Logging & retention
Last reviewed 2026-05-18
Log categories and retention
| Category | Source | Retention | Access | Purpose |
|---|---|---|---|---|
| Audit log | Firestore auditLog (append-only) | 2 years | Security Officer, admins (read-only UI) | Forensics, compliance, access reviews |
| AI call audit | Firestore aiCallAudit (metadata only: no prompts/completions) | 1 year | Security Officer, Privacy Officer / data-protection contact | AI governance, anomaly detection |
| Security audit monitor runs | Firestore securityAuditMonitorRuns | 365 days | Security Officer | Hourly audit-log anomaly-monitor evidence |
| Application error logs | Sentry | 90 days | Engineering | Debugging, performance |
| Performance traces | Sentry (10% sample) | 90 days | Engineering | Performance |
| Platform logs | Vercel logs, plus an enabled Vercel log drain to Sentry for selected production/preview sources | Vercel vendor retention; Sentry retention 90 days | Security Officer, Engineering | Ops visibility |
| Firebase Auth logs | GCP Logging | 400 days (GCP default) | Security Officer | Auth forensics |
| Stripe webhook logs | Stripe dashboard | 180 days | Engineering | Payment ops |
| Mail delivery logs | SendGrid dashboard | 30 days activity + 90 days suppressions | Security Officer, Engineering | Deliverability |
| Deleted-user audit | Firestore deleted_users | 365 days | Security Officer | Fraud / abuse detection, restoration |
| Recovery snapshots | Firestore deleted_account_snapshots | 30 days | Automated only | Accidental-deletion recovery |
| Account-deletion feedback | Firestore deleted_account_feedback | 365 days | Privacy Officer / data-protection contact + Product | Churn signal |
| Break-glass log | Internal record | Permanent | Security Officer | Governance |
| Incident post-mortems | Internal record | Permanent | Security Officer | Lessons learned |
PII handling in logs
- Sentry has beforeSend hooks that scrub known PII fields (email, resume, contact names) before transmission.
- Audit log records user IDs (UIDs), never prompts or resume content.
- AI call audit records metadata (tokens, duration, model) and a hash of the prompt, never the prompt itself.
- Vercel request logs contain URLs and headers; we avoid putting PII in URLs (use POST bodies or opaque IDs).
- Mail logs contain recipient email (Confidential): retained by SendGrid per their policy.
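
A sketch of the kind of beforeSend scrubber described in the list above, as an added example rather than the project's actual hook. The key names, the `[Filtered]` marker and the redaction of email addresses inside free text (which goes beyond key-based scrubbing) are assumptions.

```javascript
// Added example. Key list and marker are assumptions, not the project's scrub list.
const PII_KEY = /^(email(_?address)?|resume(_?text)?|contact_?names?)$/i;
const EMAIL_IN_TEXT = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const MARK = "[Filtered]";

// Returns a scrubbed copy: values under PII keys are replaced whole, and
// email addresses embedded in any other string (messages, URLs) are masked.
function scrub(value, seen = new Map()) {
  if (typeof value === "string") return value.replace(EMAIL_IN_TEXT, MARK);
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return seen.get(value); // cycle guard
  const copy = Array.isArray(value) ? [] : {};
  seen.set(value, copy);
  for (const [key, inner] of Object.entries(value)) {
    copy[key] = PII_KEY.test(key) ? MARK : scrub(inner, seen);
  }
  return copy;
}

// Sentry calls beforeSend with the event; returning null drops it.
// Fail closed: if scrubbing throws, drop the event instead of sending it raw.
function beforeSend(event) {
  try {
    return scrub(event);
  } catch (err) {
    return null;
  }
}

// Wiring (DSN is a placeholder): Sentry.init({ dsn: "<your-dsn>", beforeSend });

// Constructed sample event, not real data.
const sampleEvent = {
  message: "Failed to send invite to jane.doe@example.com",
  user: { id: "uid_123", email: "jane.doe@example.com" },
  extra: { resume: "10 years of ...", contactNames: ["A. Smith"], attempt: 2 },
  breadcrumbs: [{ message: "POST /api/invite", data: { email: "x@example.com" } }],
};
console.log(JSON.stringify(beforeSend(sampleEvent), null, 2));
```

A key-based scrubber only covers the field names it knows, so new PII-bearing fields need to be added to the list when they are introduced.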
Tamper resistance
- The Firestore audit log is append-only at the rules layer: client SDK writes, updates, and deletes are denied for all users (including administrators); only server-side admin SDK code can write. The same no-client-write posture applies to the AI call audit and the security-monitor-run collections.
- Firestore rules prevent client-side audit-log mutation. Firestore PITR and managed daily backups are enabled in live GCP and can support recovery within their retention windows.
- Sentry data and Vercel drained logs are tamper-resistant at the vendor level.
Time synchronization
- Server clocks use the hosting platform's NTP synchronization (Vercel + GCP): sub-second accuracy.
- Timestamps in audit log use UTC.
Export to customers
- The self-service account export includes the user's profile, user-owned subcollections, subscription row, linked authentication/session records, and user-specific auditLog and aiCallAudit rows.
- securityAuditMonitorRuns stores monitor metadata and hashed actor/IP identifiers for findings; it is internal operating evidence, not a customer-facing event log.
- Institution-scoped audit-log export and SIEM integration are available on enterprise engagement.
Alerting
- Sentry: issue alerting and the Sentry safety-net GitHub workflow are configured for production error visibility.
- Audit-log anomaly monitoring runs hourly and queries the audit log for failed MFA bursts, MFA disablement, high admin mutation volume, all-session revocation bursts, and emergency-change creation. Findings are retained in the security-monitor-run collection and reported to Sentry.
- Stripe webhook failures route through the application's webhook error handling and notification workflows.
- Log-pipeline failures (e.g., missing audit-log writes) are captured to Sentry.
Retention enforcement
- A scheduled retention enforcement job runs daily and enforces TTLs for short-lived records and timestamp cutoffs for the audit log and the AI call audit.
- Longer retention targets currently enforced by the same runner: audit log 2 years, AI call audit 1 year, security-monitor-runs 365 days, and deleted-user records 365 days.
- Vercel + Sentry retention is vendor-configured.
Review
The retention policy is reviewed annually. A quarterly sanity check in the internal audit confirms that:
- Cron enforcement is running (see its log)
- Audit-log volume matches expected activity
- Sentry ingest is operating