Audit Log
The EDS maintains a metadata-only audit log for every job. The audit log contains no content — only job lifecycle events with timestamps. It is retained for 12 months regardless of the job's TTL tier.
Schema
{
"job_id": "uuid",
"tenant_id_hashed": "sha256(tenant_id + salt)",
"tier": "ephemeral | retained",
"modules": ["ALZ", "AKS"],
"created_at": "ISO8601",
"collection_written_at":"ISO8601",
"assessment_read_at": "ISO8601",
"report_delivered_at": "ISO8601",
"deleted_at": "ISO8601 | null",
"deletion_trigger": "ttl_expiry | client_request | null",
"quality_score": 87,
"error_count": 2,
"collection_duration_s":48
}
Privacy Design
The tenant ID is stored as a salted SHA-256 hash. The plaintext tenant ID is not retained after job deletion. This means:
- The audit log provides operational visibility without exposing client identity
- CYC operations can verify "a job ran and was deleted" without knowing which specific client it was
- In the event of an audit log leak, tenant identities cannot be reconstructed without the salt
Retention Policy
| Data | Retention period | Reason |
|---|---|---|
| Audit log metadata | 12 months | Operational oversight, compliance |
| Encrypted content files | Per TTL tier (48hr or 90 days) | Privacy by design |
| Plaintext tenant ID | Not retained after job deletion | Privacy by design |
What the Audit Log Is Not
The audit log is not a system log, an application log, or a debug trace. Those are separate and do not contain any client-identifiable information or data content. The audit log is specifically the compliance-oriented record that answers: "did this job run, when, and was data deleted on schedule?"