Articles on: Security & Admin

Compliance & Audits

Compliance & Audits


This article explains what to log and retain for compliance, how to design audit trails for admin actions, and practical steps to prepare for audits (internal or external).




Goals

  • Provide tamper-evident records of administrative and sensitive actions.
  • Establish retention and deletion policies that meet business / regulatory needs.
  • Make it easy to answer audit requests (who did what, when, and from where).




What to log

At a minimum, maintain structured logs for:

  • Authentication events: sign-in, sign-out, failed sign-ins, SSO assertions.
  • Admin actions: user invites, role changes, tenant integration updates (Mapbox, payment connectors), secret rotations. The repository demonstrates activity logging for property create/update events. :contentReference[oaicite:0]{index=0}
  • Data changes to sensitive objects: create/update/delete for clients, properties, invoices, payments, and any PII. Include before/after snapshots for critical fields.
  • Webhook deliveries & external integration errors (push and payment provider deliveries).
  • System events: failed background jobs (geocoding, sync), server-side function failures.


Log metadata to capture:

  • actor (user id / service account), role, IP address, timestamp, tenant/org id, request id/trace id, and correlation ids for related events.




Retention & privacy

  • Define retention periods per data type (for example: audit logs 1–7 years depending on regulation).
  • Implement deletion/archival workflows for tenant data when a tenant requests data removal or when retention periods expire.
  • Mask or redact sensitive data in logs where possible (payment card numbers, full PII). Store only the minimum required for auditing and troubleshooting.




Tamper resistance & integrity

  • Forward logs to an append-only store or a managed logging service that offers immutability and access controls (e.g., cloud logging, Splunk, ELK with guarded write access).
  • Protect log integrity by limiting write access to logs and enabling logging of log-access events.




Audit readiness checklist

  • [ ] Audit log coverage: auth events, admin actions, data changes, integrations, and errors. :contentReference[oaicite:1]{index=1}
  • [ ] Centralized log collection and retention policy.
  • [ ] Role-based access to logs and an audit trail for log access.
  • [ ] Documented data retention & deletion policies and a tested workflow for tenant data removal.
  • [ ] Periodic review of logs and an incident response plan that references log artifacts.




Practical notes

  • Use structured JSON logs to make queries and export for regulators simple.
  • Correlate client-side errors (Sentry) with server-side logs (request id) for complete audit trails — the project includes Sentry for error monitoring. :contentReference[oaicite:2]{index=2}


Updated on: 10/01/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!