Audit Trail
The audit trail is a tamper-evident log of every significant action taken on project records in Workflows. It captures who performed each action, what changed, when it happened, and the context of the change — providing the evidentiary record required for ISO compliance, contract disputes, project closeout, and internal governance reviews.
What is captured per event
Every audit entry records the following fields:
| Field | Description |
|---|---|
| Entity type | The type of record affected (document, workflow, transmittal, etc.). |
| Entity ID | The unique identifier of the affected record. |
| Action | The specific action performed. |
| Actor — User ID | The internal ID of the user who performed the action. |
| Actor — Name | The display name of the user at the time of the action. |
| IP address | The network address from which the action was performed. |
| User agent | Browser and OS information for the session. |
| Timestamp | Precise UTC timestamp of the event. |
| Before state | JSON snapshot of the record's state before the change (for update and delete events). |
| After state | JSON snapshot of the record's state after the change. |
Entity types covered
| Entity type | Examples of what is tracked |
|---|---|
| Document | Upload, revision, status change, lock, unlock, supersede, confidentiality toggle. |
| Workflow | Created, started, completed, rejected, cancelled. |
| Workflow step | Assigned, activated, response submitted, delegated, due date changed. |
| Transmittal | Created, issued, acknowledged, recalled. |
| Correspondence | Created, sent, responded, closed. |
| User | Invited, role changed, removed, password reset. |
| Organisation | Settings changed, project created, storage provider updated. |
| Project | Settings changed, member added, numbering scheme updated. |
| Access control group | Created, membership changed, permissions changed, deleted. |
| Distribution list | Created, members changed, deleted. |
| Review matrix | Rule added, edited, deactivated. |
| Guest share | Created, accessed, revoked, expired. |
Action types
Common action values in the trail include:
created, updated, deleted, status_changed, locked, unlocked, transmitted, viewed, downloaded, approved, approved_with_comments, rejected, acknowledged, commented, delegated, workflow_started, workflow_completed, step_activated, step_completed, step_overdue, share_created, share_accessed, share_revoked, member_invited, member_removed, role_changed, settings_updated
Accessing the audit trail
Organization-level trail
Available to Org admins via Admin → Audit trail. Shows all events across all projects and administrative actions at the organization level.
Project-level trail
Available to users with the view_audit_log permission via Project → Audit trail. Scoped to events within that project.
Record-level trail
Every document, workflow, transmittal, and correspondence item has an Activity tab showing its own subset of the audit log. This is the most common way team members access audit information.
Filtering and searching
The audit trail viewer supports filtering by:
| Filter | Options |
|---|---|
| Entity type | Select one or more entity types from the list. |
| Action | Select specific action types. |
| Actor | Search for events performed by a specific user. |
| Date range | From / to date and time selectors. |
| Entity ID | Look up all events on a specific record by its ID. |
| IP address | Filter by originating IP for security reviews. |
Multiple filters combine as AND conditions. Results are displayed in reverse chronological order by default.
Exporting the audit log
The full filtered audit log can be exported as a CSV file using the Export button in the audit trail viewer. The export includes all columns: entity type, entity ID, action, actor name, IP address, timestamp, and the before/after state JSON.
Exports are recorded in the audit trail itself (a audit_log_exported event), capturing who exported the log and when.
Compliance use cases
| Scenario | What to check |
|---|---|
| ISO audit | Filter by document entity, check status_changed events for formal review compliance records. |
| Contract dispute | Filter by transmittal entity to confirm issue date, recipients, and acknowledgement timestamps. |
| Unauthorised access investigation | Filter by entity type = document, action = viewed or downloaded, filter by date range and actor. |
| Project closeout | Export the full project log and confirm all required workflow completions and transmittal acknowledgements. |
Related
- Document Activity — per-document event timeline
- Access Control Groups —
view_audit_logpermission - Guest and External Reviewers — guest share access events in the trail