The audit log that cannot be quietly edited
Who read this record, who changed it, and when. A system that holds sensitive data has to answer that honestly, which means the people with the most access need the least ability to rewrite the answer.
Security Practice
Every system that holds sensitive records eventually faces a simple question with serious consequences: who looked at this, who changed it, and when. Answering it credibly is harder than it sounds, because the people best placed to alter the record are usually the people with the most access. An audit trail is only worth anything if it survives them.
Append-only, by construction
Every read of personal data, every write, and every administrative action is recorded to a log that can be added to and never edited or deleted in place. This is the write-once, read-many property: the application that produces the events has no path to revise them afterward, and neither does an operator with elevated rights. Correcting the world means writing a new event, not reaching back to change an old one.
Tamper-evident, not just access-controlled
Permissions keep honest people honest. They do not, on their own, prove that nothing was altered. So the log is built to make tampering detectable rather than merely forbidden: entries are chained so that changing one breaks the rest, and the store that holds them is kept apart from the systems and the staff that operate the application day to day.
- Entries are hash-chained, so a silent edit to one record invalidates every record after it. Chaining alone does not catch an operator who edits a record and recomputes every later hash, or who simply drops the tail, so the current chain head is periodically signed or published somewhere the operators cannot reach, and verification checks the chain against that anchor as well as against itself.
- The audit store sits behind its own credentials, so a compromise of the application is not a compromise of its history.
- Retention and legal hold are enforced by the store, not left to an operator to remember to honor.
- Access to the audit trail is itself audited, with no special exemption for administrators.
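The chaining, verification and anchoring described above, as an added example in Python (not the page's own code, and not any particular product's implementation). The `AuditLog`, `verify_chain` and `rechain` names and the sample events are assumptions made for this illustration. It shows what the chain catches on its own (an in-place edit, a deleted entry) and what it only catches with an externally held anchor (a truncated tail, or an operator who edits one entry and re-chains everything after it):

```python
import copy
import hashlib
import json
from typing import List, Optional

# Hypothetical minimal hash-chained audit log, added for illustration.
# Every entry commits to the previous entry's hash, so an in-place edit
# breaks every link after it.

GENESIS = "0" * 64  # the value the first entry links back to


def canonical(event: dict) -> bytes:
    # Deterministic serialization: same event, same bytes, same hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n")
    h.update(canonical(event))
    return h.hexdigest()


class AuditLog:
    """Append-only by construction: there is no edit or delete method."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.head()
        h = entry_hash(prev, event)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "event": event, "hash": h})
        return h

    def head(self) -> str:
        # The value to anchor outside the store: sign it, publish it, or
        # hand it to a party the operators do not control.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict], anchor: Optional[str] = None) -> Optional[str]:
    """Return None if intact, otherwise a description of the first problem found."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return f"gap or reorder at entry {i}"
        if e["prev"] != prev:
            return f"broken link at entry {i}"
        if entry_hash(prev, e["event"]) != e["hash"]:
            return f"hash mismatch at entry {i}"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return "head does not match external anchor (truncated or re-chained)"
    return None


def rechain(entries: List[dict], index: int, new_event: dict) -> List[dict]:
    """What an operator with write access to the store can do: edit one event
    and recompute every later hash. The result verifies internally; only the
    external anchor exposes it."""
    forged = copy.deepcopy(entries)
    forged[index]["event"] = new_event
    prev = forged[index]["prev"]
    for e in forged[index:]:
        e["prev"] = prev
        e["hash"] = entry_hash(prev, e["event"])
        prev = e["hash"]
    return forged


def sample_events() -> List[dict]:
    # Constructed sample events, not real data.
    return [
        {"ts": "2024-03-01T09:00:00Z", "actor": "app", "action": "read", "record": "patient/42"},
        {"ts": "2024-03-01T09:05:00Z", "actor": "alice", "action": "update", "record": "patient/42"},
        {"ts": "2024-03-01T09:06:00Z", "actor": "admin", "action": "grant_role", "record": "user/bob"},
        {"ts": "2024-03-01T09:07:00Z", "actor": "bob", "action": "export", "record": "patient/42"},
    ]


def demo() -> dict:
    log = AuditLog()
    for ev in sample_events():
        log.append(ev)
    anchor = log.head()  # imagine this signed and stored off-box

    edited = copy.deepcopy(log.entries)
    edited[2]["event"]["action"] = "read"   # silent in-place edit
    deleted = copy.deepcopy(log.entries)
    del deleted[2]                           # remove an inconvenient entry
    truncated = log.entries[:-1]             # drop the tail
    forged = rechain(log.entries, 2, {**log.entries[2]["event"], "action": "read"})

    return {
        "intact": verify_chain(log.entries, anchor),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
        "rechained_no_anchor": verify_chain(forged),
        "rechained_with_anchor": verify_chain(forged, anchor),
    }


if __name__ == "__main__":
    for name, problem in demo().items():
        print(f"{name}: {problem or 'ok'}")
```

The two `None` results for the truncated and re-chained copies are the point: a chain that is only checked against itself will happily bless a store that an operator has rewritten from some entry onward. The anchor is what turns "forbidden" into "detectable", and it has to live behind credentials the application and its operators do not hold.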
An audit log that an administrator can edit is not an audit log. It is a draft.
Built for the day someone asks
The value of this discipline shows up under pressure: a regulator's inquiry, an internal investigation, a subject access request, a dispute about what happened. A tamper-evident, append-only trail lets the institution answer with evidence rather than assurances. The point of the log is not to slow anyone down on an ordinary day. It is to be unarguable on the day that matters.