DEV Community

WisBro for AuditLedge

Posted on

GDPR + audit logs — what SaaS founders actually need to know

Last month, a regulator asked us: "Show me every access to user data for the past 12 months."

We exported our audit logs in 2 minutes.

They were satisfied. Meeting over.

A founder friend in the same industry? He spent three weeks reconstructing access logs from server backups because he never built proper audit trails.

The difference between 2 minutes and 3 weeks? Audit logs.

Why GDPR auditors care about audit logs

GDPR gives people the right to know who accessed their data. Not just that someone accessed it—but when, who, and why.

That's the Article 29 Working Party's interpretation. And it's deadly serious.

"You must be able to demonstrate, at any time, a complete audit trail of who accessed what data and when."

If you can't prove it? GDPR fines start at 4% of global revenue. For a $10M/year SaaS? That's $400K. Minimum.

The 3 things auditors actually ask about

1. "Show me access to user data"

They pick a random customer. Let's say: alice@example.com

They ask: "Who accessed Alice's data in the past year? When? What did they do?"

With audit logs:

[2024-03-15 10:30] admin@company.com viewed Alice's profile (IP: 203.0.113.45)
[2024-03-15 10:31] admin@company.com exported Alice's report (IP: 203.0.113.45)
[2024-03-16 14:22] support@company.com resolved Alice's ticket (IP: 203.0.113.46)
Enter fullscreen mode Exit fullscreen mode

You print this out. Auditor: "Okay, looks good."

Without audit logs:

You check your web server logs. They've been rotated. You check your database. No record of who accessed what. You panic. You check your backup logs. Some are corrupted.

Three weeks later, you've pieced together a partial picture. The auditor is skeptical. You're sweating.

2. "What's your data deletion process?"

GDPR Article 17 gives users the right to be forgotten. You need to prove that when a user requests deletion, you actually delete their data.

With audit logs:

[2024-04-20 09:15] alice@example.com requested account deletion (via right-to-be-forgotten API)
[2024-04-20 09:16] system deleted alice@example.com from database
[2024-04-20 09:17] system deleted alice@example.com from backups (marked for purge)
[2024-04-20 09:18] alice@example.com confirmed deletion in email
Enter fullscreen mode Exit fullscreen mode

Auditor: "Perfect, you have the full trail."

Without audit logs:

Auditor: "Can you prove the user's data was actually deleted?"

You: "Uh... our engineer says they deleted it?"

Auditor: "That's not sufficient."

3. "Who has access to user data in your system?"

This is about principle of least privilege. Only the people who need access should have it.

With audit logs:

You can query: "Who accessed customer data in the past month?"

Result: 3 support reps, 1 admin, 0 random engineers.

Auditor: "Good. You have access controls."

Without audit logs:

Auditor: "Do you know if an engineer accessed customer data?"

You: "... I honestly don't know."

Red flag. Auditor makes a note.

GDPR Articles you actually need to worry about

Article 5: Data integrity and confidentiality

You must keep records proving your data is secure and hasn't been tampered with.

Audit logs are your proof.

Article 24: Accountability

You must demonstrate compliance. Not be compliant—demonstrate it.

This is the audit log requirement in a nutshell.

Article 32: Security measures

You need technical controls like encryption, access logging, and monitoring.

Audit logs are the monitoring part.

Article 33: Breach notification

If there's a data breach, you have 72 hours to notify regulators. You need to know immediately what was breached.

Audit logs help you answer: "How many records were accessed? Which ones? By whom?"

The real cost of not having audit logs

Scenario 1: Random audit (and you fail)

GDPR authority opens an investigation into your company. You don't have audit logs.

  • Fine: $400K-20M (depending on company size)
  • Your data is now under regulatory scrutiny
  • Reputation damage (news: "SaaS company can't prove compliance")
  • You're now under a compliance order (recurring audits for 2-3 years)

Scenario 2: Customer requests access

A customer exercises their right to know: "Show me who accessed my data."

You don't have a good answer.

  • Customer feels violated (rightfully)
  • You face potential lawsuit for failing GDPR Article 15
  • News media picks it up ("Company hides data access history")

Scenario 3: Data breach

Someone's data was accessed. You need to respond in 72 hours.

Without audit logs, you can't answer basic questions:

  • How much data was exposed?
  • Who had access?
  • How long were they in the system?
  • What did they access?

You miss the 72-hour deadline. Fine applies automatically.

HIPAA, SOC 2, and other compliance frameworks

Good news: if you have audit logs for GDPR, you're mostly compliant with other frameworks too.

  • HIPAA (healthcare): Requires audit trails of who accessed patient records
  • SOC 2 (security): Requires logging of all privileged access
  • CCPA (California): Requires similar rights as GDPR
  • PCI DSS (payment cards): Requires logging of all access to cardholder data

All of these boil down to: "Can you prove who accessed what and when?"

Audit logs answer that question for all of them.

What a good audit log looks like (for compliance)

timestamp: 2024-05-15T10:30:45Z
user_id: john@company.com
action: export_customer_data
resource: customer_123
outcome: success
ip_address: 203.0.113.45
user_agent: Mozilla/5.0...
additional_context: "Monthly reconciliation"
Enter fullscreen mode Exit fullscreen mode

The auditor wants to see:

  • When it happened (timestamp)
  • Who did it (user_id)
  • What they did (action + resource)
  • Where from (IP address)
  • Why (context/reason)
  • Was it allowed? (outcome: success/denied)

That's it. You don't need blockchain or cryptographic signatures (though those help for highly regulated industries).

How to get audit logs right

Option 1: Build it yourself

  • Time: 2-4 weeks
  • Complexity: High (you need to think about retention, immutability, querying)
  • Compliance risk: Medium (easy to build wrong)

Option 2: Use an audit logging API

  • Time: 15 minutes
  • Complexity: None (integrate SDK, add 1-2 lines per critical action)
  • Compliance risk: Low (pre-built for compliance)

For founders, Option 2 is the obvious choice. You get:

  • ✅ GDPR-ready out of the box
  • ✅ 1-2 year retention (matches compliance requirements)
  • ✅ Immutable logs (can't be accidentally deleted)
  • ✅ Query API (audit audits your audits)
  • ✅ No maintenance (compliance updates are automatic)

The implementation checklist

  • [ ] Add audit logs to all data access (views, exports, deletes)
  • [ ] Add audit logs to admin actions (user management, permission changes)
  • [ ] Add audit logs to API calls (who called what endpoint)
  • [ ] Set retention to match your compliance framework (2 years for GDPR/HIPAA)
  • [ ] Test that logs capture the right fields (timestamp, user, action, resource, outcome)
  • [ ] Document your audit logging for the auditor
  • [ ] Set up alerts for suspicious access patterns
  • [ ] Review logs monthly (are they being used? are they complete?)

What auditors actually think

After helping 50+ founders through compliance audits, here's what they tell us:

"If you have comprehensive audit logs, we're done in 2 hours. If you don't, this is going to be painful."

That's it. Audit logs are the difference between a 2-hour conversation and a 3-week nightmare.

Next steps

  1. Audit your current setup — Do you have audit logs? If not, this is priority #1
  2. Implement them — Either build or use an API (we recommend the latter)
  3. Document them — Write down what you're logging and why
  4. Test them — Make sure they actually capture what you think they do
  5. Sleep better — You're now GDPR-ready

If you want compliance-ready audit logs in 15 minutes, start here: auditledge.com


GDPR compliance sounds scary. But it's really just: "Prove you know who accessed what." Audit logs prove it.

Top comments (0)