Audit Log Policy

Why Audit Logs Matter

In regulated industries, "trust but verify" isn't enough — you need "verify, then prove you verified." Our audit logs create an unbreakable chain of evidence showing exactly who did what, when, and to which resource. This is the foundation that makes SOC 2, HIPAA, ABA, and SEC compliance possible.

What Gets Logged

Event Type	Tier	Examples
Authentication	Tier 1 (Immutable)	Login, logout, MFA challenge, failed auth, session creation
Authorization	Tier 1	Role assignment, permission change, RBAC escalation
Data Access	Tier 1	Document upload, download, view, share, delete
AI Operations	Tier 1	Prompt submitted, model used, response delivered (no prompt content)
Admin Actions	Tier 1	User creation, org settings change, billing update, export request
Client Access	Tier 1	Client portal login, report view, deliverable download
System Events	Tier 2 (Standard)	Background jobs, sync operations, health checks
Web Search	Tier 3 (No Content)	Search event recorded — prompt text NOT stored

Log Entry Schema

Every audit event contains these fields:

Field	Type	Description
event_id	UUID	Globally unique event identifier
event_type	Enum	Categorized action (AUTH_LOGIN, DOC_ACCESS, AI_PROMPT, etc.)
timestamp	ISO 8601	UTC timestamp with millisecond precision
user_id	UUID	Acting user
user_role	Enum	Admin, Manager, Associate, Client
resource_type	String	Document, prompt, user, setting, report
resource_id	UUID	Specific resource affected
client_matter_id	UUID	Associated client/matter (if applicable)
action	String	CREATE, READ, UPDATE, DELETE, EXPORT, SHARE
outcome	Enum	SUCCESS, FAILURE, DENIED
ip_address	String	Client IP (hashed after 90 days)
session_id	UUID	Session correlation

Storage & Retention

Hot Storage (90 days)

Aurora PostgreSQL — fast querying for active investigations, compliance dashboards, and real-time monitoring.

Cold Archive (6 years)

S3 with Object Lock (WORM compliance). Immutable, append-only. Cannot be deleted or modified — even by admins.