TRACKLAYER · COMPLIANCE

Tamper-evident audit log.
Verify integrity in one click.

Every destination pause, schema drift, and configuration change is written to an immutable hash chain. SHA-256(prev_hash || material) prevents retroactive edits. SOC2-ready compliance proof.
THE SOC2 ANGLE
  • Audit trails are a SOC2 Type II requirement for SaaS that processes PII
  • Regulated customers demand verifiable logs — who changed what and when
  • Traditional logs can be edited or deleted without traceability
  • Hash chains provide mathematical proof that logs haven't been tampered with

TrackLayer's audit log is write-only. Events are appended, never modified. The verify endpoint recomputes the chain on demand; if a single hash doesn't match, the entire chain is flagged as compromised.

$ tracklayer audit verify --merchant m_abc123
// audit_events · hash chain verification
ae_9a2f1
prev_hash: null // genesis event
hash: h8f3a2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8
computed: ✓ matches
ae_9b3e2
prev_hash: h8f3a2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8
hash: ha1c5e9b2d3f4a5b6c7d8e9f0a1b2c3d4e5f6a7
computed: ✓ matches
✓ Chain integrity verified · 14,832 events · 0 breaks · last event 2026-04-23 14:02:11 UTC
§ 01

SHA-256 hash chain mechanics.

Each audit event stores prev_hash (hash of the prior event) and hash (SHA-256 of prev_hash || serialized_material). Material includes event_type, resource_id, actor, timestamp, and payload.
§ 01
Serialize material
JSON.stringify({ event_type, resource_id, actor, timestamp, payload })
§ 02
Compute hash
SHA-256(prev_hash || material). Genesis event uses null as prev_hash.
§ 03
Append event
Insert into audit_events with prev_hash, hash, material. prev_hash from last event.
§ 04
Verify chain
Recompute hash for each event. If computed !== stored.hash, chain is broken.
// hash computation · pseudocode
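interface AuditMaterial {
  event_type: string;
  resource_id: string;
  actor: string;
  timestamp: string;
  payload: Record<string, unknown>;
}

async function computeHash(prevHash: string | null, material: AuditMaterial): Promise<string> {
  // Key order is part of the hashed bytes, so keep this field order fixed.
  const serialized = JSON.stringify({
    prev_hash: prevHash,
    event_type: material.event_type,
    resource_id: material.resource_id,
    actor: material.actor,
    timestamp: material.timestamp,
    payload: material.payload,
  });
  // digest() needs bytes and resolves to an ArrayBuffer; hex-encode the result.
  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(serialized));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Genesis event (first in chain)
const genesis = await computeHash(null, {
  event_type: 'account_created',
  resource_id: 'm_abc123',
  actor: 'system',
  timestamp: '2026-01-01T00:00:00Z',
  payload: { plan: 'pro', region: 'eu-west-1' }
});
// hash = h8f3a2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8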
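The append and verify steps above as runnable Node.js, added here as an example and not TrackLayer's own code. It assumes the field order of the page's computeHash(), hex-encoded digests, and hypothetical names (`appendEvent`, `verifyChain`, the `broken` status, the `breaks` list); the sample events are constructed.

```javascript
const { createHash } = require('crypto');

// Field order follows the page's computeHash(); writer and verifier must serialize identically.
function computeHash(prevHash, m) {
  const serialized = JSON.stringify({
    prev_hash: prevHash, event_type: m.event_type, resource_id: m.resource_id,
    actor: m.actor, timestamp: m.timestamp, payload: m.payload,
  });
  return createHash('sha256').update(serialized, 'utf8').digest('hex');
}

// Append: link to the stored hash of the current last event (null for genesis).
function appendEvent(chain, eventId, material) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : null;
  const hash = computeHash(prevHash, material);
  chain.push({ event_id: eventId, prev_hash: prevHash, hash, material });
}

// Verify: every event must point at its predecessor's stored hash, and its own
// stored hash must equal the recomputed one. 'broken' and 'breaks' are assumed names.
function verifyChain(chain) {
  const breaks = [];
  let expectedPrev = null;
  for (const ev of chain) {
    if (ev.prev_hash !== expectedPrev) {
      breaks.push({ event_id: ev.event_id, reason: 'prev_hash_mismatch' });
    } else if (computeHash(ev.prev_hash, ev.material) !== ev.hash) {
      breaks.push({ event_id: ev.event_id, reason: 'hash_mismatch' });
    }
    expectedPrev = ev.hash;
  }
  return { chain_status: breaks.length ? 'broken' : 'valid',
           total_events: chain.length, break_count: breaks.length, breaks };
}

// Constructed sample events (not real TrackLayer data).
function sampleChain() {
  const mk = (event_type, resource_id, timestamp, payload) =>
    ({ event_type, resource_id, actor: 'system', timestamp, payload });
  const chain = [];
  appendEvent(chain, 'ae_0001', mk('account_created', 'm_example', '2026-01-01T00:00:00Z', { plan: 'pro' }));
  appendEvent(chain, 'ae_0002', mk('destination_pause', 'dest_example', '2026-01-02T00:00:00Z', { reason: 'manual' }));
  appendEvent(chain, 'ae_0003', mk('config_change', 'dest_example', '2026-01-03T00:00:00Z', { field: 'region' }));
  return chain;
}

const edited = sampleChain();
edited[1].material.payload.reason = 'rewritten'; // in-place edit, hash left stale
console.log(verifyChain(sampleChain()).chain_status, verifyChain(edited).breaks);
```

An in-place edit is reported as `hash_mismatch` on the edited event. An edit whose hash was recomputed, or a deleted event, is reported as `prev_hash_mismatch` on the event that follows.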
§ 02

Per-merchant advisory lock.

Enterprise customers can enable write protection on audit events. Once locked, no actor (including system_worker) can append events without unlocking via the advisory key.
// merchants · advisory_lock_enabled
merchant_id | advisory_lock_enabled | advisory_key_hash | locked_at  | locked_by
------------+-----------------------+-------------------+------------+--------------
m_abc123    | true                  | h7d2e8f...        | 2026-04-15 | admin_user_42
m_def456    | false                 | null              | null       | null

// Attempting to append without unlock key
POST /v1/audit/events
{
  "merchant_id": "m_abc123",
  "event_type": "destination_pause",
  "resource_id": "tiktok_abc123",
  ...
}
→ 403 Forbidden: advisory lock enabled. Provide advisory_key header.

Advisory lock is optional for Pro+ and required for Enterprise contracts with compliance SLAs. Lock key is generated once at enablement and hashed for storage. Unlocking requires the original key.
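One way to implement the key handling described above, as an added example rather than TrackLayer's implementation. It assumes SHA-256 as the storage hash and a hex-encoded key; `enableAdvisoryLock` and `authorizeAppend` are hypothetical names, while the column names and the missing-key 403 message follow the page.

```javascript
const { randomBytes, createHash, timingSafeEqual } = require('crypto');

// A fast hash is acceptable here only because the key is 256 random bits,
// not a human-chosen secret. SHA-256 is an assumption, not from the page.
const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Enablement: generate the key once, persist only its hash, and hand the key
// back to the caller a single time.
function enableAdvisoryLock(merchant, lockedBy, now = new Date()) {
  const key = randomBytes(32).toString('hex');
  merchant.advisory_lock_enabled = true;
  merchant.advisory_key_hash = sha256(key).toString('hex');
  merchant.locked_at = now.toISOString();
  merchant.locked_by = lockedBy;
  return key;
}

// Gate in front of POST /v1/audit/events.
function authorizeAppend(merchant, headers) {
  if (!merchant.advisory_lock_enabled) return { status: 200 };
  const presented = headers['advisory_key'];
  if (typeof presented !== 'string' || presented.length === 0) {
    return { status: 403, error: 'advisory lock enabled. Provide advisory_key header.' };
  }
  const stored = Buffer.from(merchant.advisory_key_hash || '', 'hex');
  // Compare fixed-length digests in constant time; timingSafeEqual throws on
  // unequal lengths, so a malformed stored hash is rejected first.
  const ok = stored.length === 32 && timingSafeEqual(sha256(presented), stored);
  // The wording of this second error is an assumption.
  return ok ? { status: 200 } : { status: 403, error: 'invalid advisory key' };
}

// Constructed sample row shaped like the merchants table above.
const merchant = { merchant_id: 'm_example', advisory_lock_enabled: false,
                   advisory_key_hash: null, locked_at: null, locked_by: null };
const issuedKey = enableAdvisoryLock(merchant, 'admin_example');
console.log(authorizeAppend(merchant, {}).status,
            authorizeAppend(merchant, { advisory_key: issuedKey }).status);
```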

§ 03

GET /v1/audit/verify endpoint.

Verify chain integrity on demand. Returns chain status, break count, and list of broken events if any.
# verify audit chain via API
curl -H "Authorization: Bearer $TRACKLAYER_API_KEY" \
  "https://tracklayer-api.sublime.workers.dev/v1/audit/verify?merchant_id=m_abc123"

# Response
{
  "merchant_id": "m_abc123",
  "chain_status": "valid",
  "total_events": 14832,
  "break_count": 0,
  "first_event": "ae_9a2f1",
  "last_event": "ae_9b4e3",
  "last_verified_at": "2026-04-23T14:02:11Z"
}

The verify endpoint can be called from CI/CD pipelines, by SOC2 auditors, or from the dashboard UI. It is read-only and modifies no state. Use it to prove log integrity during compliance audits.

§ 04

Dashboard verify UI.

One-click verification from the audit log page. Visual chain view shows event sequence with hash links.
/audit · verify · m_abc123
CHAIN STATUS: ✓ VALID
TOTAL EVENTS: 14,832
BREAK COUNT: 0
LAST VERIFIED: 2026-04-23 14:02:11 UTC
LATEST 5 EVENTS · VIEW FULL CHAIN →
ae_9b4e3 · destination pause · 14:02:11
ae_9b3e2 · schema drift · 14:01:58
ae_9b2e1 · config change · 14:01:45
§ 05

Weekly R2 export (optional).

Grant token permissions and TrackLayer exports audit_events to your private R2 bucket weekly. Export includes full chain material for offline verification.
// r2_exports · configured buckets
bucket_path                    | export_schedule    | last_exported_at    | event_count
-------------------------------+--------------------+---------------------+------------
tracklayer-audit-abc123/backup | weekly (sun 02:00) | 2026-04-20 02:01:23 | 14,732

// Export file structure
backup/2026/04/20/audit-events-m_abc123-2026-04-20.json
{
  "merchant_id": "m_abc123",
  "exported_at": "2026-04-20T02:01:23Z",
  "events": [
    { "event_id": "ae_9a2f1", "prev_hash": null, "hash": "h8f3...", ... },
    { "event_id": "ae_9b3e2", "prev_hash": "h8f3...", "hash": "ha1c...", ... },
    ...
  ]
}

Exports are gzip-compressed and stored under a merchant-specific prefix. Retention policy is 90 days. Configure exports in Settings → Compliance → Audit Export.
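An added example (not TrackLayer's code) of using an export as an independent anchor: recomputing hashes only shows that a chain is internally consistent, while comparing it with an earlier export also catches history that was rewritten with fresh hashes. `loadExport`, `compareWithExport` and the result fields are hypothetical names; the sample data is constructed.

```javascript
const zlib = require('zlib');

// Exports are gzip-compressed JSON in the structure shown above.
function loadExport(gzBuffer) {
  const doc = JSON.parse(zlib.gunzipSync(gzBuffer).toString('utf8'));
  if (!Array.isArray(doc.events)) throw new Error('export has no events array');
  return doc;
}

// The export must be an unchanged prefix of the live chain: same event at each
// position with the same prev_hash and hash. Result field names are assumptions.
function compareWithExport(exportDoc, liveEvents) {
  const divergences = [];
  exportDoc.events.forEach((exp, i) => {
    const live = liveEvents[i];
    if (!live || live.event_id !== exp.event_id) {
      divergences.push({ event_id: exp.event_id, reason: 'missing_or_reordered' });
    } else if (live.hash !== exp.hash || live.prev_hash !== exp.prev_hash) {
      divergences.push({ event_id: exp.event_id, reason: 'hash_changed' });
    }
  });
  return { consistent: divergences.length === 0, divergences,
           new_since_export: Math.max(0, liveEvents.length - exportDoc.events.length) };
}

// Constructed sample data; the short hash strings are placeholders, not digests.
const e = (event_id, prev_hash, hash) => ({ event_id, prev_hash, hash });
const exportedGz = zlib.gzipSync(JSON.stringify({
  merchant_id: 'm_example', exported_at: '2026-01-04T02:00:00Z',
  events: [e('ae_0001', null, 'aaaa'), e('ae_0002', 'aaaa', 'bbbb')],
}));
// Live chain that only grew since the export.
const liveAppended = [e('ae_0001', null, 'aaaa'), e('ae_0002', 'aaaa', 'bbbb'),
                      e('ae_0003', 'bbbb', 'cccc')];
// Live chain rewritten from ae_0002 onward with new, self-consistent links.
const liveRewritten = [e('ae_0001', null, 'aaaa'), e('ae_0002', 'aaaa', 'dddd'),
                       e('ae_0003', 'dddd', 'eeee')];

console.log(compareWithExport(loadExport(exportedGz), liveAppended));
console.log(compareWithExport(loadExport(exportedGz), liveRewritten));
```

Keep at least one export copy somewhere the writer of the live log cannot modify, otherwise the anchor can be rewritten along with the chain.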

// HOW IT COMPARES

Other tools vs TrackLayer Audit Trail.

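CAPABILITY                             | TRACKLAYER | Stape | Elevar
---------------------------------------+------------+-------+-------
Hash-chained audit log                 |            |       |
SHA-256(prev_hash || material)         |            |       |
Verify endpoint (GET /v1/audit/verify) |            |       |
Dashboard chain view                   |            | ~     | ~
Per-merchant advisory lock             |            |       |
Weekly R2 export                       |            | ~     | ~
SOC2-ready evidence                    |            | ~     | ~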
// AVAILABLE ON

Pro+ and Enterprise.

Audit trail is part of the Pro+ tier ($599/mo). Enterprise adds advisory lock, R2 export, and dedicated compliance audit support.
PRO+ · $599/mo | ENTERPRISE · custom
§ A

SHA-256 hash chain

prev_hash || material prevents retroactive edits.

§ B

Verify endpoint

GET /v1/audit/verify returns chain status.

§ C

Dashboard UI

One-click verification with visual chain view.

§ D

Weekly R2 export

Optional export to private bucket for offline proof.

NEXT

Prove log integrity.
Pass SOC2 audits.

14-day free trial on the Pro+ plan. Audit trail runs from your first event. No credit card.
PRO+ · $599/MO · 14-DAY TRIAL · NO CC · CANCEL ANYTIME
