Every regulated workload needs the same three things: a record of what was true, a proof of when you knew it, and a way to forget on demand without breaking the proof. We built them in.
AT RECORDED '2026-03-05T10:00:00Z' reconstructs the database as it stood at that instant. No event-sourcing harness. No ETL. The auditor gets the answer the first time they ask. Walkthrough →derivedFrom edges to trace any AI-generated value back to its inputs. Every committed write is hash-chained — db.verifyAclChain() proves the history hasn't been touched. Walkthrough →db.destroySubjectKey('user-42') — every encrypted property for that subject becomes unrecoverable ciphertext, retroactively across every snapshot, backup, and audit replay. GDPR Article 17 and SOX retention, finally compatible. Walkthrough →A narrated walkthrough of the NYDFS Part 500 incident-disclosure request — tamper-evident chain verification, full decision lineage, the works. Fourteen verticals available below.
One post per regulator. The engineering that makes a five-minute audit response possible.
Most graph databases punt that constraint to your application layer. InvariantDB starts from the procurement checklist — HIPAA's "minimum necessary," GDPR's right to erasure, SEC 17a-4's non-rewriteable mandate, NAIC model audit rules — and asks: what would the database have to do natively for a regulator to accept it without a custom integration?
This page maps four regulated verticals to the specific InvariantDB primitives that solve their compliance problems.
Every primitive on this page satisfies four conditions:
db.verifyAclChain proves intact.curl, not via a screenshare. The auditor runs the same procedure your engineer does.If a feature doesn't meet all four, it's not on this page.
Field-level ACL + audit chain.
Patient.ssn declared with acl: { read: ["compliance_officer"] } returns Null for an analyst's MATCH (p:Patient) RETURN p.ssn query — enforced by the engine, not the resolver. Every denied read appends a hash-chained row to acl_events.log. db.aclEvents replays the log; db.verifyAclChain proves no record was tampered. This is the minimum necessary rule, mechanized.
Crypto-shredding + erasure receipts.
Per-subject AES-GCM keys make right-to-erasure mathematical, not hopeful. Destroy the key (db.destroySubjectKey('patient_42')) and every encrypted property for that subject becomes unrecoverable ciphertext — retroactively across every snapshot, backup, and audit replay. db.proveErasure('patient_42') returns a signed receipt your DPO hands the patient.
HIPAA doesn't require crypto-shred. But for the patient who escalates to OCR, it's the only path to "we erased it, and here is the proof."
Bitemporal AT VALID '<ts>' natively in Cypher.
MATCH (p:Patient {mrn: 'M12345'})
AT VALID '2024-03-15'
AT RECORDED '2024-03-15'
RETURN p
AT VALID asks "what was clinically true that day?" AT RECORDED asks "what was in the chart that day?" — not the same question when a result was backdated. The legal record can be replayed verbatim for malpractice, billing review, or a public-health audit.
Differential privacy on aggregates.
Issue a research collaborator an API key with privacyMode: {epsilon_budget: 1.0, period: "Daily"}. The planner refuses any non-aggregate return — they can compute count, sum, avg for publication, never see individual records. Laplace noise + ε budget + dp_events.log audit replay give the IRB an actual proof.
Bitemporal + immutable snapshots.
Every order, position, hedge, and exposure on the desk is a node; every state change is a versioned edge. AT RECORDED '2024-10-15 14:32:17.4' returns the exact graph the firm's risk engine operated against at that moment — not a reconstruction, the actual state.
For SR 11-7 model risk audit: "the same Cypher query against the same RECORDED timestamp returns the same answer forever" is the property a regulator wants to hear.
WORM mode + hash-chained audit log.
WORM mode (irrevocable) refuses every mutation except audit events. The hash chain links every committed snapshot to a SHA-256 of its predecessor; GET /graphs/{name}/audit/verify re-walks the chain and reports tamper-evidence. SEC 17a-4(f) "non-rewriteable, non-erasable" — answered.
Per-property provenance.
MATCH (a:Application {id: $appId})
CALL db.propertyProvenance(id(a), 'approved')
YIELD value, validFrom, version, txnAt, actor, source, reason, confidence
RETURN value, actor, source, reason, confidence, validFrom
ORDER BY version DESC
Every property version records the who, when, from what source, and with what confidence. Adverse-action explanations, model-risk audits, ECOA fair-lending defensibility — one walk of the provenance log.
Differential privacy on aggregate queries.
A research API key in private mode lets the quant team compute avg(position_size) and count(...) over the firm's real positions without ever exposing per-position records — the planner refuses individual returns, Laplace noise is calibrated to the dpClamp bounds you declared, and the ε budget gives a math-backed guarantee. Pairs with the inverse: a production-trader API key with full access, gated by capability tokens with short TTLs.
InvariantDB's hosted demo is an insurance graph — 500K nodes across Submission → Quote → Policy → Coverage → Claim → Reserve → Payment. Every transition is bitemporal; every AT VALID '<ts>' returns the legal record at that effective date.
For a rate filing review: the same MATCH (p:Policy)-[:HAS_COVERAGE]->(c) AT VALID '<filing-effective-date>' RETURN ... query reproduces the filing's exhibit dataset from the live database, weeks or years later. No ETL pipeline; no separate immutable archive.
db.propertyHistory — full bitemporal version history.
MATCH (r:Reserve {id: $reserveId})
CALL db.propertyHistory(id(r), 'amount')
YIELD value, validFrom, validTo, version, txnAt
RETURN version, txnAt, validFrom, validTo, value
ORDER BY version
Provenance + capability tokens + audit chain.
Every binding decision records actor, source (model run id, or underwriter login), reason, confidence. Capability tokens give each underwriter their own time-limited credential — the audit log records which capability authorized the binding.
NAIC Model Audit Rule § 6 mandates controls testing. InvariantDB's audit chain is the test artifact.
Differential privacy.
Issue the state's data partner an API key with privacyMode configured. They get the aggregate statistics needed for the rate review filing without ever seeing individual claimant records.
Data residency in Raft replication (in flight).
InvariantDB's HA cluster (Raft, 3 nodes default) can be constrained to a single AWS region or sovereign jurisdiction. The graph's residency schema field is enforced by the cluster's membership controller. (Status: design complete, implementation in flight. The single-region single-node deployment satisfies most FedRAMP-moderate boundaries today.)
Capability tokens with per-session audit + WORM mode.
Mint a capability token with the agent's PIV cert principal claim, a session id, an expiry. Every Cypher query under that capability appends a row to the audit chain naming the principal, property, timestamp, result. WORM mode prevents an insider from rewriting that history.
db.destroySubjectKey runs on a cron schedule keyed to the retention table. The receipt (db.proveErasure) goes to the authorizing official.
Same answer as healthcare / finance. US Census Bureau pioneered DP for the 2020 decennial; state and local agencies asking the same question — "publish statistics from sensitive registries without re-identification risk" — get the same answer.
Every primitive on this page is shipped — but compliance is ultimately a controls program, not a feature checklist. InvariantDB makes the database side defensible. We do not:
What we do claim: every primitive is mechanically auditable, every mutation hash-chained, every property bitemporal, every erasure cryptographic, every aggregate optionally noised, and every design choice captured in a public design principle a regulator can read.
| Goal | Read |
|---|---|
| See the primitives end-to-end | Compliance dashboard |
| Wire field-level ACL + purpose binding | See compliance and features |
| Issue a private-mode (DP) API key | Features › Differential privacy |
| Run the demos — insurance, AML, clinical-trial | Home page lists six |
| Talk under NDA | Contact |
Or read the design principles cold; every claim reduces to a capability we commit to.