We pull seat usage + audit log from GitHub's own admin API, hash usernames at ingest, and bundle everything monthly into an Ed25519-signed evidence pack. For when compliance or HR asks: 'who has a Copilot seat, when was it activated, when was it last used, what settings changed, and who changed them?'
If your company has Copilot Business or Enterprise, GitHub is the 'provider' of the AI system (they built the model), but YOU are the 'deployer' (you're rolling it out to your employees). Art. 26 puts obligations on deployers:
We provide the logging input. You remain responsible for the judgement.
github.com → Settings → Developer settings → Fine-grained tokens. Scopes: manage_billing:copilot · read:audit_log · read:org. 90-day expiry (we warn 7 days before).
Dashboard → Copilot Audit → '+ Connect org'. We verify the token works immediately (HTTP probe on /orgs/{org}). PAT is AES-256-GCM encrypted before insert — not retrievable via API afterwards.
Our worker runs hourly: pull all seats (snapshot), pull new audit events (cursor pagination, only 'action:copilot.*'). Usernames are SHA256-hashed; only a 4-char prefix is kept for display.
On the 1st of each month, download a signed evidence pack — a gzipped tarball containing seats.jsonl + events.jsonl + manifest.json + manifest.sig. Your auditor can verify it offline with the same tool as for AI observability.
Based on the average seat count over the month (daily snapshots, averaged). A tenant with no connected org pays nothing. No need for the 'Standard' tier of AI observability — Copilot Audit is a separate add-on.
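As an added example (not monsys.ai's own code; the manifest field names and file layout are assumptions), this Go snippet shows the username hashing from the hourly worker and how an evidence pack is built and then verified offline: the Ed25519 signature over the exact manifest.json bytes is checked first, then each file's SHA-256 against the manifest, so a file altered or dropped after signing fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is an assumed layout for manifest.json: the month plus filename -> hex SHA-256.
type Manifest struct {
	Month string            `json:"month"`
	Files map[string]string `json:"files"`
}
// HashUsername applies plain SHA-256 to a login and returns the full digest plus the
// 4-char display prefix. Logins are public, so a keyed HMAC would resist dictionary reversal.
func HashUsername(login string) (full, prefix string) {
	sum := sha256.Sum256([]byte(login))
	full = hex.EncodeToString(sum[:])
	return full, full[:4]
}
// BuildManifest digests every file; encoding/json sorts map keys, so the bytes are canonical.
func BuildManifest(month string, files map[string][]byte) ([]byte, error) {
	m := Manifest{Month: month, Files: map[string]string{}}
	for name, body := range files {
		sum := sha256.Sum256(body)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return json.Marshal(m)
}
// VerifyPack is the auditor's offline check: the Ed25519 signature over the exact
// manifest.json bytes first, then every listed file's digest (missing or altered files fail).
func VerifyPack(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest.sig does not verify over manifest.json")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	for name, want := range m.Files {
		body, ok := files[name]
		if sum := sha256.Sum256(body); !ok || hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s missing from pack or altered after signing", name)
		}
	}
	return nil
}
```

The signer keeps the private key; the auditor only needs the public key, manifest.json, manifest.sig and the unpacked files.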
Example: 30 seats in January, 35 in February → invoice Jan €30, Feb €35.
Billed monthly on the same Stripe invoice as your server monitoring + AI observability. Separate line item 'monsys.ai Copilot Audit — N seats × €1.00'.