Co-funded by ECCC · European Cybersecurity Competence Centre

Continuously building
trustworthy software.

Stop AI agents from running dangerous tool calls. Prove every action with a cryptographic audit chain. Built for regulated industries that demand provable trust.

Open Policy Agent / Rego · Ed25519 hash-chained logs · Self-hosted, on-prem ready
trustops-agent → production-vm · connected
17:42:01 [agent] connected (id: a3f1)
17:42:01 [agent] pubkey registered with server
17:42:02 [agent] PreToolUse hook installed
17:42:18 > deploy to production
17:42:19 [claude] running: Bash rm -rf /var/cache/*
DENY · Bash
command matches destructive pattern "rm -rf"
policy: no-destructive-shell v3
17:42:20 [claude] retrying with: rm /var/cache/*.tmp
17:42:20 ✓ allow · tool executed
17:42:21 ✓ deployment complete
chain · 142 signed · valid
Compliance-ready
Maps cleanly to the
frameworks your auditor speaks.
EU AI Act
Logging + transparency mapped to Articles 12–13.
SOC 2
Audit trail + change management evidence.
ISO 27001
A.8 access control + A.12 ops security.
NIS2
Cyber risk management for critical entities.
GDPR Art.30
Records of processing activities.
PCI DSS 4
Req 10 — log + monitor all access.
Inside TrustOps

One dashboard. Every surface your auditor will ask for.

Write policies in code. Watch them enforce in real time. Hand the signed audit bundle to your compliance team. All from the same workspace, attributed and reversible.

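policy.rego · enforce
package trustops.tools

import rego.v1

# allow defaults to true; each deny rule adds a reason message to the deny set.
default allow := true

# Substrings treated as destructive shell commands.
destructive := [
  "rm -rf",
  "mkfs",
  "dd of=/dev/",
]

# Deny Bash tool calls whose command contains a destructive substring.
deny contains msg if {
  input.tool == "Bash"
  some p in destructive
  contains(input.command, p)
  msg := sprintf("destructive command: %q", [p])
}

# Deny reads of AWS credential files.
deny contains msg if {
  input.tool == "Read"
  endswith(input.path, ".aws/credentials")
  msg := "secret file access blocked"
}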
decisions / last 30 days · 178 total · 24 denied (chart series: allow, deny)
audit trail · prompt-7f3a91
chain · 142 signed · valid
agent: prod-vm-us-east-1
prev_hash: YkVj9p…6f55712
hash: 6f55712…2b13be2
signature: Ed25519 · valid
logs: 142 / 142 signed
denies: 3 · 1 destructive shell · 2 secret read
From prompt to proof

Three steps. No screenshots, no theater.

The flow below is the same flow your team will use the first day. Real Rego, real hash chain, real deny.

01 · Act 1 of 3

Define what your agents can do, as code.

Pick from a template library or write your own Rego. Test it inline against a sample tool-call before saving. Version-controlled per project.

block-secret-files.rego · v3
package trustops.tools

import rego.v1

# Deny reads of any path ending in ".env".
deny contains msg if {
  input.tool == "Read"
  endswith(input.path, ".env")
  msg := "blocked: secret file"
}
✓ test passed · input matched · would deny
02 · Act 2 of 3

The agent enforces, before the tool runs.

Installed in one bash command, the trustops-agent hooks into Claude Code's PreToolUse event. Denials happen before execution. Latency is sub-millisecond.

agent ● online
14:08:11 > refactor the deposit handler
14:08:12 [tool: Read] /src/handlers/deposit.ts
14:08:12 ✓ allow · 412 lines
14:08:14 [tool: Bash] rm -rf node_modules
DENY · Bash
command matches destructive pattern "rm -rf"
policy: no-destructive-shell
03 · Act 3 of 3

Every action signs itself into a chain.

Each log entry is hash-chained to the previous and signed with the agent's Ed25519 key. Export a JSON or PDF bundle in one click. Auditors verify offline.

Five minutes from signup to first deny

One bash line on the machine. That's it.

install · ubuntu / debian
$ curl -sSL https://app.trustops.eu/install.sh \
  | sudo TRUSTOPS_TOKEN=oat_xxx bash
Non-root user
Installs under a system user "trustops". Never runs as root.
Per-VM keypair
Generates Ed25519, stores at ~/.trustops/key.json (0600).
systemd unit
Auto-restart on crash. Survives reboot. journalctl logs.
Built on standards

Not another magic box.

TrustOps composes well-understood pieces: Open Policy Agent for evaluation, Ed25519 for signing, SHA-256 for chaining, plain JSON for export. Your auditor can verify the chain with 40 lines of Node.

Policy engine: Open Policy Agent (CNCF graduated)
Signature: Ed25519 (RFC 8032)
Chain hash: SHA-256 over canonical JSON
Export format: application/json · spec v1
Deploy: Single-tenant, on-prem, no telemetry
License: MIT for verify lib, commercial for platform

"Every other governance vendor showed me a dashboard. TrustOps was the first that handed me a verifiable bundle."

— Compliance lead, regional bank (anonymized)
<1ms
Policy eval latency
100%
Logs signed (chain valid)
0
External calls (single-tenant)
Pricing

Simple. Predictable.

No per-seat surprises. No per-decision metering. The agent runs on your machines.

Starter
Free · forever

For teams evaluating policy enforcement on AI agents.

  • Up to 5 members
  • 1 project
  • 10 policies
  • JSON audit export
  • Community support
Start free
Most popular
Pro
€499 / month

For teams running AI agents in production.

  • Unlimited members
  • Unlimited projects
  • Unlimited policies
  • PDF audit exports
  • Webhooks · Slack · SIEM
  • Email support
Contact sales
Enterprise
Custom pricing

For regulated industries with custom compliance needs.

  • On-prem / air-gapped
  • TEE attestation
  • SSO / SAML / OIDC
  • Dedicated success manager
  • SLA
  • Custom integrations
Talk to us
FAQ

Honest answers.

How is this different from running OPA myself?

TrustOps gives you the full agent loop on top of OPA: the trustops-agent runtime, the PreToolUse hook installation, the cryptographic log chain, the audit bundle export, and the dashboard. OPA is the engine; TrustOps is the surrounding compliance product.

Where does my data live?

On your infrastructure. The platform deploys via docker compose into your own cluster or VM. No data leaves your perimeter. Self-hosted by default; an enterprise option offers an air-gapped install.

What AI runtimes are supported?

Anything that respects a PreToolUse hook in a .claude/settings.json file. That covers Claude Code, the Anthropic Agent SDK, and forks. Support for OpenAI Assistants and LangGraph is on the roadmap.

Can I verify the log chain offline?

Yes. Audit exports include every log with its hash, signature, prev-hash, and the agent's public key. The verification algorithm is in lib/audit.ts (open source). Auditors can re-verify with a 40-line Node script.
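
The offline check described in this answer, in step 3 and in the standards list, as an added example (not TrustOps' lib/audit.ts and not its export spec): a Node verifier that walks a hash chain and checks each Ed25519 signature. The bundle layout (public_key_pem, logs[].body), the all-zero genesis prev_hash, the sorted-key canonical JSON and signing the entry hash are assumptions; the sample entries are constructed.

```javascript
// Added example. Field names, genesis value and canonical form are assumptions.
const crypto = require('node:crypto');
// Assumed canonical JSON: keys sorted recursively, no whitespace.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  return '{' + Object.keys(v).sort()
    .map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
}

const GENESIS = '0'.repeat(64); // assumed prev_hash of the first entry
// hash = hex SHA-256 over canonical({prev_hash, body})
const entryHash = (prevHash, body) => crypto.createHash('sha256')
  .update(canonical({ prev_hash: prevHash, body })).digest('hex');
const fail = (index, reason) => ({ ok: false, index, reason });

// Walks the chain; returns the first failure or {ok: true, count}.
function verifyBundle(bundle) {
  const pub = crypto.createPublicKey(bundle.public_key_pem);
  let prev = GENESIS;
  for (const [i, e] of bundle.logs.entries()) {
    if (e.prev_hash !== prev) return fail(i, 'broken link');
    if (entryHash(prev, e.body) !== e.hash) return fail(i, 'hash mismatch');
    const signed = crypto.verify(null, Buffer.from(e.hash, 'hex'), pub,
      Buffer.from(e.signature, 'base64'));
    if (!signed) return fail(i, 'bad signature');
    prev = e.hash;
  }
  return { ok: true, count: bundle.logs.length };
}

// Constructed sample: a throwaway key signs three made-up decisions.
function sampleBundle() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  let prev = GENESIS;
  const logs = [
    { tool: 'Read', path: '/src/handlers/deposit.ts', decision: 'allow' },
    { tool: 'Bash', command: 'rm -rf node_modules', decision: 'deny' },
    { tool: 'Bash', command: 'rm /var/cache/*.tmp', decision: 'allow' },
  ].map(body => {
    const prev_hash = prev;
    prev = entryHash(prev_hash, body);
    const sig = crypto.sign(null, Buffer.from(prev, 'hex'), privateKey);
    return { prev_hash, body, hash: prev, signature: sig.toString('base64') };
  });
  return { public_key_pem: publicKey.export({ type: 'spki', format: 'pem' }), logs };
}

console.log(verifyBundle(sampleBundle()));
```

A bundle that carries its own public key proves only internal consistency, so compare that key with the one the agent registered with the server before trusting the result. The chain alone also cannot show that trailing entries were cut off; record the expected entry count or final hash separately.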

Is this open source?

The platform and agent source are available under a commercial license to customers. The audit verification library and policy template catalog are MIT.

How fast is policy evaluation?

OPA evaluation is typically sub-millisecond per tool call. The PreToolUse hook adds a single localhost HTTP round-trip. End to end, well under 50ms p99 for typical Rego.

Prove what your agents do.
Today.

Free to sign up. Demo project loads pre-populated with real denies and a real signed chain.

© 2026 TrustOps