Audit Log Retention Policy

Effective Date: January 1, 2025

1. Purpose

This Audit Log Retention Policy defines what activities Summit Digital Innovations logs, how long audit logs are retained, and how they are used to ensure security, compliance, and accountability.

2. Scope

This policy applies to all audit logs generated by the Summit Digital Innovations platform, including:

• User authentication and access events
• Financial record changes (create, update, delete, void)
• Permission and role changes
• Security events (failed logins, suspicious activity)
• System configuration changes
• API access logs

3. What We Log

3.1 Authentication Events

Logged Events:

• Successful logins (user, timestamp, IP address, device type)
• Failed login attempts (username, timestamp, IP address, failure reason)
• Logouts (user, timestamp)
• Multi-factor authentication (MFA) events (method used, success/failure)
• Password changes and resets
• Session expirations and revocations

Purpose: Detect unauthorized access attempts, monitor account security, investigate security incidents.

3.2 Financial Record Changes

Logged Events:

• Invoice creation, updates, voids, and deletions
• Bill creation, updates, voids, and deletions
• Payment applications and reversals
• Journal entry creation and modifications
• Account creation and updates (Chart of Accounts)
• Bank reconciliation approvals
• Customer and vendor record changes

Log Details:

• Who: User ID, name, and role
• What: Record type, record ID, action (create/update/delete/void)
• When: Timestamp (UTC)
• Before/After: Field-level changes (old value → new value)
• Why: Reason for change (if provided, e.g., void reason)

Purpose: Audit trail for financial compliance, fraud detection, dispute resolution, regulatory audits.

3.3 Permission and Role Changes

Logged Events:

• User role assignments and removals
• Custom role creation, updates, and deletions
• Permission grants and revocations
• Company access grants (user added to company)
• Company access removals (user removed from company)

Purpose: Track access control changes, detect privilege escalation, investigate unauthorized access.

3.4 Security Events

Logged Events:

• Failed login attempts (repeated failures may indicate brute force attack)
• Account lockouts
• Suspicious activity (unusual IP addresses, device types, access patterns)
• MFA enrollment and removals
• Password policy violations
• API authentication failures

Purpose: Detect and respond to security threats, prevent account compromise, investigate incidents.

3.5 System Configuration Changes

Logged Events:

• Company profile updates
• Stripe Connect account linking
• Bank feed connections (Plaid)
• Tax rate configuration changes
• Closing period locks

Purpose: Track administrative changes, troubleshoot configuration issues.

3.6 API Access

Logged Events:

• API authentication attempts
• API endpoint access (method, path, response status)
• Rate limit violations
• API key creation and revocation

Purpose: Monitor API usage, detect abuse, troubleshoot integration issues.

4. What We Do NOT Log

To protect privacy and security, we do NOT log:

• Passwords: Never logged in plaintext or hashed form
• MFA Codes: Verification codes are never logged
• Credit Card Numbers: Full card numbers are never logged (we use Stripe, which handles card data)
• Social Security Numbers: SSNs are never logged in audit trails
• Banking Credentials: Plaid handles bank credentials; we never see or log them

5. Retention Periods

5.1 Active Audit Logs

Retention Period: 90 days in active database

Access: Available to users in "Activity Log" report within the application

Storage: PostgreSQL database with indexed queries for fast retrieval

5.2 Archived Audit Logs

Retention Period: 90 days to 1 year in cold storage

Access: Available to Summit staff for security investigations and compliance audits

Storage: AWS S3 with restricted access

5.3 Purge After Retention Period

Automated Deletion: After 1 year, audit logs are permanently deleted

Rationale: Balances security monitoring needs with privacy obligations

Exception: Logs related to ongoing security incidents, legal investigations, or regulatory audits may be retained longer as required by law

6. Audit Log Access

6.1 User Access

Users can view their own activity and company-wide activity (if authorized) via the "Activity Log" report:

• Location: Settings → My Activity Log
• Filter By: User, date range, action type, record type
• Export: Download CSV for external audit or backup
• Permissions: Users see only logs for companies they have access to

6.2 Internal Access

Summit staff access to audit logs is restricted:

• Platform Admins: Can view all audit logs for security monitoring and incident response
• Customer Support: Cannot access audit logs unless explicitly authorized by the customer
• Access Logged: All internal audit log access is itself logged for accountability

6.3 Third-Party Access

Audit logs are never shared with third parties except:

• As required by court order or legal process
• With explicit customer consent for troubleshooting or audits
• Anonymized/aggregated data for security research (no PII included)

7. Security of Audit Logs

7.1 Immutability

Audit logs are immutable:

• No Editing: Once written, audit log entries cannot be modified
• No Deletion: Individual log entries cannot be deleted before retention period expires
• Tamper Detection: Logs are integrity-checked to detect unauthorized modifications

7.2 Encryption

Audit logs are encrypted:

• In Transit: TLS 1.3 for all log transmission
• At Rest: AES-256 encryption in database and S3 storage

7.3 Access Controls

Access to audit logs is restricted via role-based access control (RBAC):

• Database Level: Read-only access for audit log tables
• Application Level: Permission checks before displaying logs
• Administrative Access: Requires MFA and logged for accountability

8. Audit Log Use Cases

8.1 Security Incident Investigation

When a security incident is detected, audit logs are used to:

• Identify the source and scope of the breach
• Determine what data was accessed or modified
• Track the timeline of events
• Identify affected users and accounts

8.2 Compliance Audits

During financial or regulatory audits, audit logs provide:

• Proof of who made changes to financial records
• Timeline of when changes occurred
• Before/after values for modified records
• Evidence of access controls and segregation of duties

8.3 Dispute Resolution

Audit logs help resolve disputes about:

• Who created or voided an invoice
• When a payment was applied
• Who changed account settings
• Whether a user had permission to perform an action

8.4 Performance Monitoring

Anonymized audit log data is used to:

• Identify slow or failing operations
• Optimize database queries
• Improve user experience

9. Compliance with Regulations

9.1 SOX Compliance (Sarbanes-Oxley Act)

For public companies and their service providers, audit logs support SOX compliance by:

• Maintaining audit trails of financial record changes
• Demonstrating segregation of duties
• Preventing unauthorized access to financial data

9.2 GDPR Compliance

Under GDPR, users have the right to know how their data is processed. Our audit logs:

• Demonstrate accountability (Article 5(2))
• Support data subject access requests (Article 15)
• Provide evidence of lawful processing (Article 6)

9.3 IRS Requirements

Audit logs support IRS recordkeeping requirements by:

• Tracking changes to financial records
• Providing evidence of transaction authenticity
• Supporting tax return accuracy

10. User Rights

10.1 Access Your Audit Logs

You can access your activity log at any time via Settings → My Activity Log.

10.2 Export Your Audit Logs

You can download a CSV export of your activity log for external backup or audit.

10.3 Request Full Audit Trail

For compliance audits or legal purposes, you can request a complete audit trail by contacting privacy@summit-di.com. We will provide audit logs in a machine-readable format (CSV or JSON).

10.4 Audit Log Deletion

Audit logs are automatically deleted after 1 year. If you close your account, audit logs are retained for the full 1-year period even after account closure (to support security investigations and legal requirements).

11. Changes to This Policy

We may update this policy to reflect changes in logging practices, legal requirements, or security best practices. Material changes will be communicated via:

• Email notification to active account holders
• In-app notice upon next login
• Updated effective date on this page

12. Contact Us

For questions about audit logs or to request a full audit trail:

Summit Digital Innovations
Email: privacy@summit-di.com
Security: security@summit-di.com
Support: support@summit-di.com

Related Policies:

• Privacy Policy
• Data Retention & Deletion Policy
• Backup Retention Policy
• Information Security & Incident Response Policy
• All Policies