Audit log — who changed what, when.

Every admin-relevant action lands in the audit log: login, configuration changes, quarantine releases, licence activation, API key rotation. Written per node, aggregated cluster-wide on read, CSV-exportable for ISO 27001 and GDPR audits.

What is recorded

  • Authentication: login (success + failed attempts), logout, TOTP setup/reset, API key usage
  • User management: admin user created/changed/deleted, role/permissions changed, password reset
  • Configuration changes: domain added/removed, mail filter created/changed, RBL provider on/off, DKIM key rotated, DMARC policy changed
  • Quarantine actions: mail released / discarded / trained as spam/ham — per mail with subject + sender + recipient
  • Cluster operations: node join/leave, licence activated/renewed, backup triggered, restore executed
  • Security events: brute-force detection triggered, rate-limit hit, session-hijack attempt detected

Cluster architecture

The audit log is written locally on each node into an append-only table: no replication, no central database, no single point of failure. When the admin UI reads the log, the entries of all nodes are fetched over mTLS, merged chronologically and shown as one list. Every action is therefore recorded on the node where it happened. If a node is temporarily unreachable, its entries stay on its local storage and the aggregate view shows "node X temporarily unreachable" instead of blocking; they reappear once the node is back. Because nothing is replicated, a node whose storage is destroyed takes the entries that only it held with it, so clusters that need the trail to outlive any single node should also forward entries to an external SIEM (see Retention & export).

Tamper resistance

Audit log entries are append-only: neither the UI nor the API exposes an UPDATE or DELETE path. The only deletion is the retention cleanup described below, which itself writes an entry. Every entry carries an HMAC computed with a per-node secret (the "signature" column in the export); an entry altered afterwards in the database no longer matches its HMAC and is flagged as "integrity violation" on read. Operator roles can read and export the log but cannot edit it. The HMAC binds each entry to the node that wrote it and protects against manipulation below the application, such as direct database access; anyone holding the node's secret could recompute a valid HMAC, which is another reason to forward entries to an external SIEM as they are written.
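As an added illustration of the mechanism described above (example code, not the product's own implementation): each node computes an HMAC over the exported columns with its own secret when it appends an entry, and the reader recomputes it when aggregating. The canonical field encoding, the use of SHA-256, the action names, and the sample entries and secrets are assumptions constructed for this example; only the column names come from the CSV export described on this page.

```python
"""Per-entry HMAC integrity check for an append-only audit log.

Added example, not the product's own code. Column names follow the CSV export
(timestamp, node_id, user, action, target, ip_address, user_agent, success,
signature). Canonical encoding, SHA-256, secrets and sample rows are assumed.
"""
import hashlib
import hmac
import json

# Every exported column except the MAC itself goes into the MAC input.
MAC_FIELDS = ("timestamp", "node_id", "user", "action", "target",
              "ip_address", "user_agent", "success")


def canonical_bytes(entry):
    """Deterministic encoding (sorted keys, no whitespace) so writer and every
    later reader hash exactly the same bytes. Assumed format."""
    return json.dumps({f: entry[f] for f in MAC_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def mac_for(entry, node_secret):
    return hmac.new(node_secret, canonical_bytes(entry), hashlib.sha256).hexdigest()


def append_entry(log, entry, node_secret):
    """Writer side: compute the HMAC with this node's secret and append.
    Deliberately no update/delete function exists in this module."""
    signed = dict(entry)
    signed["signature"] = mac_for(signed, node_secret)
    log.append(signed)
    return signed


def verify_on_read(entries, node_secrets):
    """Reader side: recompute each entry's HMAC under the secret of the node it
    claims to come from. Returns [(entry, status)] with status one of
    'ok', 'integrity violation', 'unknown node'."""
    result = []
    for e in entries:
        secret = node_secrets.get(e["node_id"])
        if secret is None:
            status = "unknown node"
        elif hmac.compare_digest(mac_for(e, secret), e["signature"]):
            status = "ok"
        else:
            status = "integrity violation"
        result.append((e, status))
    return result


# Constructed sample secrets, one per node.
NODE_SECRETS = {
    "node-a": b"constructed-secret-for-node-a",
    "node-b": b"constructed-secret-for-node-b",
}


def demo():
    """Build a small log, tamper with it in three different ways, and return
    the verification statuses in log order."""
    log = []
    append_entry(log, {"timestamp": "2024-03-14T09:12:03Z", "node_id": "node-a",
                       "user": "alice", "action": "login", "target": "-",
                       "ip_address": "203.0.113.7", "user_agent": "Mozilla/5.0",
                       "success": "false"}, NODE_SECRETS["node-a"])
    append_entry(log, {"timestamp": "2024-03-14T09:15:41Z", "node_id": "node-a",
                       "user": "alice", "action": "config.domain.add",
                       "target": "example.org", "ip_address": "203.0.113.7",
                       "user_agent": "Mozilla/5.0", "success": "true"},
                 NODE_SECRETS["node-a"])
    append_entry(log, {"timestamp": "2024-03-14T09:16:02Z", "node_id": "node-b",
                       "user": "bob", "action": "quarantine.release",
                       "target": "msg-42", "ip_address": "198.51.100.9",
                       "user_agent": "curl/8.0", "success": "true"},
                 NODE_SECRETS["node-b"])

    # 1. Manipulation below the application: a failed login is flipped to a
    #    success directly in the database; the stored HMAC is left untouched.
    log[0]["success"] = "true"

    # 2. A row attributed to node-b but MAC'd with node-a's secret.
    forged = dict(log[2])
    forged["signature"] = mac_for(forged, NODE_SECRETS["node-a"])
    log.append(forged)

    # 3. A row claiming a node whose secret the reader does not know.
    log.append({**log[1], "node_id": "node-c"})

    return [status for _, status in verify_on_read(log, NODE_SECRETS)]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Note what the check does and does not cover: a row changed by anyone without the node secret is flagged, as is a row attributed to one node but MAC'd under another's, while a row removed outright leaves nothing to verify and a party holding the node secret can recompute a valid MAC. Both gaps are why forwarding entries to an external SIEM at write time matters for a complete tamper-evident trail.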

Retention & export

  • Default retention: 365 days (configurable per cluster between 90 days and "forever")
  • Cleanup: a daily cron job deletes entries older than the retention window — the deletion itself is recorded back into the audit log
  • CSV export: filter by time range / user / action / domain, then CSV download with all columns (timestamp, node_id, user, action, target, ip_address, user_agent, success, signature)
  • JSON export via API: GET /api/v1/audit-log?from=...&to=... — for SIEM integration (Splunk, Wazuh, Elastic)
  • Syslog forwarding: optional via rsyslog forwarder straight to an external SIEM

Use cases

ISO 27001 / SOC 2 audit: auditor asks "who made configuration changes on 14 March between 09:00 and 12:00?" — set filter, CSV export, attach to audit report. Done.

GDPR subject access: data subject asks "when was my quarantined mail handled?" — filter by recipient + action "quarantine.release", attach entries as PDF to the response.

Incident response: suspected compromised admin account — filter by user + IP address shows every action of the past 30 days, including failed login attempts and API key usage from unfamiliar locations.

Four-eyes principle: compliance officer checks monthly that every DKIM key rotation was confirmed by two different admin users.

Compliance without Excel tracking.

Audit log enabled by default, no configuration effort, ISO 27001 ready.
