Audit and Logging Policy
This policy defines baseline logging controls for systems that store, process, transmit, or provide access to customer data.
Objectives
Section titled “Objectives”- Detect unauthorized access and anomalous behavior
- Support incident response, root-cause analysis, and forensics
- Provide evidence for operational, compliance, and customer assurance needs
Required Event Coverage
Section titled “Required Event Coverage”Audit logs should capture, as applicable:
- Event timestamp
- Actor or service identity
- Event type and target resource
- Success or failure outcome
- Source context such as IP address or device identifier where available
Authentication and Authorization Events
Section titled “Authentication and Authorization Events”- Sign-in attempts (success and failure)
- Session and credential lifecycle events
- Account creation, disablement, and role or permission changes
- Privileged access usage and administrative actions
System and Security Events
Section titled “System and Security Events”- Significant service health events, failures, and restarts
- Configuration and policy changes
- Security detections, alert state changes, and response actions
- Audit log access, modification attempts, or deletion attempts
Log Protection and Integrity
Section titled “Log Protection and Integrity”- Logs are managed through platform-provided logging infrastructure (for example Supabase and Netlify) and centralized where feasible.
- Access to logs is restricted to authorized personnel with a documented need.
- Logs are protected against unauthorized modification or deletion using platform controls.
- Logs in transit and at rest are encrypted using provider-managed encryption.
Monitoring and Review
Section titled “Monitoring and Review”- Security-relevant logs are reviewed on a regular operational cadence.
- Alerting is configured for high-risk events, with findings triaged as they occur.
- Review findings are used to tune detections and improve controls over time.
Retention
Section titled “Retention”- Retention periods are defined by legal, contractual, and operational requirements.
- At retention end-of-life, logs are disposed of according to approved data destruction practices.
For details on what telemetry and operational data is collected, see Telemetry & Data Egress. For kiosk monitoring signals, see Uptime, Availability & Monitoring.