ITSM platforms with SOC 2 and HIPAA compliance and full audit trails
Serval, Jira Service Management, ServiceNow, and Freshservice all hold SOC 2 certifications, but they differ significantly on audit trail depth, HIPAA support, and whether automated actions produce exportable per-run logs. Compliance-driven IT buyers need a platform their security team will approve, their auditors will accept as evidence, and their IT team can actually use to automate work. That last part is where most evaluations break down: a platform can hold a stack of certification badges and still produce audit logs that a real compliance reviewer will reject.
This article compares ITSM platforms on what actually matters during a security review: certification status, audit trail granularity, access review exports, self-hosting options for data residency, and whether automated actions are logged in a way that is meaningful to an auditor.
What compliance-ready ITSM platforms actually need to provide
Before evaluating vendors, it helps to be precise about what you are actually evaluating. Four things matter.
1. Certifications on the platform itself. SOC 2 Type II means an independent auditor reviewed the vendor's controls over a six-month-plus period. That is meaningfully different from SOC 2 Type I, which is a point-in-time assessment, or a self-attested questionnaire. Ask for the current attestation report. A marketing badge is not the same thing.
HIPAA is a framework, not a certification. What matters is whether the vendor will sign a Business Associate Agreement (BAA) and what their data handling controls look like in practice. Verify which deployment models are covered.
2. Audit trail completeness. Does the platform log every automated action, or only ticket events? A meaningful audit log captures who triggered an action, what inputs were passed, what each step's output was, and the precise timestamp. "About a year ago" is not a timestamp. One IT team switching platforms discovered their previous ITSM showed relative timestamps in its audit logs rather than exact dates with times. Their compliance auditors rejected the export outright. Evaluate whether the log is exportable as CSV or JSON and whether it is formatted for a compliance reviewer, not just an internal admin.
3. Access review support. For SOC 2 and ISO 27001, auditors expect a documented record of who had access to what, when it was granted, who approved it, and when it was revoked. That should be a one-click export from your ITSM, not a multi-day manual data extraction.
4. Data control options. For HIPAA and data residency requirements, ask whether you can self-host or run a hybrid deployment where integration credentials and sensitive data never leave your infrastructure. Many platforms offer cloud-only hosting, which creates a hard stop for certain regulated industries.
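As an added example (not Serval's or any other vendor's code), this is the kind of pre-flight check a compliance engineer can run over a JSON audit export before handing it to an auditor: it flags missing fields, relative phrases such as "about a year ago" in place of timestamps, date-only values with no time, and workflow steps with no recorded output. The field names and sample records are assumed, not any platform's real export layout.

```python
# Pre-flight check on an exported ITSM audit log before it goes to an auditor.
# Constructed example: field names and sample rows are assumed, not a vendor's format.
import json
import re
from datetime import datetime

# Fields an auditor expects per workflow run and per access-review record (assumed names).
RUN_LOG_FIELDS = {"run_id", "triggered_by", "inputs", "steps", "status", "timestamp"}
ACCESS_REVIEW_FIELDS = {"user_email", "granted_at", "approved_by", "approved_at",
                        "revoked_at", "justification"}
# Relative phrases are not timestamps; an export containing them gets rejected.
RELATIVE_RE = re.compile(r"\b(ago|yesterday|today|last (week|month|year))\b", re.I)

def is_absolute_timestamp(value):
    """True only for an ISO-8601 date-time that carries an explicit UTC offset."""
    if not isinstance(value, str) or RELATIVE_RE.search(value):
        return False
    try:  # replace() keeps the trailing 'Z' form working on Python < 3.11
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False

def check_export(records, required, time_fields, key, nullable=()):
    """Map of record key -> findings; records with no findings are omitted."""
    report = {}
    for r in records:
        findings = [f"missing field: {f}" for f in sorted(required - r.keys())]
        for f in time_fields:
            if r.get(f) is None and f in nullable:  # e.g. access that is still active
                continue
            if not is_absolute_timestamp(r.get(f)):
                findings.append(f"{f} is not an absolute timestamp: {r.get(f)!r}")
        for i, step in enumerate(r.get("steps", [])):  # per-step output and time (run logs)
            if "output" not in step:
                findings.append(f"step {i} has no recorded output")
            if not is_absolute_timestamp(step.get("completed_at")):
                findings.append(f"step {i} completed_at is not absolute")
        if findings:
            report[r.get(key, "<missing key>")] = findings
    return report

def check_run_log(records):
    return check_export(records, RUN_LOG_FIELDS, ["timestamp"], "run_id")

def check_access_reviews(records):
    return check_export(records, ACCESS_REVIEW_FIELDS,
                        ["granted_at", "approved_at", "revoked_at"], "user_email", ("revoked_at",))

# Constructed sample export: run-1 passes, run-2 shows the relative-timestamp failure.
SAMPLE_RUNS = json.loads("""[
 {"run_id": "run-1", "triggered_by": "alice@example.com", "inputs": {"user": "bob"},
  "steps": [{"name": "lookup", "output": {"id": 7}, "completed_at": "2026-04-02T10:15:03Z"}],
  "status": "success", "timestamp": "2026-04-02T10:15:00Z"},
 {"run_id": "run-2", "triggered_by": "scheduler", "inputs": {},
  "steps": [{"name": "export"}], "status": "success", "timestamp": "about a year ago"}
]""")
SAMPLE_ACCESS = [  # eve's record lacks approved_by and has a date-only granted_at
 {"user_email": "bob@example.com", "granted_at": "2026-04-02T10:16:00Z", "approved_by": "alice",
  "approved_at": "2026-04-02T10:15:30Z", "revoked_at": None, "justification": "on-call"},
 {"user_email": "eve@example.com", "granted_at": "2026-04-01", "revoked_at": "2026-04-01T17:00:00Z",
  "approved_at": "2026-04-01T09:00:00Z", "justification": "migration"}]
```

Run `check_run_log(SAMPLE_RUNS)` and `check_access_reviews(SAMPLE_ACCESS)` against a real export by swapping in the field names of your platform; an empty dict means nothing an auditor would bounce.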
The criteria used to evaluate each platform in this article
| Criterion | What to check |
| --- | --- |
| SOC 2 Type II | Attested report available, not just claimed |
| HIPAA | Business Associate Agreement (BAA) available |
| GDPR | Data Processing Addendum (DPA) pre-signed |
| ISO 27001 | Certification status |
| Workflow audit trail | Step-by-step log per automated run, exportable |
| Access review logs | Per-user provisioning/deprovisioning history, downloadable |
| Self-hosting | Available for data residency or air-gap requirements |
| RBAC and build controls | Role-based controls separating who builds vs. who runs automations |
Which ITSM platforms meet compliance requirements for SOC 2, HIPAA, and audit trails
1. Serval
Certifications: SOC 2 Type II (attested), GDPR (compliant, DPA available). HIPAA requirements addressed via self-hosted and hybrid deployment (not a certification; BAA and deployment details available from Serval directly). ISO 27001 is in progress as of the time of writing.
Serval's security architecture is built around all four evaluation criteria above, not retrofitted to meet them. The compliance differentiators that matter most for security reviewers and auditors are below.
Deterministic workflows mean auditable automation. Serval's Automation Agent generates each workflow as explicit TypeScript code at build time: the AI translates a plain-language description into code during authoring, then steps out entirely. At runtime the code executes deterministically, with no LLM writing code on the fly and no large language model making judgment calls on your production systems. The code runs exactly as written, every time, so every workflow run is fully reproducible and directly auditable: you can hand the code to a security reviewer the same way you would hand over application code.
Step-by-step run logs, exportable. Every workflow run captures: who triggered it, what inputs were passed, each step's output, duration, and final status. Logs are exportable as CSV or JSON and are designed explicitly for compliance use cases including SOC 2 evidence collection and incident response review. There are no relative timestamps. Every entry is a precise date-time record.
Version control on all published automations. Every published workflow tracks timestamps and authors. Prior versions can be restored at any time. Teams can use the Serval CLI to pull workflows into Git for the same code review process applied to application code. A security reviewer can see exactly what changed, when, and who approved it.
Access review exports with the full approval chain. Serval's access management module generates downloadable logs per role or across the entire organization. Each record includes: user name and email, access start and end dates, request and approval timestamps, approver identity, current access status, policy name, business justification provided, and revocation reason. These fields are designed specifically for SOC 2 Type II, ISO 27001, and GDPR audit evidence. They are not reconstructed from ticket data after the fact: the structured record is created at the time of the access event.
Automated access review workflows. IT teams can build scheduled workflows that generate access reports on a defined cadence: weekly admin access reviews, monthly compliance reports, quarterly contractor expiration checks. These run without manual prompting and produce audit-ready exports automatically.
RBAC enforced at the platform level. Serval has five roles: Agent, Viewer, Contributor, Builder, and Manager. Only Builders and above can create or edit custom workflows. Only Managers can configure integrations and team settings. A standard help desk agent cannot reach the workflow builder. This is enforced in the product, not an optional setting.
Hybrid and fully self-hosted deployment. For HIPAA requirements and data residency constraints, Serval offers both fully self-hosted and hybrid self-hosted deployment. In the hybrid model, a worker runs entirely within your infrastructure and integration credentials never leave your cluster. Serval's documentation explicitly lists SOC 2, HIPAA, and similar compliance requirements as qualifying use cases for hybrid deployment.
Vanta integration. Serval connects natively to Vanta, allowing teams to query compliance status, retrieve audit evidence, and manage security policies through automated workflows. Evidence collection that would otherwise require manual exports can be triggered on a schedule directly from the help desk.
Customer proof:
Security teams at Together AI, Perplexity, and Mercor describe the transparency of automated actions as a deciding factor.
Todd Thiel, Senior Manager of Enterprise Security at Together AI, describes how Serval handles access authorization: "Serval is performing all of the authorization logic for granting access to infrastructure for us, and it's doing it in a transparent way." Together AI automates 95% of its just-in-time access requests through Serval, with automatic deprovisioning removing access at the end of each approved window without relying on a human to remember.
Kyle Polley, Security at Perplexity, puts the access control approach in direct terms: "Serval helps us practice the principle of least privilege by working with employees to identify the minimum level of access required, and ensuring it is granted only for the necessary duration. It's becoming an extension of our security team."
At Mercor, engineers submit SQL queries directly in Slack. Serval validates each request and routes it to 14 database administrators for single-click approval, maintaining a complete audit trail of every access grant from submission through approval through revocation.
2. Jira Service Management
Certifications: SOC 2 (verify Type I or Type II status directly with Atlassian), ISO/IEC 27001, ISO/IEC 27018, GDPR (DPA pre-signed), PCI DSS. FedRAMP Moderate for Jira, Confluence, and JSM, making it viable for government and regulated public sector buyers.
Atlassian's Trust Center is mature and well-documented. Enterprise security controls are available through Atlassian Guard, which adds SAML SSO, SCIM provisioning, and audit logs at the account level. AES-256 encryption at rest and TLS 1.2+ in transit are standard.
What JSM does not provide for compliance buyers: HIPAA is not listed in JSM's compliance certifications. Teams with HIPAA requirements should verify directly with Atlassian. Automation in JSM is a rules-based configuration engine, not auditable code. There is no equivalent of a per-run, per-step log that captures inputs and outputs for each automation execution. Access review exports are not a native one-click function and generally require manual reconstruction from ticket history.
As JSM expands its AI capabilities through Rovo, the transparency of what AI-driven actions log for compliance purposes is a legitimate open question for security reviewers.
Best for: Enterprise and public sector buyers with FedRAMP requirements, existing Atlassian estates, and compliance needs that center on ticket-level audit logs rather than workflow-level audit trails.
3. ServiceNow
Certifications: SOC 2 Type II, ISO 27001, HIPAA, HITRUST, PCI DSS. FedRAMP High (Government Cloud) for federal agencies. The broadest compliance certification coverage of any platform in this list.
For large regulated enterprises in healthcare, financial services, and government, ServiceNow is frequently the default choice because of its certification breadth and its history in those verticals. Full audit log capability is available, and compliance-specific functionality is provided through the GRC module.
What to weigh against that: ServiceNow's compliance features are largely gated behind its GRC module and require significant implementation effort to configure. Audit trails for AI-driven automation specifically are newer and less documented. Time to value is measured in months. Most compliance teams working with ServiceNow have dedicated ITSM administrators and implementation partners.
For IT teams at companies under 5,000 employees who want audit-ready automation without a long implementation runway, ServiceNow's compliance coverage rarely justifies the cost and complexity.
Best for: Large enterprises with existing ServiceNow investments, dedicated ITSM administration teams, and compliance requirements that span multiple regulated verticals simultaneously.
4. Freshservice
Certifications: SOC 2 Type II, ISO 27001, GDPR. HIPAA compliance is available on certain plans: verify current plan coverage and BAA availability directly with Freshworks.
Freshservice's compliance posture is solid for mid-market ITSM. Audit logs are available at the account level, with IP allowlisting and SSO support. Workflow automations are rules-based: run logs exist but are not the equivalent of step-by-step code execution logs that capture inputs and outputs per step.
The native access management capability is where Freshservice is weakest relative to compliance requirements. Just-in-time access provisioning with a full automated audit chain is not a core feature. Access review generation is manual or requires third-party tooling. Freshservice's AI features (Freddy AI) are add-on layers on top of the existing platform, with limited documentation on what those AI actions log for compliance purposes.
Best for: Mid-market IT teams that need solid baseline compliance coverage and are not operating in heavily regulated industries with complex access review requirements.
How to choose the right compliance-ready ITSM for your team
The right platform depends on what your compliance framework actually requires, not on which vendor has the longest list of badges.
If your security team needs SOC 2 Type II evidence from access provisioning, look for ITSM platforms where every access request creates a structured record with its approval chain, not a sidecar integration that reconstructs history after the fact. Serval generates this as a native output of every access event. JSM's access review requires manual reconstruction from ticket history, as noted in the JSM section above.
If you need HIPAA compliance and are considering self-hosting, Serval's hybrid and fully self-hosted options address this directly. ServiceNow Government Cloud covers it for large enterprises with the budget for full implementation. JSM does not list HIPAA on its security page.
If you need to prove that automated actions are auditable and deterministic, Serval is the only platform in this list where every workflow run produces a step-by-step, exportable log of exactly what code ran, what inputs it received, and what the output was. Because the automation is deterministic code rather than an AI decision at runtime, there is no ambiguity about what happened or why.
If you are already on ServiceNow and looking to add AI-driven automation with a cleaner audit trail, Serval works as a complementary layer. It handles access management and request automation with structured per-run logs, while ServiceNow continues to own the enterprise ticket workflows it was built for.
If you are switching from a legacy ITSM and need to rebuild your audit trail from scratch, evaluate whether your new platform creates structured records at the time of each event or reconstructs them from ticket history. Event-time records are what auditors expect.
Frequently asked questions
Which ITSM tools are SOC 2 Type II certified?
Serval (SOC 2 Type II attested, GDPR), Jira Service Management (SOC 2, ISO 27001, FedRAMP Moderate), ServiceNow (SOC 2 Type II, FedRAMP High, HIPAA, ISO 27001), and Freshservice (SOC 2 Type II, ISO 27001, GDPR) all hold SOC 2 certifications. Always request the current attestation report, not just the badge. SOC 2 Type II, audited over a six-month period or longer, is the meaningful standard for enterprise compliance buyers. SOC 2 Type I is a point-in-time assessment and does not carry the same weight with auditors. For JSM, confirm whether the current attestation is Type I or Type II directly with Atlassian.
What IT automation platforms provide HIPAA-compliant audit trails?
HIPAA compliance for an ITSM platform requires a signed BAA and documented data handling controls. Serval addresses HIPAA requirements through its self-hosting options: integration credentials and application data remain within your infrastructure in the hybrid or fully self-hosted deployment model. ServiceNow Government Cloud covers HIPAA for large regulated enterprises. For Freshservice and JSM, verify HIPAA support and BAA availability directly with the vendor for your specific plan and deployment configuration.
Which platforms log every automated action for compliance review?
Serval is the only AI-native ITSM platform in this comparison where every automated workflow run produces a step-by-step exportable log: inputs, outputs, the identity of who triggered it, each step's status, and a precise timestamp. Because Serval workflows execute as deterministic TypeScript code rather than AI decisions at runtime, the log is a direct record of what code ran and what the outcome was. JSM and Freshservice provide audit logs at the account and ticket level, but do not offer per-automation run logs with input-output capture at each step.
What ITSM software supports SOC 2 evidence collection?
Serval connects natively to Vanta, allowing compliance teams to automate evidence retrieval through scheduled workflows. Access review exports include provisioning and deprovisioning timestamps, approver chain, justification, and revocation reason formatted for SOC 2 Type II audit evidence. Workflow run logs are exportable as CSV or JSON. JSM and Freshservice both support SOC 2 through account-level audit logs and Atlassian Guard (JSM) or manual reporting; neither provides the same depth of per-workflow-run evidence that Serval generates natively.
Which IT service management tools support GDPR data residency requirements?
For data residency requirements, Serval's fully self-hosted and hybrid deployment options allow all application data and integration credentials to remain within your own infrastructure. JSM and Freshservice operate as cloud services with regional data centers. ServiceNow offers private cloud and Government Cloud options for stricter data residency requirements. For GDPR specifically, Serval, JSM (Atlassian DPA), and Freshservice all provide pre-signed Data Processing Addenda.
Where is Serval on ISO 27001?
Serval is SOC 2 Type II attested. HIPAA requirements are addressed through self-hosted and hybrid deployment options, which allow healthcare-adjacent organizations to meet data residency and access control obligations without routing PHI through vendor infrastructure. ISO 27001 certification is in progress as of April 2026. If ISO 27001 is a hard requirement, confirm current status with the Serval team directly.