Audit Log
Feature Detail
Description
The Audit Log feature records a tamper-evident, chronological trail of all significant actions performed within the Meander platform — including user logins, data modifications, role changes, export operations, and administrative actions. Each log entry captures who performed the action, what was changed, when it occurred, and from which context (organization, IP, device). The log is queryable and filterable by date range, user, action type, and organization, supporting both operational review and compliance auditing.
Analysis
Audit logging is a non-negotiable compliance requirement for organizations handling personal data under GDPR and for recipients of Bufdir public funding, who are subject to inspection and accountability obligations. Without an audit log, Meander cannot credibly offer data processing agreements (DPAs) to customer organizations or pass due-diligence reviews by their legal and IT departments. Beyond compliance, the audit log provides critical forensic capability: when a dispute arises over who approved an expense, deleted a contact record, or changed a user's role, the log is the authoritative source of truth. This protects both Norse Digital Products and its customers from liability and reputational risk.
All write operations across the API layer emit audit events via a centralized AuditLogService, which inserts records into the audit_logs table (with foreign keys to users and organizations) within the same database transaction as the business operation, so that no action succeeds without a corresponding log entry. Log entries are append-only: no update or delete operations are permitted on this table at the application layer (enforced by the absence of DELETE/UPDATE routes and a database-level policy). The admin portal provides a paginated, filterable Audit Log Page using server-side rendering with cursor-based pagination for performance on large datasets. Log export (CSV/JSON) is available for Org Admins, scoped to their organization, and for Global Admins across all orgs. Log retention policy (e.g., 24 months) is configurable per organization.
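The same-transaction, append-only design described above, as an added sketch that is not Meander's code: SQLite triggers stand in for the unspecified database-level policy, and the contacts table, the audit_logs columns, rename_contact and tamper_blocked are assumed names.

```python
import sqlite3

# Assumed schema: the page names audit_logs but not its columns.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE audit_logs (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id    INTEGER NOT NULL,
    org_id     INTEGER NOT NULL,
    action     TEXT NOT NULL,
    detail     TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Database-level append-only policy: reject every UPDATE and DELETE.
CREATE TRIGGER audit_logs_no_update BEFORE UPDATE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
CREATE TRIGGER audit_logs_no_delete BEFORE DELETE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def rename_contact(db, user_id, org_id, contact_id, new_name):
    """Business write and audit insert in one transaction: both commit or neither."""
    with db:  # commits on success, rolls back if anything below raises
        cur = db.execute(
            "UPDATE contacts SET name = ? WHERE id = ?", (new_name, contact_id))
        if cur.rowcount != 1:
            raise LookupError("contact not found")
        db.execute(
            "INSERT INTO audit_logs (user_id, org_id, action, detail) "
            "VALUES (?, ?, ?, ?)",
            (user_id, org_id, "contact.rename", f"contact_id={contact_id}"))

def tamper_blocked(db, sql):
    """Return True if the database itself rejects a change to audit_logs."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False
```

If the audit insert fails for any reason, the contact update is rolled back with it, which is the property the same-transaction requirement exists to guarantee.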
Components (112)
Shared Components
These components are reused across multiple features
User Interface (12)
Service Layer (34)
Data Layer (22)
Infrastructure (38)