Audit logs
Every read, write, sync, and permission decision is logged per tenant — append-only, exportable.
What's logged
ThorStack logs every action that affects state or accesses data:
| Event family | Examples |
|---|---|
| Auth | Login, MFA challenge, password reset, session token issued. |
| Permission | Role change, group membership, record-grant change. |
| Data read | API list/get, search, export, agent retrieval. |
| Data write | Create, update, delete on every module. |
| Integration | OAuth grant, sync run, sync error, disconnect. |
| Agent | Tool call, gate decision, knowledge update. |
| Workflow | Trigger fire, run start, node enter/exit, run end. |
Logs are append-only — you cannot edit or delete a row, including as Owner.
What a log entry contains
Each entry has:
- Timestamp (UTC, microsecond precision).
- Tenant id, actor id (user or agent), actor IP for human actors.
- Action key (e.g. crm.deal.update).
- Target (object id and type).
- Before / after diff for state changes (redacted for sensitive fields like LLM keys).
- Outcome (allow, deny, error).
Viewing
Open Settings → Audit log. Filter by actor, action, target, or time. The UI is paginated to 200 rows; for larger queries, use the export.
Export
Export to CSV or JSON over the API. Sovereign customers can also configure a continuous export to their own SIEM (Splunk, Sumo Logic, Datadog) over signed webhooks.
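A detection pass over an exported JSON audit trail, added here as an example and not ThorStack code: it flags any actor who collects a burst of deny outcomes inside a short window. The JSON field names, the one-entry-per-line layout and the sample rows are assumptions constructed for illustration; this page does not document the export schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, one JSON entry per line. Field names are assumptions
# modelled on the entry fields listed on this page, not a documented schema.
_ROW = ('{"ts": "2024-05-01T%sZ", "tenant_id": "t1", "actor_id": "%s", '
        '"action": "crm.deal.update", "target": {"type": "deal", "id": "%s"}, '
        '"outcome": "%s"}')
SAMPLE_EXPORT = [_ROW % row for row in [
    ("10:00:40.500000", "u-17", "d-2", "deny"),
    ("10:00:00.000001", "u-17", "d-1", "deny"),   # deliberately out of order
    ("10:01:10.250000", "u-22", "d-2", "allow"),
    ("10:01:55.000000", "u-17", "d-3", "deny"),
    ("10:02:00.000000", "agent-3", "d-4", "deny"),
    ("10:03:00.000000", "u-22", "d-5", "deny"),
    ("10:12:00.000000", "agent-3", "d-4", "deny"),
    ("10:22:00.000000", "agent-3", "d-4", "deny"),
]]


def parse_ts(value):
    # Accept the trailing "Z" on Python versions where fromisoformat() rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def deny_bursts(lines, threshold=3, window_seconds=300):
    """Alert when one actor in one tenant collects `threshold` denies in the window."""
    window = timedelta(seconds=window_seconds)
    entries = [json.loads(line) for line in lines if line.strip()]
    entries.sort(key=lambda e: parse_ts(e["ts"]))  # exports may arrive out of order
    recent = defaultdict(deque)  # (tenant, actor) -> timestamps of recent denies
    alerts = []
    for e in entries:
        if e["outcome"] != "deny":
            continue
        key, ts = (e["tenant_id"], e["actor_id"]), parse_ts(e["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop denies that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"tenant_id": key[0], "actor_id": key[1],
                           "first": q[0], "last": ts, "count": len(q)})
            q.clear()  # start a fresh count so one burst yields one alert
    return alerts
```

With the default five-minute window only u-17 is flagged; agent-3's three denies are ten minutes apart and stay below the threshold until the window is widened.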
Retention
Default retention is 365 days in hot storage and 7 years in cold storage. Both are tenant-configurable on the Operator and Sovereign plans, subject to a 90-day floor.
Next
- SOC 2 controls — how logs feed compliance.
- RBAC — who can read the audit trail.