Is LRO suitable for compliance and audit requirements?
LRO is built around the things an auditor asks about: who can reach what, who did what, and can anyone in the middle read the data. Here is how each is handled.
An append-only audit log
Actions taken in the panel are recorded to an audit log that is append-only — entries are added, never edited or deleted in place. What gets recorded includes:
- Tunnels & access: tunnels created, updated, deleted, paused and resumed; permissions granted, revoked and changed.
- Accounts & agents: user accounts created, updated and removed; password changes; agent creation, update, removal and capability/mode changes; endpoints created, updated and removed.
- Organizations: invites issued, accepted and revoked, and members joining or leaving.
- Billing & administration: subscriptions started, cancelled, renewed and plan-changed; auto-topup settings and top-ups; pricing-catalog changes (plans, traffic and coin packages); admin balance and credit-limit adjustments.
- Infrastructure: cores registered, removed and drained.
Each entry records the acting user and their IP address — or the system itself for automatic events such as a subscription renewal — and is written in the same database transaction as the change it describes, so the record and the action are committed together, not as a best-effort afterthought. The log captures who did what in the panel; it is not a session or keystroke recorder, and the financial ledger of amounts and balances lives in the separate billing history.
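One way to get the two properties described above (entries that cannot be edited or deleted in place, and an audit record committed in the same transaction as the change), shown as an added example that is not LRO's own code. The SQLite schema, the table and column names and the `pause_tunnel` helper are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema for illustration; not LRO's actual tables.
SCHEMA = """
CREATE TABLE tunnels (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                      paused INTEGER NOT NULL DEFAULT 0);
CREATE TABLE audit_log (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    at       TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    actor    TEXT NOT NULL,   -- user name, or 'system' for automatic events
    actor_ip TEXT,            -- NULL when the actor is the system
    action   TEXT NOT NULL,
    target   TEXT NOT NULL);
-- Append-only: any in-place edit or delete of an entry is rejected.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_db(path=":memory:"):
    # isolation_level=None: no implicit transactions, we issue BEGIN/COMMIT.
    db = sqlite3.connect(path, isolation_level=None)
    db.executescript(SCHEMA)
    return db

def pause_tunnel(db, tunnel_id, actor, actor_ip):
    """Apply the change and write its audit entry in ONE transaction."""
    db.execute("BEGIN IMMEDIATE")
    try:
        cur = db.execute("UPDATE tunnels SET paused = 1 WHERE id = ?", (tunnel_id,))
        if cur.rowcount != 1:
            raise LookupError(f"no tunnel {tunnel_id}")
        db.execute(
            "INSERT INTO audit_log (actor, actor_ip, action, target) VALUES (?, ?, ?, ?)",
            (actor, actor_ip, "tunnel.paused", f"tunnel:{tunnel_id}"),
        )
        db.execute("COMMIT")      # change and record become visible together
    except Exception:
        db.execute("ROLLBACK")    # if either write fails, neither is kept
        raise

if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO tunnels (id, name) VALUES (1, 'office-rdp')")  # constructed sample row
    pause_tunnel(db, 1, "alice", "192.0.2.10")
    print(db.execute("SELECT actor, action, target FROM audit_log").fetchall())
```

Triggers enforce append-only at the SQL layer only; an account that can drop the trigger or write to the database file directly can still alter history, so those privileges need to be restricted separately.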
Operators cannot read your traffic
Tunnel traffic is end-to-end encrypted between the agents. The server relays opaque ciphertext and holds no key to decrypt it, so “the provider can read our sessions” is simply not a risk in the model.
Least-privilege access
Access is granular: organizations group machines, and permissions are assigned per user and per endpoint, so a person sees and reaches only what they have been granted. That maps directly onto least-privilege and separation-of-duties expectations.