Decision database · For regulated industries

Compliance is a constraint, not a feature.

Interactive walkthrough · 90 seconds
See it: a regulator asks a question, the database answers.
A live, recorded auditor request, reconstructed end-to-end — with tamper-evident chain verification, full decision lineage, and a right-to-be-forgotten that doesn't break the audit log. Pick a vertical:
Insurance · NAIC Healthcare · HIPAA Finance · FINRA
Three primitives, one engine

Truth, time, and the freedom to forget.

Every regulated workload needs the same three things: a record of what was true, a proof of when you knew it, and a way to forget on demand without breaking the proof. We built them in.

Time · Bitemporal
Ask what the system knew when it acted.
Native Cypher: AT RECORDED '2026-03-05T10:00:00Z' reconstructs the database as it stood at that instant. No event-sourcing harness. No ETL. The auditor gets the answer the first time they ask. Walkthrough →
Truth · Provenance
Every value carries its receipts.
Who set it, when, from what source, with what confidence. Walk derivedFrom edges to trace any AI-generated value back to its inputs. Every committed write is hash-chained — db.verifyAclChain() proves the history hasn't been touched. Walkthrough →
Forgetting · Crypto-shred
Forget on demand — without breaking the chain.
Per-subject AES-GCM keys. db.destroySubjectKey('user-42') — every encrypted property for that subject becomes unrecoverable ciphertext, retroactively across every snapshot, backup, and audit replay. GDPR Article 17 and SOX retention, finally compatible. Walkthrough →

Most graph databases punt that constraint to your application layer. InvariantDB starts from the procurement checklist — HIPAA's "minimum necessary," GDPR's right to erasure, SEC 17a-4's non-rewriteable mandate, NAIC model audit rules — and asks: what would the database have to do natively for a regulator to accept it without a custom integration?

This page maps four regulated verticals to the specific InvariantDB primitives that solve their compliance problems.

What "built for compliance" means here

Every primitive on this page satisfies four conditions:

  1. Engine-enforced, not application-convention. Your Cypher, your SDK, your MCP tool — they all hit the same enforcement point at the storage layer.
  2. Auditable from the database, not from logs you wrote. Every relevant mutation lands in a hash-chained audit log that db.verifyAclChain proves intact.
  3. Documented in an ADR. Procurement asks "how does this work?" We answer with a public design doc, not a sales sheet.
  4. Verifiable with curl, not via a screenshare. The auditor runs the same procedure your engineer does.

If a feature doesn't meet all four, it's not on this page.

Healthcare — HIPAA / HITECH / 21st Century Cures

1. "Who saw which patient field, and when?"

Field-level ACL + audit chain.

Patient.ssn declared with acl: { read: ["compliance_officer"] } returns Null for an analyst's MATCH (p:Patient) RETURN p.ssn query — enforced by the engine, not the resolver. Every denied read appends a hash-chained row to acl_events.log. db.aclEvents replays the log; db.verifyAclChain proves no record was tampered. This is the minimum necessary rule, mechanized.

2. "Patient asks us to forget them. Can you prove erasure?"

Crypto-shredding + erasure receipts.

Per-subject AES-GCM keys make right-to-erasure mathematical, not hopeful. Destroy the key (db.destroySubjectKey('patient_42')) and every encrypted property for that subject becomes unrecoverable ciphertext — retroactively across every snapshot, backup, and audit replay. db.proveErasure('patient_42') returns a signed receipt your DPO hands the patient.

HIPAA doesn't require crypto-shred. But for the patient who escalates to OCR, it's the only path to "we erased it, and here is the proof."

3. "What did the patient's chart say on the day of treatment?"

Bitemporal AT VALID '<ts>' natively in Cypher.
MATCH (p:Patient {mrn: 'M12345'})
  AT VALID '2024-03-15'
  AT RECORDED '2024-03-15'
RETURN p

AT VALID asks "what was clinically true that day?" AT RECORDED asks "what was in the chart that day?" — not the same question when a result was backdated. The legal record can be replayed verbatim for malpractice, billing review, or a public-health audit.

Bonus: research data sharing without DUA pain

Differential privacy on aggregates.

Issue a research collaborator an API key with privacyMode: {epsilon_budget: 1.0, period: "Daily"}. The planner refuses any non-aggregate return — they can compute count, sum, avg for publication, never see individual records. Laplace noise + ε budget + dp_events.log audit replay give the IRB an actual proof.

Financial services — SEC 17a-4 / FINRA / SR 11-7 / GLBA

1. "Reconstruct the trader's view at 14:32:17.4"

Bitemporal + immutable snapshots.

Every order, position, hedge, and exposure on the desk is a node; every state change is a versioned edge. AT RECORDED '2024-10-15 14:32:17.4' returns the exact graph the firm's risk engine operated against at that moment — not a reconstruction, the actual state.

For SR 11-7 model risk audit: "the same Cypher query against the same RECORDED timestamp returns the same answer forever" is the property a regulator wants to hear.

2. "Prove these trade records weren't modified after submission"

WORM mode + hash-chained audit log.

WORM mode (irrevocable) refuses every mutation except audit events. The hash chain links every committed snapshot to a SHA-256 of its predecessor; GET /graphs/{name}/audit/verify re-walks the chain and reports tamper-evidence. SEC 17a-4(f) "non-rewriteable, non-erasable" — answered.

3. "Where did this credit decision come from?"

Per-property provenance.
MATCH (a:Application {id: $appId})
CALL db.propertyProvenance(id(a), 'approved')
YIELD value, validFrom, version, txnAt, actor, source, reason, confidence
RETURN value, actor, source, reason, confidence, validFrom
ORDER BY version DESC

Every property version records the who, when, from what source, and with what confidence. Adverse-action explanations, model-risk audits, ECOA fair-lending defensibility — one walk of the provenance log.

4. "Quants want to compute portfolio statistics on real data"

Differential privacy on aggregate queries.

A research API key in private mode lets the quant team compute avg(position_size) and count(...) over the firm's real positions without ever exposing per-position records — the planner refuses individual returns, Laplace noise is calibrated to the dpClamp bounds you declared, and the ε budget gives a math-backed guarantee. Pairs with the inverse: a production-trader API key with full access, gated by capability tokens with short TTLs.

Insurance — NAIC Model Audit Rule / state DOI rate filings

1. "Show me the policy + coverage + claim graph as of the day the loss occurred."

InvariantDB's hosted demo is an insurance graph — 500K nodes across Submission → Quote → Policy → Coverage → Claim → Reserve → Payment. Every transition is bitemporal; every AT VALID '<ts>' returns the legal record at that effective date.

For a rate filing review: the same MATCH (p:Policy)-[:HAS_COVERAGE]->(c) AT VALID '<filing-effective-date>' RETURN ... query reproduces the filing's exhibit dataset from the live database, weeks or years later. No ETL pipeline; no separate immutable archive.

2. "Adjuster changed a reserve estimate. What was it before?"

db.propertyHistory — full bitemporal version history.
MATCH (r:Reserve {id: $reserveId})
CALL db.propertyHistory(id(r), 'amount')
YIELD value, validFrom, validTo, version, txnAt
RETURN version, txnAt, validFrom, validTo, value
ORDER BY version

3. "Underwriting bound a risk. Who approved? What was the basis?"

Provenance + capability tokens + audit chain.

Every binding decision records actor, source (model run id, or underwriter login), reason, confidence. Capability tokens give each underwriter their own time-limited credential — the audit log records which capability authorized the binding.

NAIC Model Audit Rule § 6 mandates controls testing. InvariantDB's audit chain is the test artifact.

4. "Carrier sharing claim statistics with a state DOI"

Differential privacy.

Issue the state's data partner an API key with privacyMode configured. They get the aggregate statistics needed for the rate review filing without ever seeing individual claimant records.

Government / public sector — FedRAMP / FISMA / CJIS

1. "Federal data residency: this graph never leaves us-east-1"

Data residency in Raft replication (in flight).

InvariantDB's HA cluster (Raft, 3 nodes default) can be constrained to a single AWS region or sovereign jurisdiction. The graph's residency schema field is enforced by the cluster's membership controller. (Status: design complete, implementation in flight. The single-region single-node deployment satisfies most FedRAMP-moderate boundaries today.)

2. "Every property read by every credentialed user must be loggable"

Capability tokens with per-session audit + WORM mode.

Mint a capability token with the agent's PIV cert principal claim, a session id, an expiry. Every Cypher query under that capability appends a row to the audit chain naming the principal, property, timestamp, result. WORM mode prevents an insider from rewriting that history.

3. "Suspect-data crypto-shred at end of authorized retention"

db.destroySubjectKey runs on a cron schedule keyed to the retention table. The receipt (db.proveErasure) goes to the authorizing official.

4. "Differential privacy for statistical releases"

Same answer as healthcare / finance. US Census Bureau pioneered DP for the 2020 decennial; state and local agencies asking the same question — "publish statistics from sensitive registries without re-identification risk" — get the same answer.

The honest section

Every primitive on this page is shipped — but compliance is ultimately a controls program, not a feature checklist. InvariantDB makes the database side defensible. We do not:

What we do claim: every primitive is mechanically auditable, every mutation hash-chained, every property bitemporal, every erasure cryptographic, every aggregate optionally noised, and every design choice captured in a public design principle a regulator can read.

What to do next

GoalRead
See the primitives end-to-endCompliance dashboard
Wire field-level ACL + purpose bindingSee compliance and features
Issue a private-mode (DP) API keyFeatures › Differential privacy
Run the demos — insurance, AML, clinical-trialHome page lists six
Talk under NDAContact

Or read the design principles cold; every claim reduces to a capability we commit to.

Quickstart →  ·  Features →  ·  AI memory →  ·  Compliance →