EXCEPTAO EU · v0
§ 00 · Provenance

Policy exceptions,
on the record.

Turn "we don't comply with policy X" into a recorded, time-boxed, auditor-ready risk decision. For security teams who pen-test their vendors before signing.

§ 01

Provenance

A tamper‑evident audit log,
by construction.

SHA‑256 hash chain, computed by a Postgres trigger — not the application. SHA‑256 hash-chain anchors, externally timestamped via an RFC 3161 authority. Auditors receive a cryptographic verdict, not a printed report.

$ curl -H 'X-Tenant: acme' https://acme.exceptao.com/api/audit/verify
{
  "ok": true,
  "total_rows": 4226,
  "head": "fe8c93aa71d05c…",
  "last_anchor_at": "2026-04-30T17:00:00Z",
  "broken_at": null
}
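The chain walk behind that verdict, as an added illustration that is not the product's code: the row layout, the chain rule (SHA-256 over the previous hash plus a canonical JSON encoding of the row) and the all-zero genesis value are assumptions. It also shows the one failure a bare chain does not catch.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed: prev_hash for the first row of a tenant's log

def row_hash(prev_hash: str, row: dict) -> str:
    """Assumed chain rule: SHA-256 over the previous row's hash followed by a
    canonical JSON encoding of the row's business fields (an INSERT trigger
    would compute the same value from the NEW record)."""
    body = json.dumps({k: row[k] for k in ("id", "ts", "actor", "action", "payload")},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log: list, ts: str, actor: str, action: str, payload: dict) -> dict:
    """Append one row, linking it to the current head."""
    prev = log[-1]["hash"] if log else GENESIS
    row = {"id": len(log) + 1, "ts": ts, "actor": actor, "action": action, "payload": payload}
    row["hash"] = row_hash(prev, row)
    log.append(row)
    return row

def verify(log: list, last_anchor_at=None) -> dict:
    """Walk the chain from GENESIS and stop at the first row whose stored hash
    does not recompute. The verdict has the same shape as the endpoint above."""
    prev, broken_at = GENESIS, None
    for row in log:
        if row_hash(prev, row) != row["hash"]:
            broken_at = row["id"]
            break
        prev = row["hash"]
    return {"ok": broken_at is None, "total_rows": len(log),
            "head": log[-1]["hash"] if log else None,
            "last_anchor_at": last_anchor_at, "broken_at": broken_at}

def demo() -> tuple:
    """Constructed three-row log, then two cases a verifier must get right."""
    log = []
    append(log, "2026-04-30T09:00:00Z", "alice", "exception.submit", {"exception": 17})
    append(log, "2026-04-30T10:30:00Z", "bob", "exception.approve", {"exception": 17})
    append(log, "2026-04-30T10:31:00Z", "system", "exception.activate", {"exception": 17})
    clean = verify(log, "2026-04-30T17:00:00Z")
    # Dropping the tail row leaves a chain that still verifies internally:
    # truncation is only caught by comparing the head against the anchored head.
    truncated = verify(log[:2], "2026-04-30T17:00:00Z")
    # An in-place edit to row 2 (e.g. a direct UPDATE) breaks the recompute there.
    log[1]["actor"] = "mallory"
    tampered = verify(log, "2026-04-30T17:00:00Z")
    return clean, truncated, tampered
```

Truncating the tail yields a chain that is still self-consistent, which is why the head is anchored with an external RFC 3161 timestamp: the verifier compares the current head with the last anchored head, not only the chain's internal links.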

§ 02

Isolation

Tenant isolation in the database,
not the application.

Every tenant‑scoped table has an RLS policy keyed on a session GUC. A missing WHERE clause returns zero rows — it does not leak to another tenant. CI rejects any migration that introduces a tenant table without a matching policy.
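One way to implement the CI gate described above, as an added example rather than the product's own check: a text-level linter over a migration file that flags any table with a tenant column that is created without row-level security enabled or without a policy keyed on the session GUC. The column name tenant_id and the GUC app.tenant_id are assumptions.

```python
import re

TENANT_COL = "tenant_id"   # assumed name of the tenant column
GUC = "app.tenant_id"      # assumed session GUC the policies are keyed on

CREATE_TABLE = re.compile(r"create\s+table\s+(?:if\s+not\s+exists\s+)?([\w.]+)\s*\((.*?)\);",
                          re.I | re.S)
ENABLE_RLS = re.compile(r"alter\s+table\s+([\w.]+)\s+enable\s+row\s+level\s+security", re.I)
POLICY = re.compile(r"create\s+policy\s+\w+\s+on\s+([\w.]+)(.*?);", re.I | re.S)

def lint_migration(sql: str) -> list:
    """One finding per tenant-scoped table created without RLS enabled or
    without a policy keyed on the session GUC. An empty list means the
    migration passes the gate."""
    tenant_tables = {m.group(1).lower() for m in CREATE_TABLE.finditer(sql)
                     if re.search(rf"\b{TENANT_COL}\b", m.group(2), re.I)}
    rls_enabled = {m.group(1).lower() for m in ENABLE_RLS.finditer(sql)}
    keyed = {m.group(1).lower() for m in POLICY.finditer(sql)
             if f"current_setting('{GUC}'" in m.group(2).lower()}
    findings = []
    for t in sorted(tenant_tables):
        if t not in rls_enabled:
            findings.append(f"{t}: tenant table without ENABLE ROW LEVEL SECURITY")
        if t not in keyed:
            findings.append(f"{t}: no policy keyed on current_setting('{GUC}')")
    return findings

# Constructed migrations. The first passes: the policy reads the GUC with
# missing_ok=true, so an unset GUC yields NULL and the table reads as empty
# instead of erroring or leaking another tenant's rows.
GOOD_MIGRATION = """
create table exceptions (
  id bigserial primary key,
  tenant_id uuid not null,
  title text not null
);
alter table exceptions enable row level security;
create policy exceptions_by_tenant on exceptions
  using (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);
create table frameworks (id serial primary key, code text not null);
"""

# Fails: tenant column present, no RLS, no policy. CI should block this.
BAD_MIGRATION = """
create table evidence (
  id bigserial primary key,
  tenant_id uuid not null,
  sha256 text not null
);
"""
```

A policy only binds roles that are subject to RLS: superusers, roles with BYPASSRLS and the table owner are exempt unless FORCE ROW LEVEL SECURITY is set, so the application should connect as a role that does not own the tables.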

§ 03

Ingress

No public inbound.
Not on day one. Not ever.

No open ports — not for the app, SSH, monitoring, or webhooks. All ingress is outbound‑initiated via Cloudflare Tunnel. Secrets unsealed on boot from off‑box Shamir shares.

§ 04

Parity

Security features are not a price gate.

MFA, audit-log verification, RBAC, encryption, OIDC — every plan, every tenant. We charge for workflow editors, custom reports, and integrations. Not for proof your data is intact.

Always on

MFA

TOTP mandatory from second login. WebAuthn passkeys available now.

Always on

RBAC

Tenant‑defined roles, capability codes, group inheritance.

Always on

Audit verify

Public chain‑walk endpoint, HTTP 200 / 422 verdict.

Always on

SSO

OIDC (generic + Microsoft), SAML 2.0 — per-tenant, every plan.

§ 05

Capabilities

What is shipped today.

In production on every tenant. No roadmap slides.

Exceptions & Risk

· Submit → approve → activate → expire. Every transition audit-logged.

· Renewal reminders at 90 / 60 / 30 days. Auto-close on expiry.

· Evidence upload: hashed on receipt, DLP-scanned (PAN, PESEL, IBAN, passport).

· Closed exceptions mirror into Risk Register as residual risks. No re-entry.

· 30+ seeded frameworks: NIS2, ISO 27001, NIST CSF 2.0, KSC, OWASP Top 10.

· Asset inventory + NVD CVE polling. Per-asset remediation tracking.

· Vendor signed-link self-assessments. No vendor account required.

Identity & Platform

· TOTP mandatory from second login. WebAuthn passkeys. Step-up auth for approvals.

· OIDC (generic + Microsoft) and SAML 2.0 SSO — per-tenant, every plan.

· Anomaly detection: approval spike, mass-delete, off-hours, login surge.

· Backups encrypted client-side, written to R2 + B2. Failure surfaced, never silent.

· Vault-managed secrets. Per-tenant DEK. No plaintext key at rest on VPS.

Integrations & Reporting

· Slack, Microsoft Teams, PagerDuty — per-event, per-channel routing.

· SIEM JSON-line forwarder — any webhook or log-drain target.

· ServiceNow bi-directional sync + CMDB asset import.

· Jira Cloud — incidents and control tasks pushed to issues.

· CSV / Markdown / executive PDF — deterministic, hash-verifiable.

· 4-framework board PDF: ISO 27001, SOC 2, NIST CSF 2.0, PCI DSS. Mapped to real records.

Stack

Connects to your stack.

Identity providers, a generic SIEM forwarder, ticketing, storage, and open standards — already wired in.

Identity & Access

Microsoft Entra ID · Office 365 · Microsoft Graph · Teams · Okta · Auth0 · Google Workspace

Alerting & Ticketing

Slack · PagerDuty · ServiceNow CMDB · ServiceNow Incident · Jira Cloud

SIEM & Observability

SIEM forwarder (JSON) — Splunk, Sentinel, Elastic, any log drain

Infrastructure & Storage

Cloudflare Tunnel · Cloudflare Pages · Cloudflare R2 · Backblaze B2 · HashiCorp Vault

Data & Standards

NVD (NIST CVE) · RFC 3161 timestamping · FIDO2 / WebAuthn · SAML 2.0 · OIDC · DLP

Trust

· EU-PL region · data never leaves the EU

· security.txt

· Subprocessor list

· /api/audit/public · live chain status

· DPA available on request

· SOC 2 Type I · pre-GA · no claim made

§ 06

Procedure

From "we don't comply" to a recorded,
time‑boxed risk decision in three movements.

I. Submit

The requester puts the deviation on the record.

Describe the policy, the asset, the residual risk, the compensating controls. Attach evidence — encrypted, hashed on receipt. The state machine writes DRAFT → UNDER_REVIEW into the audit log; reviewers are notified.

DRAFT → UNDER_REVIEW

II. Review

The approver decides — with reasoning, not vibes.

Configurable one‑ or two‑level approval. Comments are mandatory. Rejections and returns are first‑class — they yield a paper trail, not silence. Workflow transitions are stored as DB rows; the engine is a validator, not a state generator.

UNDER_REVIEW → APPROVED
UNDER_REVIEW → REJECTED

III. Govern

The exception lives — for a stated, finite term.

Active exceptions emit reminders at 90, 60, 30 days. Owners re‑attest. Renewals chain to their predecessors so an auditor can trace the original justification across cycles. At expiry the exception terminates — automatically, audited.

APPROVED → ACTIVE → EXPIRING_SOON → EXPIRED
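The three movements as a validator, added here as an illustration and not the product's engine: transitions arrive as stored rows and are judged against the allowed graph and the mandatory-comment rule, while lifecycle state and reminder dates are derived from the expiry date. The UNDER_REVIEW to DRAFT edge (a return to the requester) and a 30-day EXPIRING_SOON window are assumptions.

```python
from datetime import date, timedelta

# Transition graph from the three movements above. The UNDER_REVIEW -> DRAFT edge
# (returned to requester) and the 30-day EXPIRING_SOON window are assumptions.
ALLOWED = {
    ("DRAFT", "UNDER_REVIEW"),
    ("UNDER_REVIEW", "APPROVED"), ("UNDER_REVIEW", "REJECTED"), ("UNDER_REVIEW", "DRAFT"),
    ("APPROVED", "ACTIVE"),
    ("ACTIVE", "EXPIRING_SOON"), ("EXPIRING_SOON", "EXPIRED"),
}
NEEDS_COMMENT = {e for e in ALLOWED if e[0] == "UNDER_REVIEW"}  # decisions carry reasoning
REMINDER_DAYS = (90, 60, 30)
EXPIRING_SOON_DAYS = 30

def validate_transitions(rows: list) -> list:
    """Judge stored transition rows in order (the engine validates, it does not
    generate). Each row has from_state, to_state, actor, comment. Returns the
    violations found; an empty list means the history is consistent."""
    errors, current = [], "DRAFT"
    for i, r in enumerate(rows, 1):
        edge = (r["from_state"], r["to_state"])
        if r["from_state"] != current:
            errors.append(f"row {i}: from_state {r['from_state']} but record is {current}")
        if edge not in ALLOWED:
            errors.append(f"row {i}: transition {edge[0]} -> {edge[1]} not permitted")
        if edge in NEEDS_COMMENT and not (r.get("comment") or "").strip():
            errors.append(f"row {i}: reviewer comment is mandatory for {edge[1]}")
        current = r["to_state"]  # the stored row is the record; we only judge it
    return errors

def reminder_dates(expires_on: date) -> list:
    """Dates on which the 90 / 60 / 30-day reminders fire."""
    return [expires_on - timedelta(days=d) for d in REMINDER_DAYS]

def lifecycle_state(today: date, expires_on: date) -> str:
    """Derive an activated exception's state from the calendar, so expiry is
    driven by the clock rather than by someone remembering."""
    if today >= expires_on:
        return "EXPIRED"
    if (expires_on - today).days <= EXPIRING_SOON_DAYS:
        return "EXPIRING_SOON"
    return "ACTIVE"

# Constructed history: submit, approve with reasoning, activate.
SAMPLE_HISTORY = [
    {"from_state": "DRAFT", "to_state": "UNDER_REVIEW", "actor": "alice", "comment": ""},
    {"from_state": "UNDER_REVIEW", "to_state": "APPROVED", "actor": "bob",
     "comment": "Compensating control verified; 90-day term."},
    {"from_state": "APPROVED", "to_state": "ACTIVE", "actor": "system", "comment": ""},
]
```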

§ 07

Early access

Signing a small number of design partners before public beta.

Write to us if you carry the spreadsheet — or inherit it when someone leaves. One call, honest questions, no NDA, no pre‑sales theatre.

EU‑resident · response within two business days · GMT+1