[DOC-240] Audit Log

[ElTimuro]

• Transparency is one of the most fundamental principles of trust
• Therefore giving users a details overview of the timeline of all events of a transaction from creation to completion helps ensure a more secure and auditable process
• An Audit log should be generated for every signing workflow and distributed with every document
• Content of the log should be
  • the relevant events (e.g. document creation, viewing by X, signed by X) with timestamps and user IP, auth entity identification like e.g. name, email, and organization
  • Document/ Transaction Creation
  • Document Viewing
  • Signing Event
  • Auth/ Reaauth
  • Document Completion
  • Signer Position and Role
  • Stakeholder Security Level (email login, 2FA, etc.)
  • Reauthentication events
  • IP-Addresses
• While beeing thorough, privacy concerns should be well considered
• The audit log should be digitally signed like the document itself to ensure authenticity and integrity

While different use-cases require different levels of audit logs, the same log should ideally be used in every case to reduce complexity and raise the base-audit-level.

_{From SyncLinear.com | DOC-240}

[stp-ip]

As self-hosting might make proofing stuff a little bit less trustworthy as there is no third party involved in the log and timestamps.

Opentimestamps for timestamping the signed doc and maybe the audit log or something might be a nice addition. Verifiable and should hold up in court as well.

In theory documenso could be the optional third party service for logging and timestamps even as a paid add on in self-hosting I'd assume. Aka replicating logs or timestamping and providing signatures on events etc. One option in terms of verifiable audit logs: https://github.com/google/trillian

[konstantinrudi]

Hey guys, any news on this project :)? Best