Audit Log
How the Recomly audit log works — what is recorded, who can see it, how long events are retained, and how to search your organization's activity history.
The audit log gives org admins a complete, tamper-proof record of security-relevant activity inside their Recomly organization. It is designed to help you answer questions like:
- Who invited this user, and when?
- Which admin changed our SSO configuration yesterday?
- When was our API key created, and by whom?
Accessing the audit log
The audit log is available under Security → Audit Log in the left navigation of the app. Only org admins can view it — team members without the admin role will see an access-restricted message.
What is recorded
Every security-relevant action taken by any member of your organization is recorded automatically. You do not need to configure anything — logging is always on.
The following event types are captured:
| Category | Events |
|---|---|
| Authentication | Login |
| Users | User invited, user updated (role changes), user removed |
| SSO | SSO provider created, updated, deleted |
| API Keys | API key created, API key revoked |
| Billing | Subscription started, plan changed, subscription cancelled / resumed, payment failed, payment method updated |
| Account | Business name or account settings updated |
| Referrals | Campaign created, updated, deleted (when available) |
System-initiated events (such as billing events processed by our payment processor) are shown with a System badge rather than an individual user's email.
How to search
The audit log requires you to set a date range before results are returned. No full-scan queries are performed.
Filters available:
- From / To — the date range to search (both inclusive). Defaults to the last 7 days.
- Actor email — optionally narrow results to events performed by a specific user.
Click Search to load matching events. Use the Load more button at the bottom to fetch the next page of results if there are more than 100 events in the selected range.
The Export CSV button exports only the events currently loaded on screen. If you need all events for a date range that spans multiple pages, click Load more until no further pages remain before exporting.
Event details
Each event row shows:
| Column | Description |
|---|---|
| Timestamp | The date and time the event occurred (your local timezone) |
| Actor | The email address of the user who performed the action, plus a type badge |
| Action | A human-readable description of what happened |
| Resource | The specific item affected, shown as a color-coded type badge and an identifier. For example, an "Invited user" event shows a green User badge next to the invited email address; a "Plan changed" event shows a gray Account badge. Possible types: User, Account, SSO, API Key. |
Actor type badges
| Badge | Meaning |
|---|---|
| User | A human team member who signed in with email/password or SSO |
| API Key | An automated integration using a Recomly API key |
| System | An automated background process with no human initiator (e.g. a billing renewal or trial expiry) |
| Admin | A Recomly platform administrator performing a support action |
Event retention
Audit log access and retention window vary by plan:
| Plan | Audit log | Retention |
|---|---|---|
| Trial | ✓ | 14 days |
| Starter | — | Not included |
| Growth | ✓ | 90 days |
| Pro | ✓ | 365 days |
| Enterprise | ✓ | Custom — contact us |
The retention window applies per organization and is enforced at write time via a DynamoDB TTL attribute. Recomly does not provide a way to manually delete audit events before the TTL expires; this is intentional to ensure the log is non-repudiable.
Platform admins can override the retention period for any organization through the admin panel.
Immutability
Audit events are append-only. Once an event is written it cannot be modified or deleted through the API or the dashboard. The underlying DynamoDB table does not grant UpdateItem or DeleteItem to any service — only PutItem and Query. This design ensures the log is suitable for compliance purposes.
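The append-only grant described above can be checked mechanically against an IAM policy document. The following is an added example, not Recomly's own code: the table ARN, statement IDs and sample policies are constructed for illustration, and the list of mutating actions is not exhaustive.

```python
import fnmatch

# Real DynamoDB IAM actions that can alter or remove existing items (not exhaustive).
MUTATING = ("dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem",
            "dynamodb:PartiQLUpdate", "dynamodb:PartiQLDelete", "dynamodb:DeleteTable")

def _listify(value):
    """IAM accepts a single string/object or a list in these fields."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(patterns, name, fold_case=False):
    """True if any IAM-style wildcard pattern (* and ?) matches name."""
    if fold_case:  # action names are case-insensitive, ARNs are not
        patterns, name = [p.lower() for p in patterns], name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def mutating_grants(policy, table_arn):
    """Return sorted (Sid, action) pairs where an Allow statement grants a mutating
    action on table_arn. Deny statements are ignored, so this errs toward reporting."""
    findings = set()
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(_listify(stmt.get("Resource")), table_arn):
            continue
        actions = _listify(stmt.get("Action"))
        not_actions = _listify(stmt.get("NotAction"))
        for action in MUTATING:
            # Action lists what is allowed; NotAction allows everything else.
            granted = (_matches(actions, action, True) if actions
                       else bool(not_actions) and not _matches(not_actions, action, True))
            if granted:
                findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)

# Constructed sample input: hypothetical table ARN and policies.
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/audit-events"
APPEND_ONLY = {"Version": "2012-10-17", "Statement": {
    "Sid": "Writer", "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:Query"], "Resource": TABLE}}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Writer", "Effect": "Allow", "Action": "dynamodb:*Item",
     "Resource": "arn:aws:dynamodb:*:*:table/audit-*"},
    {"Sid": "OtherTable", "Effect": "Allow", "Action": "dynamodb:DeleteItem",
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/sessions"}]}

if __name__ == "__main__":
    print(mutating_grants(APPEND_ONLY, TABLE))  # no findings
    print(mutating_grants(TOO_BROAD, TABLE))    # wildcard pulls in mutating actions
```

A check like this covers only the IAM grant. PutItem itself replaces an existing item that has the same primary key unless the write carries a condition such as attribute_not_exists, so an append-only design also depends on how keys and write conditions are chosen.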
Notes for enterprise and compliance use
- Events triggered via API key are labeled with the key owner's email and an API Key badge so automated actions are distinguishable from human actions.
- For SOC 2, HIPAA, or similar compliance requirements, contact support@recomly.com to discuss extended retention, log export, or SIEM integration options.

