What the audit trail contains
Every governance decision in Fundamentum generates a structured audit record. The record is immutable — it cannot be deleted, edited, or retroactively altered. Records are cryptographically linked: each record contains a hash of the previous record, so any tampering with historical records is immediately detectable.
| Field | Contents | Purpose |
|---|---|---|
| Event type | OTA deploy, command, state transition, policy change, credential operation | Classification for filtering and reporting |
| Actor identity | Cryptographic identity of the requesting entity (device, user, API, service) | Non-repudiation — "I didn't authorize that" is refutable |
| Target | Device ID, device category, or fleet subset | Scope of the action |
| Policy version | Hash of the policy configuration in effect at decision time | Reproducibility — the decision can be re-evaluated against the same rules |
| Decision | Grant / Deny with full rationale | Compliance evidence and incident reconstruction |
| Timestamp | Cryptographically signed timestamp from Fundamentum's time authority | Tamper-evident sequencing |
| Chain hash | Hash of the previous audit record | Tamper detection — any alteration breaks the chain |
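
The chain-hash check from the table above, as an added example (not Fundamentum's code or record format): it assumes SHA-256 over canonical JSON, hypothetical field names, and constructed sample records. It shows that an edited record surfaces as a mismatch at its successor, while removal of the newest records is caught only by comparing against a head hash stored outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain_hash value for the first record

def record_hash(record):
    """SHA-256 over a canonical JSON encoding (assumed serialization)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append(chain, **fields):
    """Append a record whose chain_hash commits to the previous record."""
    prev = record_hash(chain[-1]) if chain else GENESIS
    chain.append({**fields, "chain_hash": prev})

def head(chain):
    """Hash of the newest record; store a copy of this outside the log."""
    return record_hash(chain[-1]) if chain else GENESIS

def verify(chain, trusted_head=None):
    """Return (ok, index of first inconsistency or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("chain_hash") != prev:
            return False, i, "chain_hash does not match previous record"
        prev = record_hash(rec)
    # A log with its newest records removed is still internally consistent,
    # so the final hash must also match the externally stored head.
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain), "head differs from externally stored head"
    return True, None, "ok"

def demo():
    """Constructed sample records; all values are illustrative placeholders."""
    log = []
    append(log, event_type="ota_deploy", actor="user:alice", target="fleet:pumps",
           policy_version="policy-hash-a", decision="grant", timestamp="2026-01-10T09:00:00Z")
    append(log, event_type="command", actor="svc:scheduler", target="device:0042",
           policy_version="policy-hash-a", decision="deny", timestamp="2026-01-10T09:05:00Z")
    append(log, event_type="policy_change", actor="user:bob", target="fleet:pumps",
           policy_version="policy-hash-b", decision="grant", timestamp="2026-01-10T09:07:00Z")
    anchored = head(log)
    edited = [dict(r) for r in log]
    edited[1]["decision"] = "grant"   # historical record rewritten in place
    truncated = log[:2]               # newest record removed
    return (verify(log, anchored), verify(edited, anchored),
            verify(truncated), verify(truncated, anchored))

if __name__ == "__main__":
    print(demo())
```
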
SOC 2 Type II — what it means in practice
SOC 2 Type II is not a questionnaire or a self-assessment. It is an independent audit that evaluates whether a company's security controls actually operate as designed — not just whether they exist on paper. Fundamentum operates under a SOC 2 Type II perimeter audited by RCGT, with a report dated April 15, 2026, as part of Groupe Vectanor.
What SOC 2 Type II unlocks for Amotus clients: Enterprise procurement teams that require security attestation from vendors can accept the SOC 2 Type II report as evidence. Healthcare organizations subject to HIPAA and Health Canada requirements can use it as part of their vendor due diligence package. Insurance underwriters use it to reduce the assessed risk profile of Fundamentum-governed deployments. Defence procurement offices include it in CPCSC-compatible vendor qualification.
Compliance use cases
- Incident reconstruction: When something goes wrong at scale, the audit trail provides a complete, tamper-evident timeline of what was authorized, by whom, under what policy, at what time. The mean time to diagnosis for incidents on governed fleets is measurably lower than on ungoverned fleets.
- Regulatory submission: Healthcare, energy, and financial services regulators increasingly require evidence of device control procedures. Fundamentum's audit trail provides this evidence in a structured, exportable format.
- Insurance documentation: Cyber insurance underwriters assess the risk profile of a fleet based on the existence and quality of governance controls. SOC 2 Type II certification and a demonstrable audit trail are material factors in premium calculation.
- Customer SLA evidence: Enterprise customers who purchase connected products or services may require evidence of update governance. The audit trail provides cryptographic proof of every update decision — timestamps, authorization, and outcome.