Cache and Compliance: Meeting Audit Requirements

The org-shared cache provides a complete audit trail for every cached interaction without storing raw content. This design helps you meet regulatory and certification requirements while maintaining the privacy benefits of content-free audit records.

Use this page when

  • You need to understand how cached LLM responses maintain audit compliance (SOC 2, ISO 27001, HIPAA).
  • You are preparing for an audit and need to show cache-layer controls, retention policies, and access logs.
  • You want to configure cache retention and purge rules to meet regulatory requirements.

Primary audience

  • Primary: Technical Leaders
  • Secondary: Technical Engineers, AI Agents

Compliance-Relevant Properties

The cache system provides several properties that map directly to common compliance framework requirements:

Property                   Description
Complete audit trail       Every cache interaction is logged with outcome metadata
No raw content in logs     Prompts and responses appear in audit records by digest only
Provenance tracking        Every cached response traces back to its creation context
Access control logging     Denied replay attempts are recorded with the denial reason
Immutable audit records    Append-only audit log prevents tampering
Economics tracking         Cost avoidance is recorded for financial accountability
Org isolation              Strict tenant boundary with multi-layer enforcement

SOC 2 Considerations

SOC 2 Trust Service Criteria relevant to cache operations:

CC6.1 — Logical and Physical Access Controls

The cache enforces logical access controls through:

  • Org-level isolation (org_id in every cache key).
  • Entitlement-based access control (entitlement digest matching).
  • Authentication-derived identity (no user-supplied org_id).

Evidence available: Replay audit records showing denied_replay outcomes with the entitlement_mismatch reason demonstrate that access controls are actively enforced.

CC7.2 — System Monitoring

The cache provides continuous monitoring through:

  • Real-time replay audit records for every interaction.
  • Metrics on hit rates, denial rates, and stale miss rates.
  • Alerting on anomalous patterns (e.g., spike in denied replays).

Evidence available: Audit log exports showing continuous recording of all cache interactions with timestamps and outcomes.

CC8.1 — Change Management

The cache tracks configuration changes through:

  • Policy digest changes that invalidate affected cache entries.
  • Agent version tracking that prevents serving entries from outdated agents.
  • Config digest tracking that captures all configuration state.

Evidence available: Stale miss records showing policy_digest or config_digest as the invalidating signal demonstrate that changes are detected and enforced.
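The CC6.1 and CC8.1 sections above describe three decisions the cache makes on every replay: the org_id is part of the key, the entitlement digest must match the one the entry was created under, and a changed policy or config digest turns a would-be hit into a stale miss; every path writes one audit record that carries digests rather than content. The following added example models those decisions in Python so that the evidence they produce can be seen end to end. It is illustrative code written for this page, not Keeptrusts' own implementation: the outcome names (hit, miss, stale_miss, denied_replay), the entitlement_mismatch reason and the policy_digest / config_digest invalidating signals follow the page, while the record layout, the key derivation, the cost-avoided price, and all identities and digests in `demo()` are constructed assumptions.

```python
"""Toy model of content-free replay auditing for an org-shared cache.

Added example; this is not Keeptrusts' code. The outcome names (hit, miss,
stale_miss, denied_replay), the reason entitlement_mismatch and the
invalidating signals policy_digest / config_digest follow the page; the
record layout, key derivation and the flat token price are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def digest(value: str) -> str:
    """Hex SHA-256; audit records carry digests of content, never the content."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Context:
    """Request context. org_id is derived from authentication, not supplied by the caller."""
    org_id: str
    caller_id: str
    entitlement_digest: str
    policy_digest: str
    config_digest: str


@dataclass
class Entry:
    response: str
    created_by: Context      # provenance: who created the entry and under which digests
    model_id: str
    token_estimate: int


@dataclass
class ReplayCache:
    store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only: records are never edited or removed
    usd_per_1k_tokens: float = 0.002               # assumed flat price for the cost-avoided estimate

    def key(self, org_id: str, prompt: str) -> str:
        # org_id is part of every key, so two tenants can never share an entry.
        return digest(f"{org_id}\x00{digest(prompt)}")

    def _record(self, ctx: Context, prompt: str, outcome: str, **extra) -> dict:
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "org_id": ctx.org_id,
               "caller_id": ctx.caller_id, "prompt_digest": digest(prompt),
               "entitlement_digest": ctx.entitlement_digest, "outcome": outcome, **extra}
        self.audit_log.append(rec)
        return rec

    def put(self, ctx: Context, prompt: str, response: str, model_id: str, token_estimate: int) -> None:
        self.store[self.key(ctx.org_id, prompt)] = Entry(response, ctx, model_id, token_estimate)

    def replay(self, ctx: Context, prompt: str):
        """Return (response or None, audit record). Every path writes exactly one record."""
        entry = self.store.get(self.key(ctx.org_id, prompt))
        if entry is None:
            return None, self._record(ctx, prompt, "miss")
        # CC6.1: an entry is only replayable under the entitlement set it was created with.
        if entry.created_by.entitlement_digest != ctx.entitlement_digest:
            return None, self._record(ctx, prompt, "denied_replay", reason="entitlement_mismatch")
        # CC8.1: a policy or config change since creation makes the entry stale.
        for signal in ("policy_digest", "config_digest"):
            if getattr(entry.created_by, signal) != getattr(ctx, signal):
                return None, self._record(ctx, prompt, "stale_miss", invalidating_signal=signal)
        cost = round(entry.token_estimate / 1000 * self.usd_per_1k_tokens, 6)
        rec = self._record(ctx, prompt, "hit", model_id=entry.model_id,
                           token_estimate=entry.token_estimate, cost_avoided_usd=cost)
        return entry.response, rec


def audit_log_leaks(cache: ReplayCache, raw_strings) -> bool:
    """Control check: True if any raw prompt/response text appears in the audit log."""
    blob = json.dumps(cache.audit_log)
    return any(s in blob for s in raw_strings)


def demo():
    """Walk the four outcomes with constructed identities and digests."""
    base = Context("org-a", "alice", digest("ents:read,write"), digest("policy-v1"), digest("config-v1"))
    cache = ReplayCache()
    prompt = "explain the retry logic in billing/client.py"
    response = "The client retries three times with exponential backoff..."
    cache.put(base, prompt, response, "model-x", 1200)

    _, hit = cache.replay(base, prompt)
    narrower = Context("org-a", "bob", digest("ents:read"), base.policy_digest, base.config_digest)
    _, denied = cache.replay(narrower, prompt)
    repolicied = Context("org-a", "alice", base.entitlement_digest, digest("policy-v2"), base.config_digest)
    _, stale = cache.replay(repolicied, prompt)
    other_org = Context("org-b", "carol", base.entitlement_digest, base.policy_digest, base.config_digest)
    _, miss = cache.replay(other_org, prompt)   # same prompt, other tenant: never a hit
    return cache, [hit, denied, stale, miss], [prompt, response]
```

Running `demo()` yields one audit record per replay in the order hit, denied_replay, stale_miss, miss, and `audit_log_leaks` confirms that neither the prompt nor the cached response text appears anywhere in the log; only their digests do. The hit record carries the economics fields (model_id, token_estimate, cost_avoided_usd) described later on this page, so the same log serves SOC 2 evidence and chargeback reporting.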

ISO 27001 Considerations

ISO 27001 controls relevant to cache operations:

A.8 — Asset Management

Cached artifacts are managed assets with:

  • Clear ownership (org_id, creator identity).
  • Defined lifecycle (TTL-based expiration, deny-list invalidation).
  • Classification (task class determines cacheability).

A.9 — Access Control

Cache access is controlled through:

  • Role-based access reflected in entitlement digests.
  • Principle of least privilege (narrower permissions cannot access broader entries).
  • Access review via replay audit log inspection.

A.12 — Operations Security

Operational security is maintained through:

  • Logging of all cache operations (hits, misses, denials).
  • Separation of audit records from cached content.
  • Capacity monitoring and alerting.

A.18 — Compliance

Compliance is supported through:

  • Configurable audit retention periods.
  • Export capabilities for external compliance tools.
  • Data residency controls for cache storage location.

HIPAA Considerations

If your organization processes Protected Health Information (PHI) and uses AI assistants for healthcare-related development:

Minimum Necessary Standard

The cache supports the minimum necessary standard by:

  • Storing only digests of content in audit records, not content itself.
  • Scoping cache entries to the narrowest entitlement boundary.
  • Denying replay when permission scopes differ.

Audit Controls (§164.312(b))

The replay audit trail satisfies audit control requirements by:

  • Recording every access attempt (successful or denied).
  • Including caller identity, timestamp, and outcome.
  • Maintaining immutable, append-only records.
  • Supporting configurable retention periods meeting HIPAA's 6-year minimum.

Access Controls (§164.312(a))

Cache access controls satisfy HIPAA requirements by:

  • Unique caller identification in every audit record.
  • Automatic session-based authentication (no shared credentials).
  • Entitlement-based access that reflects current authorization state.

Important HIPAA Caveat

If cache payloads may contain PHI (e.g., cached responses referencing patient data in code), you must ensure:

  • Cache storage is encrypted at rest (see Encryption at Rest).
  • Cache storage complies with your BAA requirements.
  • Data residency matches your HIPAA data handling policies.
  • Cache expiration aligns with your data retention policies.

Economics Records for Financial Accountability

Every cache hit records the estimated cost avoided. This provides:

  • Budget accountability: Track how much cache saves per team, per repository, per time period.
  • Chargeback accuracy: Understand actual vs. avoided LLM spend.
  • ROI evidence: Quantify the financial benefit of the cache system.

Cost Avoidance Fields

Field                 Description
cost_avoided_usd      Estimated cost of the avoided upstream call
model_id              Model that would have been called
token_estimate        Estimated tokens for the avoided call

Audit Export and Integration

You can export replay audit records for integration with:

  • SIEM systems (Splunk, Datadog, Elastic).
  • GRC platforms (ServiceNow, Vanta, Drata).
  • Custom compliance dashboards.
  • Long-term archival systems.

Exports are available in JSON and CSV formats, scoped to your organization, and respect your configured retention period.
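Two properties of an export matter to an auditor: it stays inside the configured retention window (the HIPAA section above notes a 6-year minimum when PHI is in scope) and it carries no raw content across the tenant boundary. The added example below shows how an org-scoped JSON/CSV export with those two checks can be written in Python. It is illustrative code for this page, not Keeptrusts' export feature: the record field names follow the page (outcome, reason, caller identity, timestamp, cost_avoided_usd, model_id, token_estimate), while the record layout, the field allow-list, the fixed clock, the HIPAA floor handling and the sample records (including the deliberately stray `debug_response_text` field) are constructed assumptions.

```python
"""Retention-aware, content-free export of replay audit records.

Added example; this is not Keeptrusts' code and not its export API. Field
names follow the page (outcome, reason, caller identity, timestamp,
cost_avoided_usd, model_id, token_estimate); the record layout, the field
allow-list and the HIPAA floor handling are assumptions about how an export
filter could be written. All sample records are constructed.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

HIPAA_MIN_RETENTION_DAYS = 6 * 365        # the 6-year minimum named on the page

# Allow-list of fields a record may carry out of the system. Anything not
# listed, in particular any raw prompt or response text, never reaches the
# SIEM or GRC export.
EXPORT_FIELDS = ("ts", "org_id", "caller_id", "prompt_digest", "outcome", "reason",
                 "invalidating_signal", "model_id", "token_estimate", "cost_avoided_usd")

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock keeps the example reproducible

# Constructed sample audit records; digests are shortened placeholders.
SAMPLE_RECORDS = [
    {"ts": "2025-01-14T10:00:00+00:00", "org_id": "org-a", "caller_id": "alice",
     "prompt_digest": "3f1a00", "outcome": "hit", "model_id": "model-x",
     "token_estimate": 1200, "cost_avoided_usd": 0.0024},
    {"ts": "2025-01-14T10:05:00+00:00", "org_id": "org-a", "caller_id": "bob",
     "prompt_digest": "3f1a00", "outcome": "denied_replay", "reason": "entitlement_mismatch",
     "debug_response_text": "SHOULD NEVER BE EXPORTED"},   # stray raw-content field, constructed
    {"ts": "2023-03-01T08:00:00+00:00", "org_id": "org-a", "caller_id": "alice",
     "prompt_digest": "9c2e00", "outcome": "stale_miss", "invalidating_signal": "policy_digest"},
    {"ts": "2017-06-01T09:00:00+00:00", "org_id": "org-a", "caller_id": "alice",
     "prompt_digest": "9c2e00", "outcome": "miss"},
    {"ts": "2025-01-14T11:00:00+00:00", "org_id": "org-b", "caller_id": "carol",
     "prompt_digest": "77d000", "outcome": "hit", "model_id": "model-x",
     "token_estimate": 500, "cost_avoided_usd": 0.001},
]


def effective_retention_days(configured_days: int, phi_in_scope: bool) -> int:
    """Configured retention, raised to the HIPAA floor when PHI is in scope."""
    if phi_in_scope:
        return max(configured_days, HIPAA_MIN_RETENTION_DAYS)
    return configured_days


def select_for_export(records, org_id: str, retention_days: int, now: datetime = NOW) -> list:
    """Org-scoped, retention-filtered, allow-listed copies of the records."""
    cutoff = now - timedelta(days=retention_days)
    selected = []
    for rec in records:
        if rec["org_id"] != org_id:
            continue                                   # exports never cross the tenant boundary
        if datetime.fromisoformat(rec["ts"]) < cutoff:
            continue                                   # outside the retention window
        selected.append({k: rec.get(k) for k in EXPORT_FIELDS})
    return selected


def to_json(records: list) -> str:
    return json.dumps(records, indent=2, sort_keys=True)


def to_csv(records: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPORT_FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def export_is_content_free(exported: list, raw_strings) -> bool:
    """Pre-ship check: only allow-listed keys, and none of the raw strings appear."""
    serialised = to_json(exported) + to_csv(exported)
    keys_ok = all(set(rec) <= set(EXPORT_FIELDS) for rec in exported)
    return keys_ok and not any(s in serialised for s in raw_strings)
```

With a 90-day configured retention and PHI in scope, `effective_retention_days` raises the window to 2190 days, so the 2023 stale-miss record is kept while the 2017 record is dropped; without the floor only the two 2025 records survive. In either case the org-b record never appears in an org-a export, and the stray `debug_response_text` value is removed by the allow-list before `to_json` or `to_csv` runs, which is exactly what `export_is_content_free` verifies before the file is handed to a SIEM or GRC platform.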

For AI systems

  • Canonical terms: Keeptrusts, cache compliance, audit requirements, SOC 2, ISO 27001, cache retention.
  • Config surface: cache retention policies, purge rules, audit log export.
  • When generating compliance documentation, reference cache-layer controls and retention settings from this page.

For engineers

  • Configure cache retention policies and purge rules via gateway YAML.
  • Export audit logs showing cache access patterns for compliance reviews.
  • Test retention enforcement by verifying entries expire per configured TTL.

For leaders

  • Cache-layer controls satisfy audit requirements for SOC 2, ISO 27001, and HIPAA without additional tooling.
  • Retention policies are declarative and org-scoped — no per-team exception management needed.
  • Cache audit logs integrate with existing SIEM and compliance reporting pipelines.

Next steps