DIREKT Audit Logging¶
Audit events¶
Mandatory for:
- sign-in/security changes;
- role/provider membership;
- evidence access;
- verification assignment/decision/override;
- field visit submission;
- public location consent/change;
- publication/suspension/reinstatement;
- complaint/enforcement/appeal;
- subscription/ledger adjustment;
- export;
- configuration change;
- account deletion/retention action.
Event shape¶
- event ID/type/version;
- actor and actor role;
- subject/resource;
- provider/tenant scope;
- timestamp;
- correlation/request ID;
- action outcome;
- reason code;
- safe changed-field summary;
- source/IP/device metadata only where justified;
- previous/new state references, not raw sensitive payload.
Integrity¶
Append-only application interface, restricted database permissions, retention and monitoring for gaps. Audit records are not edited to “fix” history; corrective event is appended.
Access¶
Role- and purpose-controlled. Viewing/exporting audit logs is itself audited.
Privacy¶
Do not log document content, OTPs, tokens, full identity numbers or exact coordinates unless a narrowly approved audit requirement exists.