Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Matproof’s Audit Trail (/[orgId]/audit-trail) records every action taken across your compliance program in an immutable, tamper-proof log. This gives you full visibility into platform activity and provides the evidence trail that regulators and external auditors expect.
Audit trail entries cannot be edited or deleted. This is by design — any modification would compromise its integrity as evidence.

What gets logged

Every significant action in Matproof creates an audit trail entry:
CategoryActions captured
PoliciesCreated, updated, published, reviewed, archived
EvidenceUploaded, linked to control, deleted, expiry changed
ControlsStatus changed, owner reassigned, framework mapping updated
UsersInvited, role changed, removed
VendorsAdded, risk assessment updated, removed
SettingsOrganisation settings changed, SSO configured, integrations added
Audit programsCreated, finding logged, report generated
Risk registerRisk created, score updated, treatment changed
Each entry records:
  • Timestamp — exact date and time (UTC)
  • User — who performed the action
  • Action type — what they did
  • Object type — what was affected (policy, control, user, etc.)
  • Object ID — the specific record
  • Details — before/after values where applicable

Filtering and searching

Use the filter bar to narrow the audit trail:
FilterOptions
Date rangeCustom start/end date
UserFilter by specific team member
Action typee.g. evidence_uploaded, control_status_changed
Object typePolicy, Control, Evidence, User, Vendor, etc.
You can combine filters — for example, show all evidence uploads by a specific user in the last 30 days.
When preparing for an external audit, filter by date range and export the relevant window. Auditors typically want to see activity for the period under review.

Exporting for auditors

The full audit trail — or any filtered view — can be exported as CSV. To export:
  1. Apply any filters needed to scope the export
  2. Click Export CSV in the top right
  3. The file downloads with all visible columns: timestamp, user, action, object type, object ID, details
This CSV is commonly requested by:
  • DORA supervisors during ICT risk examinations
  • ISO 27001 certification auditors reviewing access and change controls
  • Internal audit teams conducting periodic reviews

Data retention

Audit trail data is retained for a minimum of 5 years.
DORA Art. 12 requires financial entities to retain logs for a minimum of 5 years. ISO 27001 Annex A 8.15 requires logging and monitoring of system activities. Matproof’s default retention satisfies both requirements.

Why it matters for compliance

DORA (Digital Operational Resilience Act) DORA requires financial entities to maintain logs of ICT-related activities and provide them to competent authorities on request. The audit trail covers ICT risk management actions, user access changes, and system configuration events. ISO 27001 Annex A 8.15 — Logging ISO 27001 requires that logs record user activities, exceptions, and information security events. The audit trail provides this evidence across your compliance program operations. ISO 27001 Annex A 8.16 — Monitoring activities The ability to filter, review, and export activity logs supports the monitoring controls required under ISO 27001.
If you are subject to DORA examination, regulators may request the audit trail for a specific time window with short notice. Keep exports current and make sure your team knows how to generate them.