Compliance requires knowing who did what and when.
SOC 2, HIPAA, PCI-DSS, and enterprise customer requirements all ask: who accessed what data, when, from where, and what did they do? Audit logs are the technical answer. Building them correctly means they're tamper-resistant, queryable, and retained for the required period.
Compliance requirement or enterprise customer asking for audit logs — a history of who took which actions in the application, with timestamps and user attribution
Audit logs answer the question: "Who did this, when, and from where?"
This question matters in multiple contexts:
SOC 2 compliance. SOC 2 Type II auditors review whether the organization has controls over data access. Audit logs demonstrate that access to sensitive data is logged and reviewable.
HIPAA. The HIPAA Security Rule requires audit controls: hardware, software, and procedural mechanisms that record and examine activity in information systems that contain ePHI.
Enterprise customer requirements. Larger customers ask during sales due diligence: "Can we see a log of who accessed our data?" Without audit logs, the answer is no.
Incident investigation. When something goes wrong (unauthorized access, data modification), audit logs provide the investigation trail.
The audit log data model:
audit_events {
id
tenant_id
user_id
action (create | read | update | delete)
resource_type (user | document | payment)
resource_id
changes (JSON diff of before/after for updates)
ip_address
user_agent
created_at
}
Implementation considerations:
Tamper-resistance. Audit logs should be append-only — no updates or deletes. Application users should not be able to modify or delete audit records.
Performance. Writing an audit event on every action adds latency. Async logging (fire-and-forget to a queue) keeps the main request fast.
Retention. SOC 2 typically requires 1 year. HIPAA: 6 years. Configure retention policies accordingly.
Queryable. Administrators need to search by user, date range, action type, and resource. Index the relevant columns.
Audit log system that records all sensitive actions with user, timestamp, IP, and action details — queryable by administrators and exportable for compliance review
Audit events table
with full event schema
Middleware or service
that records events on sensitive actions
Admin UI
for searching and filtering audit events
CSV export
for compliance review
Retention automation
that archives old events
One honest number to start.
Fixed-scope, fixed-price. The number below is the starting point — final scope is built from your brief.
Audit log system that records all sensitive actions with user, timestamp, IP, and action details — queryable by administrators and exportable for compliance review
Three steps, every time.
The same repeatable engagement on every project. No surprises, no mystery, no billable ambiguity.
Brief & discovery.
We send you questions, then get on a call. Output: a written scope with every step, feature, and integration listed.
Build & ship.
Fixed schedule, weekly reviews. No scope creep unless you change the scope — and if you do, we reprice it transparently.
Warranty & retainer.
30-day warranty on every launch. Most clients stay on a monthly retainer for ongoing features and maintenance.
Why Fixed-Price Matters Here
Audit log scope is defined by which actions need to be logged. Scoped from the compliance requirements.
Questions, answered.
Minimum: authentication events (login, logout, failed login), sensitive data access (viewing PII), sensitive data modifications (create/update/delete), and permission changes (role assignments).
Server logs record HTTP requests. They're useful for debugging but not compliance-grade. They don't typically capture user context, before/after state, or structured action data.
Tell Ryel about your project.
Describe what you’re building and what outcome you need. You’ll have a written, fixed-price scope within the week.