Open source · Apache 2.0

Don't lose your next
enterprise deal.

Add enterprise-grade audit logs to your SaaS in an afternoon. Hash chain verified. Open source. SOC2-ready.

Get StartedStar on GitHub
The SDK

Built so you don't have to.

A hash chain, storage, search, and compliance exports — in one line.

import { Ormaos } from '@ormaos/node';
const ormaos = new Ormaos({ apiKey: process.env.ORMAOS_KEY });

// One call. Every action. Traced.
await ormaos.audit.log({
  actor: { id: 'usr_01HXQ4', email: 'john@ormaos.com' },
  action: 'api_key.rotated',
  target: { id: 'key_01HX9Z', scope: 'production' },
  context: { ip: '203.0.113.42', userAgent: 'Ormaos-Dashboard/1.0' },
});
Tamper-evident by design

Every event, cryptographically linked.

Each log references the hash of the previous one. Change a single event and the whole chain breaks. Auditors love math they can verify.

#1
user.loginbysarah@app.example
prev:genesishash:3f9a8b2c...
verified
#2
api_key.rotatedbyjohn@ormaos.com
prev:3f9a8b2c...hash:7e2d4a1f...
verified
#3
customer.deletedbyadmin@ormaos.com
prev:7e2d4a1f...hash:c1b5e8d3...
verified
#4
audit.exportedbyjohn@ormaos.com
prev:c1b5e8d3...hash:9a4f2c7b...
verified

Run ormaos.audit.verify() to prove integrity across any range.

Pricing

Priced by events, not seats.

Pay for what you log. Every tier includes the hash chain, widget, and exports.

Free

For side projects and evaluation.

$0/forever
50K events / month
7-day retention
  • Hash chain verification
  • Embeddable widget
  • Community support
Start free

Starter

For teams not yet in formal audit.

$29/month
500K events / month
30-day retention
  • Everything in Free
  • CSV & JSON exports
  • Email support
Start free trial
Most popular

Pro

For SaaS closing their first enterprise deal.

$79/month
2M events / month
1-year retention
SOC2-ready
  • Everything in Starter
  • SOC2-formatted exports
  • Webhooks & custom actors
  • Priority support
Start free trial

Scale

For SaaS with mature enterprise customers.

$199/month
10M events / month
3-year retention
  • Everything in Pro
  • 99.95% SLA
  • SSO / SAML
  • Dedicated Slack support
  • Custom actor schemas
  • Webhook signature validation
Start free trial

Enterprise

For regulated industries and high-scale SaaS.

Custom
Unlimited events
Up to 10-year retention
HIPAA / SOX ready
  • Everything in Scale
  • 99.99% SLA with credits
  • SCIM provisioning
  • Dedicated CSM
  • Custom MSA & DPA
  • On-premise deployment
  • 24/7 security response
Contact sales

Self-host for free.

Apache 2.0 licensed. Bring your own Postgres. Same code as the cloud.

Get it on GitHub
Questions

Asked and answered.

How does the hash chain actually work?

Every event you log includes the SHA-256 hash of the previous event. Change one event and every subsequent hash breaks. Run ormaos.audit.verify() and you get cryptographic proof the log hasn't been tampered with. No trust required — math speaks.

Can I self-host OrmaOS?

Yes, free forever under Apache 2.0. Bring your own Postgres, run it via Docker Compose, done. Zero feature gating between self-host and managed cloud — same code, same capabilities. You only pay the cloud for convenience: SLA, backups, managed Postgres, upgrades.

How is this different from WorkOS Audit Logs?

WorkOS sells audit logs as part of a suite (SSO + SCIM + Auth + Audit Logs). You pay $99-125+/month and have to adopt their ecosystem. OrmaOS is standalone: you keep your auth stack (Auth0, Clerk, Supabase, whatever), we do only audit. We're also open source. They're not.

Will this actually pass a SOC2 audit?

The Pro tier's 1-year retention, hash chain integrity, and SOC2-formatted CSV exports cover the core audit-log controls (CC6.1, CC7.2). The product is designed to give auditors what they ask for. We provide a readiness document and answer questions during audit season.

How fast can I integrate OrmaOS into my SaaS?

One SDK install, one API key, one method call. Most teams go from signup to first logged event in under 15 minutes. The embeddable widget for customer-facing audit log views takes another 10 minutes.

What happens if I hit my event quota?

We never hard-fail audit logs — that would break your compliance story. You get email alerts at 80% and 100% of quota. Events above quota are still accepted during a 7-day grace period, then write access is throttled (reads stay open) until you upgrade.

Can I migrate my existing audit logs into OrmaOS?

Yes. The API accepts historical events with custom timestamps. We backfill the hash chain correctly. The CLI has a migrate command for bulk imports from CSV or other audit log systems.

Who owns my audit data?

You do. Fully exportable at any time via the API or dashboard. No lock-in. Apache 2.0 license means you could literally fork the server and run it yourself forever if you wanted to.

Ship enterprise-ready
audit logs this week.

Join the waitlist. Get early access, founder-direct support, and lifetime pricing on launch.

No spam. One launch email. Unsubscribe anytime.