TrustAudit + monitoring

The audit log is a feature, not a footnote.

The Trust posture page makes the headline claim — user actions and the reasoning behind them are logged. This page is the procurement-grade unpacking of that claim: seven structured layers — six of them live on the platform today — that together make the log a working compliance surface, not a dormant evidence locker. Outside counsel, the CISO, and the firm’s ethics partner all have a stake in what’s below.

We label each layer by what is true today. Six of the seven are live on the platform now — audit logging, the typed event taxonomy, the daily case auditor, the user-level behavioral auditor, retention with a legal-hold override, and the signed long-term archival tier. The remaining one — the compliance-alerts engine — is on the near-term roadmap, and we mark it rather than blur the line.

  1. Layer 01 — Action logging

    Actions and reasoning, on the record.

    Live today
    User actions inside the tenant — sign-in, view, edit, generate, sign, send, file — are written to a structured tenant audit log with actor identity, timestamp, action type, and matter reference. The reasoning steps behind an action are recorded alongside it, so the action record and the reasoning record can be read together for a single matter. The audit log is exportable as JSON for litigation discovery, ethics review, or malpractice-insurance audit.
  2. Layer 02 — Structured audit events

    A typed taxonomy, not free-text.

    Live today
    Audit events are written against a typed action taxonomy — not free-text strings — so the log can be queried, filtered, and reported on by action type rather than parsed by hand. The taxonomy is the substrate the operational auditing layers below build on. The richer, per-workflow event vocabulary (distinct events for demand-package generation, case assembly, billing reconciliation, and the rest) is being expanded as those layers come online.
  3. Layer 03 — Case auditor (matter-level)

    A daily auditor on every open file.

    Live today
    The case auditor is a scheduled job that runs daily against every active matter in the tenant. It surfaces treatment gaps that exceed the configured threshold, deadlines coming due, missed or stale matter activity, unresolved liens at settlement, and other matter-state issues the supervisor didn’t catch during the day — and, for the most serious findings, a short AI synthesis. The results surface in the firm-admin dashboard and the daily morning briefing.
  4. Layer 04 — Behavioral auditor (user-level)

    Compliance pattern detection across users.

    Live today
    The behavioral auditor operates at the user level rather than the matter level. It runs daily, building a per-firm activity profile — per-attorney usage, AI-adoption, feature breadth, and adoption gaps (for example, someone uploading documents but never running AI analysis) — which feeds the firm’s insights surface with real data. It does not surveil legitimate work; it surfaces the patterns a firm’s own policy would flag for review.
  5. Layer 05 — Compliance alerts engine

    Detect once. Notify the right person.

    On the roadmap
    The compliance-alerts engine subscribes to the structured audit-event stream and applies firm-configurable rules to surface compliance issues in real time — the bridge between the audit log (which records what happened) and the firm’s decision-making (which decides what to do). Alerts route to the firm-admin user with a notification cadence the firm sets — immediate, daily digest, or weekly summary. The alert data model is in place on the current stack; the rules-and-routing engine on top of it is on the near-term roadmap.
  6. Layer 06 — Retention policies

    Retained, held, and never silently dropped.

    Live today
    Matter and audit data are retained while the account is active and as required by law or contract. Deletion is a soft-delete that honors a legal-hold override, so data under hold is never removed — case data is never hard-deleted out from under a retention obligation. Firm-configurable, per-state-bar retention policies — expressed as a structured, auditable policy object that can be reviewed and exported like the underlying data — are on the near-term roadmap.
  7. Layer 07 — Audit archival

    Long-term storage at archival cost.

    Live today
    The audit archival job runs nightly, moving audit records older than 90 days to long-term cold storage as compressed, integrity-signed (HMAC-SHA256) batches — each batch carries a signature so its contents can be verified on retrieval. Records remain exportable through the firm-admin surface; retention obligations are preserved while storage cost drops. (Write-once / immutability hardening on the archive container is a separate, planned step.)

Why every layer matters to the buyer.

Procurement officers approve software that produces audit evidence they can defend to regulators. CISOs approve software whose monitoring posture matches their own. Ethics partners approve software whose behavioral surveillance is defensible under the firm’s own policy. Insurance carriers approve software whose audit trail survives a malpractice claim.

Almost all of it is live today: actions and their reasoning are logged against a typed taxonomy (Layers 01–02), the daily case auditor (Layer 03) and user-level behavioral auditor (Layer 04) run every day, retention with a legal-hold override is enforced (Layer 06), and the long-term archival tier (Layer 07) signs every batch it moves to cold storage. The one piece still on the near-term roadmap is the compliance-alerts engine (Layer 05) — the rules layer that turns the audit stream into routed, real-time alerts. We would rather show you that line than blur it.

← Back to the Trust posture