS** — keys are derived on demand, never stored
- **Application-layer encryption** — data is protected before it reaches the database
- **No re-platforming** — works over the Postgres you already run


