Documentation
Audit log
Append-only, tamper-evident record of every action in your tenant.
Last updated May 10, 2026
Every action that affects compliance state is recorded. The log is append-only and tamper-evident.
What's logged
- User events: sign in, sign out, role change, GitHub re-auth.
- Repo events: connected, disconnected.
- Scan events: requested, started, completed, failed.
- Document events: generated, requested-review, approved, published, archived (N-of-M approvals captured per signer).
- Subprocessor events: added, modified, removed; Art. 28(2) objection events from the public objection page.
- DPA events: signed, version diff sent.
- Webhook events: delivered, failed, replayed.
- Assistant events:
assistant.message(one per turn),assistant.tool.proposed,assistant.tool.<name>for each confirmed mutating action,trust_qna.questionfor every public Q&A turn. Conversation contents are committed to the chain via redacted-content hashes — seeassistant/privacy-and-budget. - Settings events:
settings.assistant.update,settings.trust_qna.update, license-policy edits, BYO-LLM configuration, custom-domain changes.
Tamper evidence
Each entry includes the SHA-256 of the previous entry, forming a hash
chain. The current head hash is published on your trust center at
/audit-head.txt. The export PDF / JSON additionally carries an
Ed25519 signature over the head hash so auditors can verify the chain
and attribute it to your tenant's signing key without trusting our
servers.
Offline verification
npx @attestly/audit-cli verify ./audit-export.json
# ✓ chain ok (12,478 entries) head=4c91…ff03 signature=valid
The CLI is open-source under packages/audit-cli/ — share it with
your auditor, no Attestly account needed.
Retention
13 months by default. Extendable to 7 years on Enterprise.
Export
Settings → Audit Log → Export. CSV, JSON, or PDF. The PDF includes the head hash and the Ed25519 signature; the JSON additionally includes the chain prefix the verifier needs.
Programmatic access
curl https://api.attestly.dev/v1/audit \
-H "Authorization: Bearer $ATTESTLY_API_KEY" \
-G --data-urlencode "since=2026-01-01"
Returns NDJSON, one event per line. Paginate with the next cursor
in the last line of each page.