Comprehensive audit trail system for compliance with GDPR, SOC2, HIPAA, and other regulatory requirements. Delivers immutable audit logging, user consent tracking, data access monitoring, automated compliance violation alerts, and export capabilities for auditors.
Implementation:
ImmutableAuditLogmodel with digital signatures and hash chainsauditComplianceService.logImmutableAudit()method- Automatic logging for all security-relevant events
- Support for 50+ action types (authentication, data operations, security events)
Key Capabilities:
- Tamper-evident blockchain-style hash chaining
- Comprehensive metadata capture (IP, user agent, geolocation, device info)
- Risk level classification (low, medium, high, critical)
- Compliance flag tagging (SOX, GDPR, PCI_DSS, HIPAA, SOC2, ISO27001)
Implementation:
- Pre-save middleware generates SHA-256 hash chains
- HMAC-SHA256 digital signatures for each log entry
- Sequential numbering prevents record deletion
verifyAuditIntegrity()method validates chain integrity
Security Features:
- Previous hash linking creates tamper-evident chain
- Signature key stored in environment (
AUDIT_SIGNATURE_KEY) - Automatic integrity verification on demand
- Genesis block initialization (sequence 1)
Implementation:
retentionPolicyfield withretainUntildates- Legal hold functionality for litigation
- Configurable retention periods via environment variables
- Automatic expiration tracking
Configuration:
AUDIT_LOG_RETENTION_DAYS=2555 # 7 years (SOX, GDPR)
DATA_ACCESS_LOG_RETENTION_DAYS=2555
CONSENT_RECORD_RETENTION_DAYS=3650 # 10 yearsImplementation:
GET /api/audit-compliance/audit-logs- Paginated searchGET /api/audit-compliance/forensics/timeline- Timeline reconstructionGET /api/audit-compliance/forensics/anomaly-correlation- Anomaly detection
Filter Capabilities:
- User ID, workspace ID, action type, entity type
- Date range, risk level, request/correlation/session IDs
- Compliance standard, status, severity
- IP address, geolocation, device patterns
Implementation:
generateComplianceReport()- Standard-specific reportsPOST /api/audit-compliance/compliance/reports- Report generation endpoint- Support for SOX, GDPR, PCI_DSS, HIPAA, SOC2, ISO27001, CCPA, PIPEDA
Report Contents:
- Total log count, standard-specific flags
- Violation summary (open, critical, resolved)
- Evidence collection for auditors
- Time-range scoped analysis
Implementation:
UserConsentmodel with 14 consent types- Digital signature verification for consent records
- Proof-of-consent storage (checkbox text, button clicked, screenshot)
- GDPR Article 6(1) legal basis tracking
API Endpoints:
POST /api/audit-compliance/consent/record- Record consentPOST /api/audit-compliance/consent/withdraw- Withdraw consentGET /api/audit-compliance/consent/history- Consent historyGET /api/audit-compliance/consent/check/:type- Check active consentGET /api/audit-compliance/consent/proof/:id- Retrieve proof (admin)
Consent Types:
- Terms of service, privacy policy, data processing
- Marketing communications, analytics tracking, cookie usage
- Data sharing, third-party integrations
- Biometric data, health data, financial data processing
- Cross-border data transfer, automated decision-making, profiling
Legal Basis Support:
- Consent, contract, legal obligation
- Vital interests, public task, legitimate interest
Implementation:
DataAccessLogmodel with sequential integrity verificationlogDataAccess()method with automatic risk scoringGET /api/audit-compliance/data-access/resource/:type/:id- Resource access historyGET /api/audit-compliance/data-access/user/:userId- User access historyGET /api/audit-compliance/data-access/analytics- Access analytics dashboard
Access Types Tracked:
- Read, write, update, delete, export, download, print
- Share, decrypt, search, bulk_access, api_access
Resource Types:
- Expense, budget, user_profile, workspace, report
- Invoice, receipt, bank_connection, api_key, encryption_key
- Audit_log, personal_data, financial_data, health_data, sensitive_document
Data Classifications:
- Public, internal, confidential, restricted
- PII (Personally Identifiable Information)
- PHI (Protected Health Information)
- PCI (Payment Card Information)
Risk Assessment:
- Automated risk scoring (0-100)
- Risk level classification (low, medium, high, critical)
- Anomaly detection (high frequency, bulk access, unauthorized attempts)
- Time-based risk (off-hours access detection)
Implementation:
createComplianceAlert()- Automatic alert creation- Real-time Socket.IO notifications (
compliance:alertevent) - Severity-based alert routing (critical/high alerts immediate)
- Integration with existing
ComplianceViolationmodel
Alert Triggers:
- Suspicious data access patterns
- Unauthorized access attempts
- High-risk score thresholds
- Anomaly detection events
- Bulk data access operations
- Sensitive data access without consent
Configuration:
DATA_ACCESS_HIGH_RISK_THRESHOLD=50
DATA_ACCESS_CRITICAL_RISK_THRESHOLD=70
ANOMALY_DETECTION_ENABLED=true
COMPLIANCE_ALERT_EMAIL=compliance-alerts@expenseflow.com
COMPLIANCE_SEND_REAL_TIME_ALERTS=trueAlert Workflow:
- Risk scoring during data access logging
- Threshold comparison (high: 50+, critical: 70+)
- Automatic
ComplianceViolationcreation - Immutable audit log entry
- Real-time Socket.IO broadcast
- Email/webhook notifications (configurable)
Implementation:
POST /api/audit-compliance/audit-logs/export- Legacy audit log exportPOST /api/audit-compliance/compliance/export- Comprehensive compliance export- Format support: JSON, CSV, XML
Export Contents:
- Audit logs (immutable event trail)
- Data access logs (who accessed what)
- User consents (proof of consent records)
- Compliance violations (open and resolved)
Export Security:
- Admin-only access (compliance_officer or admin role)
- Automatic export action logging
- Workspace access validation
- Record limit protection (max 50,000 records)
- Download headers for file attachment
API Endpoint:
POST /api/audit-compliance/compliance/export
{
"format": "csv",
"workspaceId": "workspace_id",
"startDate": "2025-01-01",
"endDate": "2025-12-31",
"limit": 10000
}
Implementation:
GET /api/audit-compliance/compliance/dashboard- Basic metricsGET /api/audit-compliance/compliance/dashboard-enhanced- Enhanced metricsgetComplianceDashboard()- Aggregation service method
Dashboard Metrics:
Audit Log Statistics:
- Total log entries (time-scoped)
- Critical events count
- High-risk events count
Data Access Statistics:
- Total access operations
- Unauthorized access attempts
- Anomaly detection count
- Sensitive data access count (PII/PHI/PCI)
Consent Management:
- Total consents recorded
- Active consents count
- Withdrawn consents count
- Recent consent withdrawals (last 10)
Compliance Violations:
- Violations by status (open, investigating, resolved)
- Critical violations count
- Recent violations (last 10)
- Violations by compliance standard
Overall Compliance Score:
- Calculated score (0-100)
- Weighted penalty algorithm:
- Violation penalty (up to -40 points)
- Critical violation penalty (up to -30 points)
- High-risk activity penalty (up to -20 points)
High-Risk Activity Monitoring:
- Recent high/critical risk data access (last 10)
- User access patterns
- Resource access frequency
- Top users by access volume (top 20)
Time-Range Analysis:
- Default: Last 30 days
- Configurable start/end dates
- Trend analysis support
Location: models/ImmutableAuditLog.js
Key Fields:
sequenceNumber- Auto-incrementing, uniquepreviousHash/currentHash- Blockchain-style chainingsignature- HMAC-SHA256 digital signatureuserId,workspaceId,action,entityType,entityIdchanges- Before/after snapshotsmetadata- IP, user agent, geolocation, device infocomplianceFlags- Array of compliance standard tagsriskLevel- low, medium, high, criticalretentionPolicy- Retention dates, legal hold status
Indexes: 10 indexes for query performance
Location: models/UserConsent.js
Key Fields:
userId,workspaceId,consentType,consentGivenconsentVersion,legalBasis,consentMethodconsentTimestamp,withdrawnAt,expiresAtmetadata- Context capture (IP, user agent, geolocation)proofOfConsent- Evidence (checkbox text, button, screenshot, signature)regulations- Array (GDPR, CCPA, HIPAA, etc.)auditTrail- Consent lifecycle eventsconsentHash- SHA-256 integrity verification
Methods:
verifyIntegrity()- Hash validationisValid()- Active consent checkwithdraw()- Consent withdrawal with audit trailgetActiveConsents()- Static method for active consent lookuphasConsent()- Static method for consent verification
Indexes: 6 indexes for query performance
Location: models/DataAccessLog.js
Key Fields:
sequenceNumber,userId,workspaceIdaccessType- 12 types (read, write, export, decrypt, etc.)resourceType- 15 types (expense, personal_data, health_data, etc.)resourceId,resourceOwner,dataClassificationaccessReason- 9 reasons (routine, audit, legal, etc.)accessAuthorization- Authorization metadataaccessDetails- Fields accessed, record count, data volumemetadata- IP, user agent, geolocation, durationriskAssessment- Risk score, risk level, anomaly flagscomplianceRelevance- Regulations, data subject rightsstatus- success, failure, blocked, unauthorizedaccessHash,digitalSignature,previousHash- Integrity chain
Methods:
verifyIntegrity()- Hash and signature validationlogAccess()- Static method for access logginggetResourceAccessHistory()- Static method for resource auditgetUserAccessHistory()- Static method for user audit
Indexes: 14 indexes for query performance
Location: models/ComplianceViolation.js
Enhanced Usage:
- Automatic creation via
createComplianceAlert() - Real-time Socket.IO broadcasts
- Integration with data access anomaly detection
- Severity-based alert routing
Location: services/auditComplianceService.js
New Methods:
Consent Tracking:
recordConsent(data)- Record user consent with proofwithdrawConsent(userId, consentType, reason, metadata)- Withdraw consentgetConsentHistory(userId, workspaceId)- Consent historycheckConsent(userId, consentType, workspaceId)- Active consent checkgetConsentProof(consentId)- Retrieve proof with integrity verification
Data Access Logging:
logDataAccess(data)- Log access with risk scoringcalculateAccessRiskScore(data)- Risk score algorithmgetRiskLevel(score)- Risk level classificationdetectAccessAnomalies(data)- Anomaly detectiongetDataAccessHistory(resourceType, resourceId, options)- Resource auditgetUserDataAccessHistory(userId, options)- User auditgetDataAccessAnalytics(filters)- Access analytics aggregation
Compliance Alerts:
createComplianceAlert(data)- Create violation alertsendComplianceAlert(violation)- Dispatch notificationsgetComplianceAlerts(filters)- Retrieve alerts
Dashboard & Metrics:
getComplianceDashboard(workspaceId, dateRange)- Comprehensive metricsgenerateComplianceExport(format, filters)- Multi-format exportbuildFilterQuery(filters)- Query builderconvertComplianceToCSV(data)- CSV export formatterconvertComplianceToXML(data)- XML export formatter
Existing Methods (Retained):
logImmutableAudit()- Core audit loggingverifyAuditIntegrity()- Chain verificationreconstructTimeline()- Timeline aggregationcorrelateAnomalies()- Anomaly correlationgenerateComplianceReport()- Standard-specific reportsapplyLegalHold()/releaseLegalHold()- Legal hold managementcalculateOverallComplianceScore()- Score calculationconvertToCSV()/convertToXML()- Legacy export formatters
Base Path: /api/audit-compliance
-
POST /consent/record - Record user consent
- Auth: Required
- Validation: Consent type, version, method, legal basis
- Response: Consent record with hash
-
POST /consent/withdraw - Withdraw consent
- Auth: Required
- Validation: Consent type, reason
- Response: Withdrawn consent count
-
GET /consent/history - Get consent history
- Auth: Required
- Query: workspaceId (optional)
- Response: Consent records array
-
GET /consent/check/:consentType - Check active consent
- Auth: Required
- Query: workspaceId (optional)
- Response: Boolean consent status
-
GET /consent/proof/:consentId - Get proof of consent
- Auth: Admin only
- Response: Consent with proof and integrity verification
Base Path: /api/audit-compliance
-
POST /data-access/log - Log data access
- Auth: Required
- Validation: Access type, resource type, resource ID
- Response: Access log with risk assessment
-
GET /data-access/resource/:resourceType/:resourceId - Resource access history
- Auth: Admin only
- Query: limit (optional)
- Response: Access log array
-
GET /data-access/user/:userId - User access history
- Auth: Admin only
- Query: resourceType, startDate, endDate, limit
- Response: Access log array
-
GET /data-access/analytics - Access analytics
- Auth: Admin only
- Query: workspaceId, startDate, endDate
- Response: Aggregated analytics (by type, resource, risk, user)
Base Path: /api/audit-compliance
- GET /compliance/alerts - Get compliance alerts
- Auth: Admin only
- Query: workspaceId, severity, status, standard, limit
- Response: Violation alerts array
Base Path: /api/audit-compliance
-
GET /compliance/dashboard-enhanced - Comprehensive compliance dashboard
- Auth: Admin only
- Query: workspaceId, startDate, endDate
- Response: Full metric aggregation (audit logs, data access, consents, violations, score)
-
POST /compliance/export - Comprehensive compliance export
- Auth: Admin only
- Body: format (json/csv/xml), filters
- Response: File download (audit logs + data access + consents + violations)
GET /audit-logs- Search audit logsPOST /audit-logs/verify-integrity- Verify chain integrityGET /forensics/timeline- Timeline reconstructionGET /forensics/anomaly-correlation- Anomaly correlationGET /compliance/violations- Get violationsPUT /compliance/violations/:id- Update violationPOST /compliance/reports- Generate compliance reportPOST /legal-hold/apply- Apply legal holdPOST /legal-hold/release- Release legal holdGET /compliance/dashboard- Basic dashboardPOST /audit-logs/export- Audit log export
# ========================================
# Compliance & Audit Logging Framework (Issue #920)
# ========================================
# Digital signature keys for immutable audit logs
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
AUDIT_SIGNATURE_KEY=your_audit_signature_key_32_bytes_hex
DATA_ACCESS_SIGNATURE_KEY=your_data_access_signature_key_32_bytes_hex
# Compliance admin emails (comma-separated)
COMPLIANCE_ADMIN_EMAILS=compliance@expenseflow.com,security@expenseflow.com
# Data retention policies (in days)
AUDIT_LOG_RETENTION_DAYS=2555 # 7 years (SOX, GDPR)
DATA_ACCESS_LOG_RETENTION_DAYS=2555 # 7 years
CONSENT_RECORD_RETENTION_DAYS=3650 # 10 years (GDPR Art. 7)
# Compliance alerting
COMPLIANCE_ALERT_WEBHOOK_URL=
COMPLIANCE_ALERT_EMAIL=compliance-alerts@expenseflow.com
COMPLIANCE_SEND_REAL_TIME_ALERTS=true
# Risk thresholds for automated alerts
DATA_ACCESS_HIGH_RISK_THRESHOLD=50
DATA_ACCESS_CRITICAL_RISK_THRESHOLD=70
ANOMALY_DETECTION_ENABLED=true
# Export limits
MAX_COMPLIANCE_EXPORT_RECORDS=50000
COMPLIANCE_EXPORT_ALLOWED_FORMATS=json,csv,xml
# Consent management
CONSENT_DEFAULT_EXPIRY_DAYS=365
CONSENT_RENEWAL_REMINDER_DAYS=30- Route Registration: Already wired in
server.jsline 432 - Authentication: Uses existing
authmiddleware - Role-Based Access: Leverages
adminAuthmiddleware (admin or compliance_officer role) - Workspace Access: Uses
ensureWorkspaceAccesshelper - Socket.IO: Integrates with
global.iofor real-time alerts - Database: MongoDB with Mongoose ODM
// Compliance alert broadcast
global.io.emit('compliance:alert', {
violationId: violation._id,
severity: violation.severity,
standard: violation.standard,
description: violation.description,
timestamp: new Date()
});// Configure webhook URL in .env
COMPLIANCE_ALERT_WEBHOOK_URL=https://your-webhook-service.com/alerts- ✅ Article 6(1) - Legal basis for processing (consent tracking)
- ✅ Article 7 - Conditions for consent (proof of consent)
- ✅ Article 15 - Right of access (data access logging)
- ✅ Article 17 - Right to erasure (consent withdrawal)
- ✅ Article 30 - Records of processing activities (audit logs)
- ✅ Article 32 - Security of processing (immutable logs, digital signatures)
- ✅ CC6.1 - Logical and physical access controls (data access logging)
- ✅ CC6.2 - System operations (audit trail)
- ✅ CC6.3 - Change management (immutable logs)
- ✅ CC7.2 - System monitoring (compliance dashboard)
- ✅ CC7.3 - Incident response (automated alerts)
- ✅ §164.308(a)(1)(ii)(D) - Information system activity review (audit logs)
- ✅ §164.312(b) - Audit controls (immutable audit trail)
- ✅ §164.312(c)(2) - Mechanism to authenticate (digital signatures)
- ✅ §164.308(a)(3)(ii)(A) - Authorization/Supervision (access logging)
- ✅ Section 404 - Internal controls (audit trail)
- ✅ 7-year retention requirement (configurable retention)
- ✅ Audit trail integrity (hash chains, digital signatures)
- ✅ Requirement 10 - Track and monitor all access to network resources and cardholder data
- ✅ Requirement 10.2 - Implement automated audit trails
- ✅ Requirement 10.3 - Record audit trail entries
- ✅ Requirement 10.5 - Secure audit trails
- Hash Chaining: Each log links to previous via SHA-256 hash
- Digital Signatures: HMAC-SHA256 signatures prevent tampering
- Sequential Numbering: Auto-incrementing prevents deletion
- Integrity Verification:
verifyAuditIntegrity()validates entire chain
- Admin-Only Endpoints: Compliance dashboard, exports, user access history
- User-Scoped Endpoints: Consent management, personal data access
- Workspace Isolation: Workspace access validation on all queries
- Role-Based Access: Admin or compliance_officer role required
- Encryption: Digital signatures use HMAC-SHA256
- Key Management: Signature keys stored in environment variables
- Geolocation Privacy: Optional field, not required
- Data Minimization: Only essential metadata captured
-
Hash Chain Integrity:
- Create 100 sequential logs
- Verify each hash links to previous
- Attempt modification of middle record
- Verify integrity check detects tampering
-
Consent Lifecycle:
- Record consent → verify hash generated
- Withdraw consent → verify audit trail updated
- Check active consent → verify expiration logic
- Retrieve proof → verify integrity verification
-
Risk Scoring:
- Test classification-based scoring (PII vs public)
- Test access type scoring (delete vs read)
- Test time-based risk (off-hours access)
- Verify threshold alerts trigger correctly
-
API Endpoint Coverage:
- Test all 12 new endpoints
- Verify authentication enforcement
- Verify admin-only access restrictions
- Test workspace isolation
-
Export Functionality:
- Export 10,000 records in JSON
- Export 10,000 records in CSV
- Export 10,000 records in XML
- Verify format correctness
-
Real-Time Alerts:
- Create high-risk data access
- Verify Socket.IO event broadcast
- Create critical violation
- Verify alert routing
-
High-Volume Logging:
- 1,000 audit log writes/second
- 500 data access log writes/second
- Verify sequential integrity maintained
- Monitor database performance
-
Dashboard Performance:
- Query aggregations with 1M+ records
- Test pagination and limits
- Verify response time < 2 seconds
- Generate secure
AUDIT_SIGNATURE_KEY(32 bytes hex) - Generate secure
DATA_ACCESS_SIGNATURE_KEY(32 bytes hex) - Configure
COMPLIANCE_ADMIN_EMAILS - Set retention policies (default: 7 years)
- Configure alert thresholds (high: 50, critical: 70)
- Set up compliance alert webhook (optional)
- Review data classification defaults
- Verify MongoDB indexes created (28 total indexes)
- Test query performance on large datasets
- Configure backup retention for compliance data
- Set up automated retention cleanup jobs
- Enable Socket.IO event monitoring
- Configure compliance alert notifications
- Set up dashboard for real-time metrics
- Monitor hash chain integrity daily
- Test export functionality (JSON, CSV, XML)
- Verify proof-of-consent retrieval
- Test integrity verification API
- Generate sample compliance reports
POST /api/audit-compliance/consent/record
Authorization: Bearer <jwt_token>
Content-Type: application/json
{
"consentType": "data_processing",
"consentGiven": true,
"consentVersion": "1.0.0",
"consentMethod": "explicit",
"legalBasis": "consent",
"regulations": ["GDPR", "CCPA"],
"proofOfConsent": {
"checkboxText": "I consent to data processing",
"buttonClicked": "Accept",
"formData": {}
}
}POST /api/audit-compliance/data-access/log
Authorization: Bearer <jwt_token>
Content-Type: application/json
{
"accessType": "read",
"resourceType": "personal_data",
"resourceId": "user_12345",
"dataClassification": "pii",
"accessReason": "user_request",
"accessAuthorization": {
"authorized": true,
"method": "consent_based",
"consentId": "consent_abc123"
},
"accessDetails": {
"fieldsAccessed": ["email", "name", "address"],
"recordCount": 1
}
}GET /api/audit-compliance/compliance/dashboard-enhanced?workspaceId=workspace_123&startDate=2025-01-01&endDate=2025-12-31
Authorization: Bearer <jwt_token>Response:
{
"success": true,
"data": {
"period": { "start": "2025-01-01", "end": "2025-12-31" },
"complianceScore": 87,
"auditLogs": { "total": 15420, "critical": 23, "highRisk": 145 },
"dataAccess": { "total": 8934, "unauthorized": 5, "anomalies": 12, "sensitiveAccess": 2341 },
"consents": { "total": 543, "active": 521, "withdrawn": 22 },
"violations": { "open": 3, "open_critical": 1, "investigating": 2, "resolved": 18 },
"recentViolations": [...],
"highRiskAccess": [...],
"consentWithdrawals": [...],
"generatedAt": "2025-03-02T12:00:00Z"
}
}POST /api/audit-compliance/compliance/export
Authorization: Bearer <jwt_token>
Content-Type: application/json
{
"format": "csv",
"workspaceId": "workspace_123",
"startDate": "2025-01-01",
"endDate": "2025-12-31",
"limit": 10000
}Response: CSV file download with audit logs, data access logs, consents, and violations.
- Daily: Monitor compliance dashboard for critical violations
- Weekly: Review high-risk data access logs
- Monthly: Generate compliance reports for auditors
- Quarterly: Verify hash chain integrity
- Annually: Review and update retention policies
-
Hash Chain Break Detected:
- Run
POST /api/audit-compliance/audit-logs/verify-integrity - Identify sequence number with break
- Check for database corruption
- Restore from backup if necessary
- Run
-
High Risk Score False Positives:
- Review risk scoring algorithm thresholds
- Adjust environment variables
- Whitelist legitimate bulk access patterns
-
Export Timeout:
- Reduce
limitparameter - Use date range filters
- Consider background job for large exports
- Reduce
- 28 total indexes across 3 models
- Covering indexes for common queries
- Compound indexes for filter combinations
- Sparse indexes for optional fields
- Pagination enforced (max 1,000 per page)
- Date range filters recommended
- Workspace scoping reduces dataset
- Aggregation pipelines optimized
- Horizontal scaling via MongoDB sharding
- Read replicas for dashboard queries
- Background jobs for retention cleanup
- Caching layer for dashboard metrics
- Machine learning for anomaly detection
- Blockchain integration for external audit verification
- SIEM integration (Splunk, ELK, Azure Sentinel)
- Automated compliance report scheduling
- User-facing privacy dashboard
- Consent renewal reminders
- Data subject access request (DSAR) automation
- Cross-system audit trail correlation
- Issue #920
Complete implementation of 10/10 features:
✅ Detailed audit logging
✅ Immutable event storage with digital signatures
✅ Data retention policies
✅ Audit trail search and filtering
✅ Compliance report generation
✅ User consent tracking and proof of consent
✅ Data access logging
✅ Automated compliance violation alerts
✅ Export capabilities for auditors
✅ Analytics dashboard for compliance metrics
Ready for production deployment with GDPR, SOC2, HIPAA, SOX, and PCI DSS compliance capabilities. 🎯