Audit Trail - Logging & Compliance
12 min read
Audit Trail Documentation
Version 1.4 | Last Updated: January 2025
ClientFlow maintains comprehensive audit logs of all user actions, data access, and system events for compliance, security, and troubleshooting.
What Gets Logged
| Event Category | Examples | Retention |
|---|---|---|
| Authentication | Logins, logouts, password changes, 2FA | 2 years |
| Data Access | View client, edit payment, delete note | 2 years |
| Data Modifications | Create customer, update appointment | 2 years |
| Administrative | Change settings, add team member | 2 years |
| Payment Events | Card stored, payment processed | 7 years |
| Security Events | Failed logins, suspicious activity | 2 years |
Log Immutability
Audit logs are append-only - they cannot be edited or deleted:
- Database Protection: PostgreSQL policies prevent UPDATE/DELETE
- Tamper Detection: SHA-256 checksums for critical logs
- Weekly Integrity Check: Automated verification of log integrity
Authentication Events
auth.login.success- Successful loginauth.login.failure- Failed login attemptauth.password_changed- Password changeauth.2fa_enabled- Two-factor authentication enabledauth.logout- User logout
Data Access & Modification Events
customer.created/customer.updated/customer.deletedpayment.created/payment.updated/payment.deletednote.created/note.viewedfile.uploaded/file.downloaded/file.deleteddata.exported- Data export requests
Privacy Note: We log WHO accessed WHAT and WHEN, but NOT the actual data content (e.g., "user viewed client 123" not the client's name).
Security Events
| Event | Severity | Auto-Action |
|---|---|---|
| Brute force detected (5+ failures) | Warning | Account locked 30 min |
| API rate limit exceeded | Warning | HTTP 429 throttle |
| Session hijacking detected | Critical | Session invalidated |
| Unauthorized access attempt | Critical | Alert security team |
Accessing Audit Logs
PRO/Team Tier
- Navigate to Settings → Security → Audit Logs
- Filter by date range, action type, severity, or IP address
- Export logs as CSV, JSON, or PDF report
Free/Starter Tier
Last 30 days visible in dashboard (cannot download). Upgrade for full access.
Compliance Mappings
- GDPR Article 30: Records of processing activities
- HIPAA §164.312(b): Audit controls for ePHI access
- SOC 2 TSC CC7.2: System monitoring for security events
- PCI DSS Req 10: Track access to cardholder data
Retention Periods
| Event Category | Retention | Reason |
|---|---|---|
| Payment/Billing | 7 years | Tax/financial records |
| Authentication | 2 years | GDPR, HIPAA compliance |
| Data Access | 2 years | GDPR Article 30 |
| Security Events | 2 years | Incident investigation |
| System/Errors | 30 days | Troubleshooting |
Contact
Audit Log Questions: support@clientflow.center
Compliance Export Requests: compliance@clientflow.center
Data Protection Officer: dpo@clientflow.center
Read time: ~12 minutes | Audience: Compliance Officers, IT Security
Was this helpful?
Related Documents
Featured
Security Whitepaper - Encryption & Data Protection
Comprehensive security architecture, compliance, and best practices
25 minView Details
Featured
GDPR Compliance - Data Protection Guide
How ClientFlow ensures GDPR compliance for your client data
20 minView Details
HIPAA Considerations - Healthcare & Therapy
Using ClientFlow safely for healthcare and therapy practices
15 minView Details