Skip to main content

Audit Trail Design

Status: DRAFT Owner: Engineering Last Review: 2026-02-21 Applicable Standards: SOC 2 (CC4.1, CC4.2, CC7.2, CC7.3) / GDPR (Art. 30) / SEC (recordkeeping)

1. Purpose

This document describes the audit trail mechanisms in the Equa platform — how user actions, system events, and AI agent operations are recorded, stored, and surfaced. It identifies gaps in the current implementation and recommends improvements to meet SOC 2, GDPR, and SEC recordkeeping requirements.

2. Scope

ComponentIn ScopeNotes
equa-serverYesActions table, EventLogs table, activity module
equa-server (agent)YesAgent audit logger with sensitive field sanitization
equa-webPartialDashboard display of organization activity
PostgreSQLYesAudit data storage
For the full technical architecture, see Event and Activity Model.

3. Current Implementation

The platform uses a dual audit system: structured Actions for high-level user operations and flexible EventLogs for detailed event records.

3.1 Actions Table

Source: equa-server/modules/persistence/src/schema.ts (Actions entity)
ColumnTypePurpose
hashHash (PK)Content-addressable identifier (extends HashedTable)
organizationUUID (nullable)Organization context (nullable for user-level actions)
typeUUIDAction type identifier (links to action type definitions)
userUUIDUser who performed the action
createdDateTimestamp (@CreateDateColumn)
formatsmallintSchema version number (default: 1)
Key characteristics:
  • Content-addressable: The hash-based primary key means identical actions produce the same hash, providing implicit deduplication
  • Immutable by design intent: The HashedTable base class uses the hash as the primary key, making updates semantically incorrect (a modified record would have a different hash). However, DELETE operations are not prevented at the database level
  • No payload field: The Actions table stores only the action type UUID — detailed context must be correlated from other sources

3.2 EventLogs Table

Source: equa-server/modules/persistence/src/schema.ts (EventLogs entity)
ColumnTypePurpose
idUUID (PK)Unique event identifier
typestringEvent type (e.g., "login", "share_transfer", "document_upload")
userUUID (nullable)User who triggered the event
organizationUUID (nullable)Organization context
dataJSONArbitrary event payload (flexible schema)
createdDateTimestamp
modifiedDateLast modification timestamp
Key characteristics:
  • Flexible schema: The data JSON field can store any structured payload, making it adaptable to new event types without schema migrations
  • Mutable: Both created and modified timestamps exist, and the record can be updated or deleted
  • Semi-queryable: JSON payloads can be queried via PostgreSQL JSON operators, but there are no dedicated indexes on the data field

3.3 Activity Flow

3.4 Activity API Endpoints

Source: equa-server/modules/api/src/endpoints/activity-endpoints.ts
MethodPathPermissionPurpose
POST/organization/:organization/actioncanViewOrganizationCreate an action record
GET/organization/:organization/actioncanViewOrganizationRetrieve actions for an organization

4. Agent Audit Logger

Source: equa-server/modules/agent/src/security/guardrails.ts The AI agent (Equanaut) has a dedicated audit logger that records all tool executions with enhanced detail.

4.1 Logged Fields

FieldDescription
Tool nameWhich tool was invoked
ArgumentsInput parameters (sanitized — see 4.2)
Resultsuccess, failed, or cancelled
UserUser who initiated the agent session
OrganizationTarget organization
Conversation IDLinks to the agent conversation context
Execution timeDuration in milliseconds

4.2 Sensitive Field Sanitization

Before logging tool arguments, the audit logger redacts values for fields matching these patterns:
PatternExample Fields Redacted
passwordUser passwords, temporary passwords
tokenOAuth tokens, API keys
secret2FA secrets, client secrets
apiKeyProvider API keys
credentialStored credentials
Sanitized fields are replaced with [REDACTED] in the log output.

4.3 Agent Rate Limit Logging

The guardrails system also logs rate limit events:
EventTrigger
Tool call rate exceededMore than 30 tool calls per minute (configurable)
Write rate exceededMore than 10 write operations per minute (configurable)
Destructive rate exceededMore than 5 destructive operations per hour (configurable)

5. Frontend Display

Source: equa-web/src/modules/organization-dashboard/ The organization dashboard displays recent actions for the active organization, providing visibility into team activity. This is a read-only view that queries the activity API endpoints.

6. Audit Trail Gaps

6.1 Mutability

Both actions and event_logs tables allow UPDATE and DELETE operations at the database level. While the HashedTable pattern for Actions discourages updates (the hash would change), there is no technical enforcement preventing deletion of audit records.Risk: An attacker with database access could delete or modify audit records to cover their tracks.

6.2 No Before/After State Tracking

Neither audit system captures the state of an entity before and after a change. For example, when a shareholding is modified, the log records that a change occurred and who made it, but not what the previous values were.Risk: Forensic investigation of unauthorized changes requires correlating multiple data sources and cannot definitively reconstruct the state at a given point in time.

6.3 No Comprehensive Coverage

Not all state-changing operations in the platform trigger audit log entries. The audit system is opt-in — each endpoint must explicitly call the activity module to create records.Risk: Some operations may not be captured, creating blind spots in the audit trail.

6.4 No Log Export or Compliance Reporting

There is no mechanism to export audit logs in a standardized format (e.g., CSV, SIEM-compatible JSON) or to generate compliance reports from the audit data.Risk: Manual effort required for audit preparation and regulatory reporting.

6.5 No External Log Shipping

Audit logs are stored only in the application database. There is no log shipping to external, append-only storage (e.g., AWS CloudWatch, Datadog, Splunk).Risk: If the database is compromised, all audit data is compromised.

6.6 No Real-Time Alerting

There is no real-time monitoring or alerting on audit events. Suspicious patterns (e.g., bulk data access, privilege escalation, off-hours activity) are not detected automatically.Risk: Security incidents may go undetected until manual review.

7.1 Priority 1: Immutable Audit Storage

ImprovementImplementation
Append-only audit tableCreate a new audit_log table with database-level REVOKE DELETE, UPDATE on the application role
Structured payloadsInclude entity_type, entity_id, action, before_state (JSON), after_state (JSON), ip_address, user_agent
Trigger-based captureUse PostgreSQL triggers on critical tables (users, shareholdings, members, roles) to auto-capture before/after states

7.2 Priority 2: External Log Shipping

ImprovementImplementation
Ship to cloud loggingConfigure PostgreSQL logical replication or application-level shipping to AWS CloudWatch Logs or a SIEM
Separate retentionExternal logs retained for 7+ years (SEC requirement) independently of the application database
Tamper evidenceExternal storage provides an independent copy that cannot be altered by application-level access

7.3 Priority 3: Comprehensive Coverage

ImprovementImplementation
Middleware-level loggingAdd Express middleware that automatically logs all state-changing requests (POST, PUT, PATCH, DELETE)
Opt-out instead of opt-inDefault to logging all mutations; require explicit exclusion for non-sensitive operations
Include request metadataLog IP address, user agent, request ID for correlation

7.4 Priority 4: Monitoring and Alerting

ImprovementImplementation
Anomaly detectionAlert on: bulk data access (>100 records/min), off-hours admin operations, repeated auth failures, privilege escalation
SIEM integrationForward structured audit events to a SIEM platform for centralized monitoring
DashboardBuild an audit dashboard showing event volume, unusual patterns, and compliance metrics

7.5 Priority 5: Export and Reporting

ImprovementImplementation
Audit export APINew endpoint to export audit logs as CSV or JSON with date range and entity filters
Compliance reportsPre-built report templates for SOC 2 auditors (access reviews, change logs, incident timelines)
GDPR Art. 30 reportAutomated Records of Processing Activities report generation

8. What Should Be Audited

For SOC 2 and SEC compliance, the following events should be captured in the audit trail:
CategoryEvents
AuthenticationLogin success/failure, logout, password change, 2FA enable/disable, magic link generation
AuthorizationRole assignment/removal, permission changes, member addition/removal
Equity OperationsShare issuance, transfer, cancellation, option grant, exercise, vesting events
Document OperationsUpload, download, delete, rename, data room access grant/revoke
Financial OperationsPayment creation, billing changes, subscription modifications
Organization ManagementCreate, update, delete organization, settings changes
Admin OperationsSite admin actions, user enable/disable, global role assignments
Agent OperationsTool calls (already logged), confirmation requests, rate limit events

9. Regulatory References

StandardRequirementCurrent Status
SOC 2 CC4.1Design and implement monitoring activitiesGap — no real-time monitoring or alerting
SOC 2 CC4.2Evaluate and communicate deficiencies in a timely mannerGap — no automated deficiency detection
SOC 2 CC7.2Monitor system components for anomaliesGap — only health check exists
SOC 2 CC7.3Evaluate security events to determine incidentsPartial — agent audit logger exists, but no general event evaluation
GDPR Art. 30Records of processing activitiesPartial — EventLogs capture some processing, but not comprehensive
SEC 17a-4Recordkeeping for financial recordsGap — audit logs are mutable and not exported

10. Revision History

DateVersionAuthorChanges
2026-02-210.1Agent (Phase 5 Session A)Initial draft from code analysis