Audit Logging

Audit Logging & Evidence

In a finance platform, the audit trail is not telemetry - it is part of the product. Fintra records every consequential action, human or AI, in an append-only log whose entries are hash-chained so tampering is detectable. The result is a trail your auditor can rely on, exportable on demand and monitored continuously by SentriAI.

What gets logged

Coverage is the difference between a log and an audit trail. Fintra logs the actions that matter for financial integrity and security review.

  • Financial mutations: journal entries, invoice changes, payroll runs, budget edits - with before/after values and the acting principal.
  • Access events: sign-ins, MFA challenges, role changes, permission grants, and Fintra-employee production access.
  • AI activity: every agent tool call, policy decision, and human approval, via AgentFence’s trust ledger.
  • Administrative changes: integration connections, API token issuance, tenant settings.

Append-only and hash-chained by design

Audit entries can be written, never updated or deleted - enforced at the database layer, not by application convention. Each entry carries a cryptographic hash of the previous entry, forming a chain: alter or remove any record and every subsequent hash fails verification. Chain integrity is verified continuously as a SentriAI-tested control, so a broken chain is an alert, not a discovery made during an audit.

Retention and export

Audit logs are retained for the life of the account (minimum 1 year of hot, queryable history, with older records in encrypted archive). Admins can filter by actor, entity, and time range in-product, and export logs as CSV/JSON for auditors or SIEM ingestion. Because AgentFence ledger entries and platform audit events share the same integrity model, one export covers both human and AI activity.

From logs to compliance evidence

The audit trail is also the raw material of compliance. SentriAI maps log-backed facts - access reviews completed, MFA enforced, no unapproved AI actions - to specific SOC 2 Trust Services Criteria and ISO 27001 controls, turning day-to-day operations into audit evidence automatically. When your auditor asks "prove it," the answer is a query, not a quarter of archaeology.

Frequently asked questions

Can audit logs be edited or deleted by an admin?

No. The log is append-only at the database layer - no role, including Fintra staff, can update or delete entries. Hash chaining means any out-of-band tampering breaks verification detectably.

How long are audit logs kept?

For the life of your account: at least 1 year hot and queryable in-product, with older entries in encrypted archive retrievable on request. You can export the full trail at any time.

Are AI agent actions in the same audit trail?

Yes. AgentFence records every agent tool call, policy decision, and human approval with the same append-only, hash-chained integrity, and exports cover human and AI activity together.

Can I feed Fintra audit logs into my SIEM?

Yes - logs export as CSV/JSON today, and streaming delivery for SIEM ingestion is on the roadmap. Tell us your target platform at security@fintrahub.com.

Questions about audit logging?

Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.

Talk to our security team