# Audit Trail

Every decision, status change, override, escalation, and automated action in the Zenoo platform is recorded in an immutable audit trail. The audit trail is designed for regulatory compliance with FinCEN (5-year retention), OFAC (10-year), FCA, FATF, and EU AMLD5 requirements.
## Immutability

Audit log entries cannot be edited or deleted after creation. This is enforced at the platform level by a validation rule that rejects every update operation on an existing record; only inserts are permitted. The API exposes no update or delete operation for audit entries, and any attempt to modify or remove one returns a 403 Forbidden error.
## Event types

The audit trail captures 32 event types across seven categories:
### Case events

| Event Type | Severity | Description |
|---|---|---|
| CASE_CREATED | INFO | New case created |
| CASE_STATUS_CHANGE | INFO | Case status transition |
| CASE_ASSIGNMENT | INFO | Case assigned to a user |
| CASE_ESCALATION | WARNING | Case escalated to a manager |
| CASE_CLOSURE | INFO | Case closed with resolution notes |
### Alert events

| Event Type | Severity | Description |
|---|---|---|
| ALERT_CREATED | INFO | New alert generated |
| ALERT_ACKNOWLEDGED | INFO | Alert claimed by analyst |
| ALERT_RESOLVED | INFO | Alert resolved with action and notes |
| ALERT_FALSE_POSITIVE | INFO | Alert marked as false positive |
| ALERT_ESCALATED | WARNING | Alert escalated to manager |
| ALERT_ASSIGNMENT | INFO | Alert assigned to a user |
| ALERT_AUTO_DISPOSITION | INFO | Alert auto-disposed by AI pipeline |
### Risk events

| Event Type | Severity | Description |
|---|---|---|
| RISK_ASSESSMENT_CREATED | INFO | New risk assessment initiated |
| RISK_SCORE_CALCULATED | INFO | Risk dimensions scored |
| RISK_TIER_OVERRIDE | WARNING | Analyst overrode calculated risk tier |
| RISK_ASSESSMENT_APPROVED | INFO | Risk assessment approved by reviewer |
### Check events

| Event Type | Severity | Description |
|---|---|---|
| CHECK_STATUS_CHANGE | INFO | Check status transition |
| CHECK_WAIVED | WARNING | Check waived by analyst with reason |
| CHECK_REJECTED | WARNING | Check result rejected |
| CHECK_COMPLETED | INFO | Check execution completed |
### Document events

| Event Type | Severity | Description |
|---|---|---|
| DOCUMENT_UPLOADED | INFO | Document uploaded by client or analyst |
| DOCUMENT_REVIEWED | INFO | Document reviewed (accepted or declined) |
### Reviewer events

| Event Type | Severity | Description |
|---|---|---|
| REVIEWER_ADDED | INFO | Reviewer assigned to alert or case |
| REVIEWER_REMOVED | INFO | Reviewer removed from alert or case |
| REVIEWER_RESPONSE | INFO | Reviewer approved or declined |
### Other events

| Event Type | Severity | Description |
|---|---|---|
| ENTITY_ADDED | INFO | Entity added to a case |
| ENTITY_REMOVED | INFO | Entity removed from a case |
| COMMENT_ADDED | INFO | Comment added to alert or case |
| AUTO_ESCALATION | WARNING | System auto-escalated due to SLA breach |
| SLA_BREACH | ERROR | SLA deadline passed without resolution |
| BULK_OPERATION | INFO | Bulk action performed on multiple records |
| AI_ANALYSIS | INFO | AI research or analysis completed |
## Querying the audit trail

### Get audit logs for a case

```bash
curl -X GET "https://api.zenoo.com/v1/cases/cas_xyz789/audit-logs?limit=50" \
  -H "Authorization: Bearer your-api-key"
```

### Filter by event type

```bash
curl -X GET "https://api.zenoo.com/v1/audit-logs?event_type=CASE_ESCALATION&limit=25" \
  -H "Authorization: Bearer your-api-key"
```

### Filter by date range

```bash
curl -X GET "https://api.zenoo.com/v1/audit-logs?from=2026-01-01T00:00:00Z&to=2026-02-01T00:00:00Z" \
  -H "Authorization: Bearer your-api-key"
```

Example response:

```json
{
  "data": [
    {
      "id": "log_001",
      "event_type": "ALERT_RESOLVED",
      "severity": "INFO",
      "description": "Alert resolved: Approve",
      "old_value": "Open",
      "new_value": "Resolved",
      "reason": "False positive confirmed by AI research.",
      "case_token": "cas_xyz789",
      "alert_token": "alt_001",
      "actor": {
        "id": "user_analyst01",
        "name": "Sarah Johnson",
        "email": "sarah@example.com"
      },
      "created_at": "2026-02-16T11:30:00Z"
    }
  ],
  "meta": {
    "total": 18,
    "page": { "cursor": "eyJ...", "has_more": true }
  }
}
```
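As an added example (not part of the Zenoo documentation), the following Python client walks a case's audit trail by following `meta.page.cursor` across pages and keeps only the WARNING/ERROR entries a reviewer must examine (tier overrides, waivers, escalations, SLA breaches). It assumes the next page is requested with a `cursor` query parameter, which this page does not document, and the two-page response it runs against is constructed.

```python
"""Walk a case's audit trail page by page and pull out the WARNING/ERROR entries."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

API_BASE = "https://api.zenoo.com/v1"
REVIEW_SEVERITIES = {"WARNING", "ERROR"}  # per the event-type tables above
PageFetcher = Callable[[str, dict], dict]  # (url, query params) -> decoded JSON body

def make_http_fetcher(api_key: str) -> PageFetcher:
    """Real fetcher: GET with the bearer token the curl examples use."""
    def fetch(url: str, params: dict) -> dict:
        req = urllib.request.Request(f"{url}?{urllib.parse.urlencode(params)}",
                                     headers={"Authorization": f"Bearer {api_key}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_audit_logs(case_token: str, fetch: PageFetcher, limit: int = 50) -> Iterator[dict]:
    """Yield every entry for a case, following meta.page.cursor. Assumption: the next page
    is requested by sending that cursor back as a `cursor` query parameter (undocumented)."""
    params, seen = {"limit": limit}, set()
    while True:
        body = fetch(f"{API_BASE}/cases/{case_token}/audit-logs", params)
        yield from body["data"]
        page = body["meta"]["page"]
        if not page.get("has_more"):
            return
        if page["cursor"] in seen:  # refuse to spin forever if the server repeats a page
            raise RuntimeError("pagination cursor repeated")
        seen.add(page["cursor"])
        params = {"limit": limit, "cursor": page["cursor"]}

def events_needing_review(case_token: str, fetch: PageFetcher) -> list[dict]:
    """Return only WARNING/ERROR entries, in the order the trail records them."""
    return [e for e in iter_audit_logs(case_token, fetch) if e["severity"] in REVIEW_SEVERITIES]

# Constructed two-page response so this runs offline; not real API data.
FAKE_PAGES = {
    None: {"data": [{"id": "log_001", "event_type": "ALERT_RESOLVED", "severity": "INFO"},
                    {"id": "log_002", "event_type": "RISK_TIER_OVERRIDE", "severity": "WARNING"}],
           "meta": {"total": 4, "page": {"cursor": "c1", "has_more": True}}},
    "c1": {"data": [{"id": "log_003", "event_type": "CASE_CLOSURE", "severity": "INFO"},
                    {"id": "log_004", "event_type": "SLA_BREACH", "severity": "ERROR"}],
           "meta": {"total": 4, "page": {"cursor": None, "has_more": False}}},
}

def fake_fetch(url: str, params: dict) -> dict:
    return FAKE_PAGES[params.get("cursor")]
```

Swap `fake_fetch` for `make_http_fetcher("your-api-key")` to run against the live API.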
## Compliance export

Export the full audit trail for a case as CSV for regulatory filing:

```bash
curl -X GET "https://api.zenoo.com/v1/cases/cas_xyz789/audit-logs/export?format=csv" \
  -H "Authorization: Bearer your-api-key" \
  -o "audit-trail-cas_xyz789.csv"
```

The CSV includes all fields: timestamp, event type, severity, description, old/new values, actor name, and actor email. Actor names are denormalized at write time so they survive user deactivation.
## Design principles

| Principle | Implementation |
|---|---|
| Immutability | Validation rule rejects all edits on existing records |
| Completeness | Every service method logs to the audit trail |
| Non-blocking | Audit failures never break parent transactions |
| Denormalization | Actor names stored at write time for historical accuracy |
| Retention | Configurable retention period (default 10 years) |
| Four-eyes | Approval actions record both maker and checker |