Dashboard & Onboarding
Volidator’s dashboard is built with the same Zero-Knowledge principles as our SDK and ingestion pipelines. Because our servers cannot decrypt your audit logs, the dashboard relies entirely on client-side cryptography to render your data.
Onboarding Flow
Section titled “Onboarding Flow”When you create a new organization and project in Volidator, you undergo a strict key-generation process:
- Passkey Registration: We encourage WebAuthn Passkeys for authentication to prevent phishing and unauthorized access to your tenant.
- Project Creation: Your browser generates the Data Encryption Key (DEK) locally using the Web Crypto API. This 256-bit AES-GCM key encrypts all your payloads.
- Vault Dual-Encryption (E2EE):
To ensure you don’t have to manage long key strings every time your session expires, the dashboard employs Envelope Encryption:
- The browser prompts you for a Vault Password (if using SSO) or leverages your login password.
- It derives a Key Encryption Key (KEK) using PBKDF2 (100,000 iterations) combined with a unique salt.
- The plaintext DEK is dual-encrypted: once with the password-derived KEK, and once with a high-entropy Recovery Key.
- Only the encrypted DEKs and the salt are sent to Volidator’s servers.
The volidator.env file
Section titled “The volidator.env file”At the end of onboarding, you must download your volidator.env file. It contains your API Key, Project ID, Client Secret, and importantly, the Recovery Key.
[!CAUTION]
If you forget your Vault Password and lose yourvolidator.envfile, your encrypted logs cannot be recovered. Volidator’s support team has zero capability to bypass this cryptography.
Dashboard Sidebar Breakdown
Section titled “Dashboard Sidebar Breakdown”A comprehensive guide to all navigation sections in the Volidator dashboard.
1. Overview
Section titled “1. Overview”The central home page of your workspace, offering real-time usage metrics and active environments.
- Key Metrics:
- Total Projects: Count of active, configured audit environments.
- Logs Ingested: Cumulative total volume of logs stored across your tenancy.
- API Calls (24h): The volume of log ingestion requests processed in the last 24 hours.
- Avg Latency: Edge round-trip compute and validation speeds.
- Active Projects list: Quick links to manage project details or copy environment IDs.
- Recent Activity Feed: Displays the last 5 ingested audit logs in real-time.
2. Projects
Section titled “2. Projects”Manage your separated organizational project tenancies.
- Creation/Deletion: Provision new project environments or permanently delete existing ones (requires typing a
DELETEconfirmation to prevent accidental loss). - Project Details: Access configuration details for an environment:
- Masked API key prefixes and ingestion endpoint destination.
- Log Retention Policy settings: Customize log retention periods (7 days, 1 month, 6 months, 1 year, or keep forever). Expired logs are automatically purged in daily database cleanup cron cycles.
3. Activity Page
Section titled “3. Activity Page”Search and audit ingested log history on a decryption-blind view.
- Unlock Vault: Prompts you to enter your Vault Password. Decrypts audit log ciphertexts in-memory using Web Crypto AES-GCM (your decryption keys never cross the wire to our servers).
- Blind Index Search: Search and filter decrypted logs by Actor, Action, or Target. Search operates via one-way HMAC Blind Indexes, ensuring the server remains blind to the query details.
- Detailed Context Panel: Click any row to expand user-agent information, client IP, geographical location, and attached custom JSON metadata.
4. API Keys
Section titled “4. API Keys”Manage credentials and secure ingestion access parameters.
- Format Checksum: Displays masked API keys using the
val_live_{entropy}{checksum}structure. This format embeds a CRC32 checksum for instant pre-hash validation at the edge. - API Key Rotation: Supports zero-downtime key rotation by slotting the old key as a grace-period credential for up to 24 hours before expiration.
- Immediate Revocation: Revoking a project’s key evicts KV cache and blocks ingestion endpoints edge-wide within seconds.
5. SIEM Sync
Section titled “5. SIEM Sync”Forward your audit trail to external Security Information and Event Management (SIEM) systems.
- Datadog & Splunk: Directly configure sync parameters to push events real-time to your security operations dashboards.
- Zero-Knowledge Storage: SIEM authentication tokens are encrypted in the browser using the worker’s RSA-4096 public key before transmission, securing them at rest.
- HMAC Request Signatures: Opt-in to sign outgoing webhook logs with a shared HMAC secret to verify the integrity and origin of forwarded alerts.
- Connection Testing: Run integration tests to generate and verify mock queue pipelines directly.
6. Evidence Export
Section titled “6. Evidence Export”Download pre-packaged audit records formatted to meet major compliance frameworks.
- Supported Frameworks:
- SOC 2 Type II: Filters logins, config shifts, config changes, and role assignments (CC6.1/7.2/9.2).
- HIPAA: Filters PHI access and activity controls (§164.312).
- ISO 27001: Annex A.9 and A.12 security control trail exports.
- FDA 21 CFR Part 11: Electronic records audits and signatures.
- PCI-DSS v4: Cardholder data environments access logs.
- Custom Export: Custom date ranges and unfiltered records.
- Local ZIP Generation: The dashboard fetches the encrypted database rows, decrypts them client-side in the browser, formats the CSV evidence sheets, and builds the ZIP container locally (via
fflate) so plaintext data never travels over the network.
7. Internal Logs
Section titled “7. Internal Logs”A platform-level security trail tracking critical workspace operations.
- Logs administrative actions such as project creations/deletions, key rotations, settings changes, and SIEM config edits.
- Stores IP addresses, user agents, action names, and exact event logs for compliance and security forensics.
8. Settings
Section titled “8. Settings”Configure workspace settings, organization profile parameters, and billing options.
- General Profile: Edit organization name, timezone, and website domains.
- Subscription Management: View active tier usage, log limits, and upgrade plans.
- Danger Zone: Provides purging operations (gated by passkey re-verification and mandatory compliance exports) to purge all organization projects or permanently delete the user account.