Audit & Compliance
Immutable audit logs, access tracking, and compliance readiness
LaserData Cloud provides comprehensive audit logging and data protection capabilities designed for enterprise compliance requirements.
Audit Logging
Every state-changing operation in the platform is recorded in an immutable audit log. Audit records cannot be modified or deleted.
What's Logged
- All mutations — every create, update, and delete operation across all resources
- Actor information — who performed the action, with user ID and name
- Resource context — tenant, division, environment, and deployment associated with the action
- Previous values — for update operations, the previous state is recorded alongside the new state
- Timestamps — precise time of every operation
Viewing Audit Logs
- Navigate to your tenant or deployment in the Console
- Open the Audit tab
- Browse or search through the audit history
Tenant Isolation
Audit logs are isolated per tenant. Each tenant's audit data is stored separately — no cross-tenant data leakage.
Encryption
All audit data is encrypted at rest, including actor names, resource names, and event payloads.
Access Logs
Access logs track who read sensitive data, answering the question: "who looked at user information?"
Access logs are recorded for reads of sensitive endpoints:
- User profile reads
- Member listings
- Invitation reads
- Audit log access
- Data exports
Access logs include the request ID, actor, action, IP address, and User-Agent.
Security Events
The platform captures security events for anomaly detection and incident response:
- Permission denied — when a user attempts an action they don't have permission for
- Authentication failed — on login failures, with the failure reason and request metadata
Data Protection (GDPR)
Encryption at Rest
All personally identifiable information (PII) is encrypted at rest:
- User emails and names
- Identity provider external IDs
- Invitation emails
- Audit log fields containing personal data
Email addresses are stored as one-way hashes for lookups — the system can find accounts without decrypting every record.
Data Export
Users can export all their personal data in JSON format via the Console or API, covering:
- Profile information
- Identity provider connections
- Active sessions
- Tenant memberships
- Pending invitations
- Account settings
Right to Erasure
User accounts can be fully deleted, removing identities, memberships, and invitations. Audit logs are retained under legitimate interest for security purposes, as permitted by GDPR.
Compliance
| Framework | Status |
|---|---|
| SOC 2 Type II | In progress |
| ISO 27001 | In progress |
| GDPR | Implemented — PII encryption, data export, right to erasure |
Audit Retention
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Audit log retention | 7 days | 90 days | 365 days |
Required permission: audit:read at the tenant level
API Reference
Get Audit Event Types
curl https://audit.laserdata.cloud/audit/types \
  -H "ld-api-key: YOUR_API_KEY"
Returns the list of all available audit event types for filtering.
Get Tenant Audit Logs
curl "https://audit.laserdata.cloud/audit/tenants/{tenant_id}?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"
{
  "data": [
    {
      "type": "deployment_created",
      "name": "Deployment Created",
      "author": { "id": 1, "name": "Jane Smith" },
      "division": { "id": 1, "name": "Platform Engineering" },
      "environment": { "id": 1, "name": "production" },
      "deployment": { "id": 42, "name": "prod-cluster" },
      "timestamp": "2025-01-15T10:30:00Z"
    }
  ],
  "page": 1,
  "results": 10,
  "total": 1
}
Get User Activity
curl "https://audit.laserdata.cloud/audit/users/activity?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"
Export Account Data (GDPR)
curl https://api.laserdata.cloud/account/export \
  -H "ld-api-key: YOUR_API_KEY"
Returns a JSON export of all personal data associated with the account.
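
Added example (not LaserData's own code): Python that pages through the Get Tenant Audit Logs endpoint and picks out events about to age out of the plan's retention window, so they can be archived to your own store first. It assumes `total` is the record count across all pages; the function names (`http_fetch`, `iter_audit_events`, `expiring`, `fake_fetch`) are made up here and the sample records are constructed.

```python
import json, urllib.request
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

BASE = "https://audit.laserdata.cloud"                        # host from the page
RETENTION_DAYS = {"basic": 7, "pro": 90, "enterprise": 365}   # retention table

def http_fetch(api_key):
    """fetch(url) for the live API; sends the ld-api-key header."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"ld-api-key": api_key})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch

def iter_audit_events(fetch, tenant_id, results=10):
    """Yield every tenant event, walking page=1..N.
    Assumption: "total" counts records across all pages."""
    page, seen = 1, 0
    while True:
        body = fetch(f"{BASE}/audit/tenants/{tenant_id}?page={page}&results={results}")
        events = body.get("data", [])
        yield from events
        seen += len(events)
        if not events or seen >= body.get("total", 0):
            return
        page += 1

def expiring(events, plan, now, margin_days=1):
    """Events that leave the plan's retention window within margin_days."""
    cutoff = now - timedelta(days=RETENTION_DAYS[plan] - margin_days)
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return [e for e in events if parse(e["timestamp"]) <= cutoff]

# Constructed sample records in the response shape shown above (not real data).
SAMPLE = [{"type": "deployment_created", "author": {"id": 1, "name": "Jane Smith"},
           "deployment": {"id": i, "name": f"sample-{i}"}, "timestamp": ts}
          for i, ts in enumerate(["2025-01-15T10:30:00Z", "2025-01-16T09:00:00Z",
                                  "2025-01-17T08:00:00Z", "2025-01-20T14:00:00Z",
                                  "2025-01-21T23:00:00Z"], start=1)]

def fake_fetch(records, calls):
    """Offline stand-in for http_fetch: serves pages of `records`, logs URLs."""
    def fetch(url):
        calls.append(url)
        q = parse_qs(urlparse(url).query)
        page, n = int(q["page"][0]), int(q["results"][0])
        return {"data": records[(page - 1) * n:page * n],
                "page": page, "results": n, "total": len(records)}
    return fetch
```

Against the live service, pass `http_fetch("YOUR_API_KEY")` in place of `fake_fetch(...)`; the key needs the audit:read permission at the tenant level.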