Audit trail.

Vericto's immutable record of every evaluation decision: what gets stored, how to view and filter it, how long it is kept, and how to export it as compliance evidence.

Overview

The audit trail is the chronological, immutable record of every decision Vericto makes when it evaluates a query. Each time a query passes through the rules engine, Vericto notes what was evaluated, which rule applied, and what the outcome was. Nothing is overwritten or deleted early: it is a write-only log meant to be a source of truth.

This record is built for compliance. If your organization needs to prove that data access controls exist and are applied consistently, the audit trail is the direct evidence SOC2 or ISO 27001 auditors expect to see.

The audit trail is immutable. Events are not edited or deleted manually. Records older than your plan's retention window stop being returned, but while they are within the window they remain intact exactly as they were recorded.

What gets recorded

Each audit trail entry represents an evaluation decision and captures the following fields:

  • Query: the statement that was evaluated. It may appear in full or with normalized literals depending on the telemetry mode, and its text may be encrypted at rest.
  • Status: the outcome of the decision, one of blocked, allowed, or warning.
  • Severity: the risk level associated with the rule that triggered the decision.
  • Rule code: the identifier of the applied rule, to trace exactly which control acted.
  • Database: the connected database against which the query was evaluated.
  • Latency: how long the evaluation took, useful for checking Vericto's impact on your query path.
  • Timestamp: the exact moment of the decision, the basis of the timeline.

Together, these fields answer concrete questions: which query was blocked, by which rule, on which database, and when. That is exactly the kind of traceability a data access audit requires.

How to view it

The audit trail is viewed in Dashboard → Audit. Viewing it requires the audit.view capability. The view is organized into two tabs:

Timeline and Controls tabs

  • Timeline: the chronology of decisions, from most recent to oldest. Each row is an event with its status, rule, database, latency, and timestamp.
  • Controls: the mapping of recorded activity to compliance controls, meant for preparing audits and responding to assessors.

Filters and time window

The Timeline tab offers three ways to narrow what you see:

  • By status: filter across all, blocked, allowed, and warning.
  • Text search: searches over what is visible in the browser. Since the query text may be encrypted or normalized, search operates on what is shown, not on the encrypted content.
  • Time window: presets of 24h, 7d, 30d, 90d, and All to focus on the period you care about.

The time window you pick cannot recover events older than your plan's retention. Even if you select All, the server only returns events within the current retention window.

Retention by plan

How long audit trail events are kept depends on your plan. Retention is enforced on the server: events older than your plan's window are simply not returned in the query.

Plan Audit trail retention
Free 7 days
Builder 30 days
Team 90 days
Enterprise Configurable

If you need to keep evidence beyond your plan's window, export the audit trail periodically. A signed export stays valid even after the original events leave the retention window.

Export

You can export the audit trail as CSV or JSON. Export requires the Team plan or higher, through the audit.export capability.

Asynchronous export

Export is asynchronous: when you request it, Vericto generates the file in the background and makes it available for download once it is ready. For large exports this avoids blocking the interface while the file is prepared.

Reports signed with Ed25519

Exported reports are signed with Ed25519, so they are verifiable offline: anyone can confirm the file was not altered since Vericto generated it, without contacting our servers. The verification procedure is documented in detail in the report verification guide.

See Verify reports for the step by step of the offline Ed25519 signature verification.

Compliance: SOC2 and ISO 27001

The audit trail is designed as a source of evidence for compliance frameworks. Its immutability and per-decision traceability respond directly to the controls that SOC2 and ISO 27001 auditors assess.

  • Data access control: every blocked, allowed, or warning decision documents that access policies are applied consistently.
  • Traceability: the rule code and timestamp let you reconstruct which control acted and when, for any recorded query.
  • Exportable evidence: exports signed with Ed25519 serve as evidence you can hand to auditors, independently verifiable.

The dashboard's Controls tab helps align recorded activity with the specific controls your audit needs to cover.

Frequently asked questions

Can an audit trail event be edited or deleted?

No. The audit trail is immutable: events are not edited or deleted manually. Records stop being returned once they fall outside your plan's retention window, but while inside they remain exactly as recorded.

Why don't I see old events even when I select the All window?

Retention is enforced on the server. Even if you pick All, only events within your plan's window are returned: 7 days on Free, 30 on Builder, 90 on Team, and configurable on Enterprise. To keep more history, export periodically.

Who can view and who can export the audit trail?

Viewing the audit trail requires the audit.view capability. Exporting as CSV or JSON requires the audit.export capability, available on the Team plan or higher.

Why does text search not find some queries?

Text search runs client-side, over what is shown on screen. If the query text is encrypted or appears with normalized literals depending on the telemetry mode, search only matches what is visible, not the encrypted content.

How do I verify that an exported report was not altered?

Each export is signed with Ed25519 and verified offline with Vericto's public key. The full procedure is in the Verify reports guide.