Audit Log

Atrium maintains a comprehensive audit log of security-relevant events and data changes. The audit log is designed for compliance reviews, security investigations, and operational accountability.

What's logged

Authentication events

  • User login (successful and failed attempts, with IP address).
  • User logout.
  • Password changes and resets.
  • Kiosk device pairing and token revocation.
  • Agent mTLS connections and disconnections.

Visitor lifecycle events

  • Visit created (pre-registration) — who invited whom, when.
  • Visit checked in — time, method (dashboard or kiosk), device ID.
  • Visit checked out — time, trigger (manual or automatic expiry).
  • Visit cancelled — who cancelled, when.
  • Documents signed — which documents, which versions, when.
  • WiFi voucher created and revoked.

Configuration changes

  • Site created, modified, or deleted — with old and new values.
  • User created, modified, or deactivated — role changes, site assignment changes.
  • Document template created or new version published.
  • Integration settings changed (CRM, calendar, IdP configuration).
  • License status changes.

Data access

  • Visitor profile viewed or exported (for GDPR audit trail).
  • Archived PDF downloaded.

Accessing the audit log

Tenant-Admins can access the audit log from Settings → Audit Log in the admin dashboard. The log is searchable and filterable by:

  • Time range — View events from a specific period.
  • Event type — Filter by authentication, visitor lifecycle, configuration, or access events.
  • Actor — Who performed the action (user, system, or device).
  • Entity — Which resource was affected.

Audit log retention

Audit log entries follow the tenant's data retention policy. By default, audit logs are retained for 36 months — longer than visitor records (12 months) because audit data is often required for compliance reviews that span multiple years.

Audit log entries are tenant-scoped: row-level security (RLS) applies, and there is no cross-tenant visibility.

For IT audits

If you need to provide audit evidence for an IT security review or compliance audit (ISO 27001, SOC 2, GDPR Article 30), the audit log provides:

  • Evidence of access controls (who accessed what, when).
  • Evidence of data processing activities (visitor data collected, processed, deleted).
  • Evidence of configuration management (who changed what settings).
  • Evidence of authentication security (failed login tracking, password policy enforcement).

The audit log can be exported for offline review.