Trust & security · Audit

Audit logs.

Every action Axiom takes is logged immutably. Connection events, scans, findings, approvals, executions, Terraform exports, rollbacks — all queryable from the dashboard, exportable to SIEM, and SOC 2 / ISO 27001 control-mapped.

The contract

Audit logs are immutable. Once written, no Axiom employee, no API caller, no automation can modify or delete them. The audit fabric is append-only by design.

01 · Event types

What gets logged

Connection events

Indefinite

Provider connected, disconnected, role assumed, role assumption failed, External ID rotated.

Scan events

90 days · exportable

Scan started, completed, failed, partial. Includes region, account, scan duration, resource counts.

Findings

90 days · exportable

Every finding produced by a scan with category, severity, affected resources, confidence, and timestamp.

Recommendations

90 days · exportable

Every recommendation tied to a finding — rationale, risk level, monthly impact, disposition.

Execution plans

Indefinite

Plan generated, phases, blast radius, rollback strategy, expected impact. Immutable per plan version.

Approvals

Indefinite

Approver identity, plan items approved/rejected, optional note, timestamp. Captures multi-party approval chains.

Terraform exports

Indefinite

Plan downloaded — who, when, which phases, what bytes were served. Marks 'applied externally' if user confirms.

Apply events

Indefinite · SOC 2 evidence

Each cloud mutation: provider, resource, action type, before-state, after-state, status, RTO if rolled back.

Rollback events

Indefinite

Trigger reason, snapshot used, rollback path executed, post-rollback verification result.

User actions

90 days · exportable

Sign-in, sign-out, settings changes, connection management, approval policy edits.

Workflow events

90 days · exportable

Recurring workflow runs, drift detection cycles, post-execution verification jobs, compliance sweeps.

ReleaseOps events

Indefinite

Release assessed, approved, deployed, blocked, rolled back, drift detected, readiness score updated.

02 · Access

Where to find audit logs

  • Dashboard/dashboard/command-center shows live activity feed; /dashboard/memory shows 90-day timeline with filtering
  • API — REST endpoint at GET /api/operations/events returns recent activity stream
  • Export — full audit export from Settings → Audit → Export (CSV, JSON, or SIEM-formatted)
  • SIEM integration — webhook delivery to your SIEM for real-time forwarding (Enterprise tier)
  • Desktop app — local audit log lives in OS-native storage, exportable to disk without leaving your machine

03 · Format

Audit event shape

Every event has a stable schema:

  • id — globally unique event ID
  • timestamp — ISO 8601 UTC
  • organizationId — tenant scope
  • userId — actor (user, service, or "system" for agent-initiated events)
  • provider — aws | azure | gcp | system
  • actionType — event kind (one of the categories above)
  • resourceIds — affected resources (array of strings)
  • beforeState / afterState — JSON state snapshots (for apply events)
  • status — pending | applied | failed | rolled_back
  • riskLevel — low | medium | high
  • metadata — extra context (region, cost impact, approver, etc.)

04 · Enterprise trust

Why audit logs matter

  • SOC 2 / ISO 27001 evidence — control mappings built in; audit-export is the artifact auditors actually want
  • Incident forensics — when something goes wrong, the timeline of every action is queryable in seconds
  • Compliance reporting — quarterly reports generate themselves from the same audit fabric
  • Vendor accountability — if Axiom misbehaves, the proof is in your own audit logs, not ours
  • Internal governance — who approved what, when, with what justification — is the entire audit story

05 · Hard guarantees

Immutability guarantees

  • No API endpoint allows modification or deletion of audit events
  • No internal Axiom tool allows modification
  • Application-layer encryption protects sensitive fields (before/after states) without breaking auditability
  • Cross-region replication on Enterprise tier — audit fabric survives single-region failure
  • Audit-log integrity hash chain (planned) — tamper detection at the row level

06 · Retention

Retention

  • Operational events (scans, findings, recommendations, workflow runs) — 90 days at the platform; exportable indefinitely
  • Material actions (connections, plans, approvals, applies, rollbacks, exports) — indefinite retention
  • Custom retention — Enterprise tier supports configurable retention windows up to 7 years
  • Customer-controlled storage — Enterprise tier can write audit events directly to your own S3/Azure Blob/GCS

Trust questions

What gets logged?

Every action Axiom takes — connections, scans, findings, approvals, executions, exports, rollbacks, user operations.

Why does it matter?

SOC 2 / ISO 27001 evidence, incident forensics, compliance reporting, vendor accountability, internal governance — all run off the same audit fabric.

Is it safe and tamper-proof?

Yes — append-only, no modification API, application-layer encryption on sensitive fields, planned integrity hash chain.

What's the retention?

90 days for operational events, indefinite for material actions. Configurable up to 7 years on Enterprise.

Where do I find it?

Dashboard (activity feed + memory timeline), REST API, full CSV/JSON export, SIEM webhook delivery.

Can Axiom employees see my audit logs?

No. Tenant isolation is enforced at the data layer. Support access requires a documented break-glass process with your prior approval.

Need a human?

Most flows are documented — but we'll help if anything is unclear.

Talk to Vision XIX Labs