Security

Logging and Audit Trails: Building for Compliance from Day One

7 min read

Adding audit logging retroactively is one of the most painful engineering projects a team can take on. Every code path that touches sensitive data needs to be threaded with logging. Database schemas need new columns. Event pipelines need to be built. Old data is lost forever.

Building it from day one is barely additional work. Here is the model that scales from MVP to SOC 2 to SOC 2 + HIPAA + HITRUST without needing to be redone.

What audit logs are actually for

Three audiences. Each one wants different information from the same underlying data.

Compliance auditors. Who accessed what data, when, from where. Used during SOC 2, HIPAA, ISO 27001 audits to demonstrate access controls work as documented.

Security incident response. When something looks suspicious, the audit log is how you reconstruct what happened. Did the attacker access customer data? Which records? When?

Customer trust. Increasingly, enterprise customers want to export their own audit logs to their SIEM. Their security teams use this for their own monitoring and compliance.

The schema that works

Every audit log entry needs the same six fields:

  • Actor. Who did the thing. User ID, service account ID, system process. Include the auth method (password, SSO, API key).
  • Action. What they did. Use a controlled vocabulary, not free text. "user.login", "customer_record.read", "billing.update". Stable across versions.
  • Resource. What they did it to. Type plus ID. "customer:cust_abc123".
  • Outcome. Success or failure. If failure, the reason.
  • Timestamp. ISO 8601 with timezone, microsecond precision.
  • Context. IP, user agent, request ID, session ID. Whatever is useful for reconstructing the request.

Optional but valuable: the before/after state for mutations, the request ID linking the audit log to your application logs, a hash of the previous audit entry for tamper-evidence.

What to actually log

Not everything. Logging every read of every record drowns the signal in noise.

Always log:

  • Authentication events (login, logout, MFA challenge, password change).
  • Authorization changes (role granted, permission updated).
  • Access to sensitive data (customer PII, financial records, PHI).
  • Mutations to important state (customer record updates, billing changes, configuration changes).
  • Administrative actions (impersonation, data export, account deletion).
  • Failed authentication or authorization attempts.

Do not log every page view, every API call, every routine read. Those belong in application logs, not audit logs. The audit log is for the things that matter for compliance and security investigation.

Storage and retention

Audit logs go to a separate, append-only store. Not the same database as your application data. The two key properties are: hard to tamper with, easy to query for audit and incident purposes.

The pattern that works: write audit events to a queue (Kinesis, SQS, Kafka), have a consumer that writes them to an immutable store (S3 with object lock, dedicated audit log database with restricted write access). Index the events for query in something searchable (OpenSearch, ClickHouse, BigQuery).

Retention varies by framework:

  • SOC 2: typically 1 year minimum, your auditor will define.
  • HIPAA: 6 years for records related to PHI.
  • PCI DSS: 1 year minimum, 3 months immediately accessible.
  • GDPR: as long as needed for stated purpose, no fixed minimum.

The pragmatic answer for a multi-framework startup is 7 years to cover everything.

What to give customers

Enterprise customers will eventually ask for their audit logs. Plan for it. The minimum: an API or export that returns their audit events in a defined format (JSON or CSV), filterable by date range. The customer should not need to ask support to get their own audit log.

For larger enterprise customers, support real-time streaming to their SIEM. SCIM-style standards exist; pick one that fits your customer base.

Tamper evidence

For higher-trust environments, audit logs should be tamper-evident. The pragmatic approach: each entry includes a hash of the previous entry, forming a chain. Anyone with the chain can verify no entries were modified or deleted in the middle. This is cheap to implement and meaningful for security investigations.

Building for compliance?

We help engineering teams design audit logging that satisfies SOC 2, HIPAA, and enterprise customer requirements without becoming a maintenance burden.

Get an architecture review

Not ready for a call? Same.

Get the playbook, not a sales pitch

If this was useful, Jacob sends a few short, practical notes on locking down your startup without a big security team. No fluff, unsubscribe in one click. Just reply if you want to talk; it reaches him directly.

From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.

// keep reading

You may also like

Security

Case Study: Zero to SOC 2 Type II for a Venture-Backed Startup

A venture-backed security startup needed SOC 2 Type II to unlock enterprise deals. Here is how we implemented 76 controls, a multi-layer change-approval flow, and a 60+ asset security audit across a team of 15, and passed the audit.

May 20, 2026 · 9 min read
Security

What to Do in the First 72 Hours After a Data Breach

The clock starts the moment you discover the breach. Here is a step-by-step playbook for the first 72 hours, from containment to customer communication.

Mar 21, 2026 · 8 min read
Security

We Failed Our SOC 2 Audit. Here's What We Did Next

Failing a SOC 2 audit feels like a disaster. It is not. Here is how one startup turned a failed audit into a stronger security posture in 90 days.

Mar 20, 2026 · 7 min read

Need help with any of this?

We help startups build secure, scalable infrastructure. Book a free strategy call and let\'s talk about your stack.

Book a free consultation