The fastest path to a SOC 2, ISO 27001 and GDPR audit trail
You already have a SaaS in production. Now you need an audit trail that survives a Type II report, an ISO 27001 stage-2 audit, and a GDPR DPIA. Recalled gives you all three without migrating a single table.

```javascript
// Every sensitive action ends up in Recalled
await recalled.events.create({
  action: "data.export.requested",
  actor: { id: admin.id, email: admin.email },
  organization: tenant.id,
  targets: [{ type: "dataset", id }],
  metadata: { format, requesterType, reason },
});
```

You are in the middle of a compliance engagement. The auditor asked for access logs. The DPO asked for a data map. Your enterprise prospects ask for a DPA. All three want the same thing: an immutable, searchable, exportable record of who did what, when, and with whose data. Recalled is that record, and you can add it to a live product without a migration.
Why compliance-stage SaaS pick Recalled
- HMAC-signed hash chain
Every event is HMAC-SHA256 signed with a server-side key and chained to the previous one. SOC 2 and ISO 27001 auditors call GET /v1/events/verify to check the whole chain without trusting us.
- EU hosting, GDPR-ready
All data stored in the EU, encrypted at rest with AES-256, DPA accepted at signup, one-call erasure for Article 17.
- Off-DB trail
The trail does not live in your Postgres. A breach of your primary database does not let an attacker rewrite the audit evidence.
- CSV exports for auditors
Filter by date range, action prefix or actor. Hand the export to your auditor, your lawyer, your DPO, your customer.
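
To make the "HMAC-signed hash chain" point above concrete, here is an added Node.js example (not Recalled's code) that chains events with HMAC-SHA256 and reports the first record that fails verification. The record layout (`event`, `prev`, `sig`), the canonical serialization, the all-zero genesis value and the demo key are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed demo key (assumption); a real signing key stays server-side.
const DEMO_KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const GENESIS = "0".repeat(64); // assumed "previous signature" of the first record

// Deterministic serialization: sorted keys, so equal events sign identically.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Signature covers the previous signature (fixed-length hex) and the event.
function sign(key, prev, event) {
  return createHmac("sha256", key).update(prev + "\n" + canonical(event)).digest("hex");
}

function append(chain, key, event) {
  const prev = chain.length ? chain[chain.length - 1].sig : GENESIS;
  chain.push({ event, prev, sig: sign(key, prev, event) });
  return chain;
}

// Returns -1 when the chain is intact, else the index of the first bad record.
function verify(chain, key) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const expected = Buffer.from(sign(key, prev, chain[i].event), "hex");
    const actual = Buffer.from(String(chain[i].sig), "hex");
    const ok = chain[i].prev === prev && actual.length === expected.length
      && timingSafeEqual(actual, expected);
    if (!ok) return i;
    prev = chain[i].sig;
  }
  return -1;
}

// Constructed sample events, not real audit data.
function demo() {
  const chain = [];
  for (const action of ["user.login", "data.export.requested", "role.changed"]) {
    append(chain, DEMO_KEY, { action, actor: { id: "u_1" } });
  }
  return chain;
}
```

Editing or deleting a record in the middle breaks verification at that position, but dropping records from the tail leaves a valid shorter chain. A verifier therefore also needs the latest signature or the event count recorded somewhere the log writer cannot change.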
The compliance checklist, checked
Access logs with hash-chained integrity, check. Change logs for sensitive actions, check. Data subject access request trail, check. EU residency, check. Encryption at rest, check. One-call erasure for Article 17, check. DPA at signup, check. You spend your engineering time on the product, not on the spreadsheet.
What to wire first
Three use cases that move the compliance needle fastest.
SOC 2 and ISO 27001 both require an immutable record of sensitive actions. Recalled emits hash-chained, signed events so your auditor can verify integrity without trusting your database.
Recalled is hosted in the EU, encrypted at rest, and exposes a one-call anonymization endpoint for Article 17. Ship a GDPR-ready audit trail without building your own data protection layer.
Log every sensitive action taken by a staff member from your back-office: suspensions, refunds, impersonations, role changes. Answer 'who did this and when' before anyone has to ask.
Priority actions to wire
Your next audit log is 2 minutes away
Stop hacking on your own logs table. Drop in Recalled, send your first event, move on.