Logs, Audit Logs, and Backups

Scope

This page covers platform logs, audit logs, and backup schedules. For retention of evaluation data and exports, see Evaluation Data Retention.

Authentication Logs

• Auth0 sign-on and failure logs: Retained for 6 days

• Extended analytics: Authentication events are forwarded to Segment.io with 180-day retention

• Monitoring: Threshold-based monitoring runs via scheduled cron jobs

• Analysis: Currently, no active real-time analysis is performed on authentication logs

Audit Logging

Every API request generates an audit log entry containing:

• JTI (JWT Token ID)

• User ID

• Token thumbprint

• Token expiration time

• Request timestamp

• Resolver-level access logs for data access operations

This zero-trust transaction recording ensures complete traceability of all platform actions.

Data Backup Schedule

PostgreSQL Database:

• Hourly backups with minimum 3-day retention

• Encrypted and compressed backups stored behind firewall

• Nightly off-site backups for disaster recovery

• State tracking with built-in attribution and archiving

Redis Database:

• Replicated database with persistent storage

• Designed for continuous availability

• Persistent storage on backed-up volumes

• Stores current state (not historical data)

Object Storage:

• Used for evaluation configurations, generated exports, cached calculations, and static assets

• Buckets are private and not publicly accessible

• Access is key-based and scoped per service (least privilege)

• Encryption keys are held by application services, not stored in object storage

• Sensitive buckets use additional encryption controls

• Most objects are regenerable from the database (backups focus on databases)

Block Storage:

• Linode-managed with replication

• Periodic snapshots for application data

• Database data handled through PostgreSQL/Redis mechanisms above