Audit logs: a tamper-evident history of every change

Audit logs in Deskwoot are an immutable, append-only record of every privileged action in your workspace. They answer the question "who did what, when, and from where" without trusting any individual admin not to delete the trace afterwards. Audit logs are the backbone of SOC 2 access-control evidence, GDPR Article 28 processor recordkeeping, and any internal incident-response process where you need to reconstruct a sequence of changes after the fact.

What gets logged

Every action that mutates account, agent, conversation, or integration state writes an audit row. The current event coverage:

• Identity: login (success + failure), 2FA enable / disable, password reset, recovery-code generation, session revocation.
• Agents and roles: agent invite, accept, suspend, delete; role change (Administrator / Agent / custom role); team membership change.
• Billing: plan change, agent-seat change, top-up, auto-recharge trigger, refund, subscription cancel.
• Conversations: delete, merge, reassign, status change (resolved / reopened), label add / remove, manual SLA override.
• Configuration: inbox create / delete, automation rule create / edit / disable, macro change, canned-response edit, business-hours change, SLA policy change.
• AI and Bot: bot enable / disable, BYOK API-key change, training-source add / delete.
• Integrations: Stripe / Shopify / WooCommerce / Slack / Zapier connect and disconnect.
• Translation charges: every Help Center article translation that was billed against the prepaid balance.

What each log entry contains

One audit row carries: timestamp (UTC), actor user-id and email at time of action, action name, target type and id, before/after JSON diff for the affected fields, source IP address, user agent, and the request id we use to correlate with our application logs if you ever need to trace through to a specific HTTP call. The JSON diff lets you see exactly what changed — useful when the question is "did someone widen a custom role's permissions" rather than just "did someone touch this role".

Why "immutable"

Audit log rows have no UPDATE or DELETE path from the application layer. Even an Administrator can't redact an entry: there's no UI button, no API route, and the database role used by the app server has no DELETE privilege on the audit table. If you need to remove personal data for a GDPR erasure request, we provide a separate hashed-redaction path that nulls the email field while preserving the action chain — so the record of what happened survives even when the who is removed.

Searching and exporting

From Settings → Audit Logs you can filter by actor, action type, target object, and date range. Common views: "everything user X did in the last 30 days", "every conversation that was deleted last quarter", "every billing change this year". Export to CSV for compliance reports.

Webhook stream for SIEM

If you forward audit logs to a SIEM (Datadog, Splunk, Sumo Logic, Elastic), enable the audit-log webhook and we push each event in near-real-time. Each delivery is signed; subscribers verify the HMAC before accepting. This is what enterprise teams plug into their existing detection-rule pipeline.

Retention

Audit logs are retained for the lifetime of your account on the Enterprise plan. Lower plans don't have audit logs at all (no partial-history confusion). If you want longer retention than your subscription, export periodically to CSV or stream to your own SIEM.

Plan availability

Available on the Enterprise plan. The lower plans don't get a partial audit log because a partial audit log is worse than no audit log: it implies coverage that doesn't actually exist.

Typical compliance use cases

• SOC 2 access control evidence: point your auditor at the search filter "action = role_changed" to enumerate every privilege change in the audit window.
• ISO 27001 A.12.4 logging: the immutability + signed-export combination satisfies the standard's tamper-evident requirement.
• GDPR Article 28 processor recordkeeping: the audit log is the canonical record of what the controller (you) instructed Deskwoot (us) to do with personal data.
• Incident response: "Did anything weird happen between 14:00 and 15:00 UTC?" — open the audit log, scroll the window, look for unfamiliar actors or unusual action types.