# Audit log access Every meaningful action is recorded in the audit log. The audit log is append-only — entries are never edited or deleted. This protects both you and us. ## What's in the audit log Each entry has: * A UTC timestamp. * The **actor** (`system`, `ai_agent`, `creditor`, `debtor`). * An **event type** (e.g. `dispute_filed`, `payment_intent_created`, `notification.settings_updated`, `creditor.api_key_issued`). * The **target** the event was about — usually a placement, sometimes a creditor. * A JSON **payload** with relevant context (with secrets and PII scrubbed). Typical events include: placement creation, compliance decisions, calls placed, emails sent and bounced, payment intents created, disputes filed, plan commits, settings changes, and webhook deliveries. ## How creditor partners view the audit log There is no top-level "Audit log" page in the dashboard today. Audit access is **per placement**: 1. Open a placement detail page in the dashboard. 2. The timeline on that page is built from the placement's audit events. If you have an API key, you can also pull events programmatically: ``` GET /v1/placements/{placement_id}/audit ``` Supported filters: `event_type` (CSV), `actor` (`system` | `ai_agent` | `creditor` | `debtor`), `since` / `until` (ISO timestamps), `limit` (up to 500), and a keyset `cursor` for paging. Tenant isolation is enforced both by the API (we look up the placement under your `creditor_id`) and by Postgres row-level security on the audit table, so you can only see events for your own placements. ## What debtors can see Debtors don't have a dedicated audit-log page. Inside the portal they can: * See payment attempts and their status. * See messages they've exchanged. * See open disputes and their state. If a debtor wants the underlying record for a data-subject access request, they can submit a DSAR through the public portal endpoint and we respond per the CPRA / state-law timeline. See [Data and privacy](/for-debtors/compliance-and-rights/data-and-privacy.md). ## Cross-tenant audit (admin only) A cross-tenant audit view exists for our internal staff (`GET /v1/admin/audit`), gated by Clerk admin authentication. It is **not** available to creditor partners or debtors. ## Exporting There is no built-in "Export audit log to CSV / JSON / PDF" button in the dashboard today. Programmatic access via the per-placement audit endpoint above is the supported path for now. Bulk export is on the roadmap. ## What you can't do * **Delete** an entry — not for any reason. * **Edit** an entry — same. * **Hide** an entry from someone who has legitimate access. ## Retention Audit events are retained as long as the related placement / creditor record is retained. Some attached content (call recordings, email bodies) may have shorter retention; the audit event itself remains even if the attached content is purged. ## TODO * Screenshot: placement timeline showing audit events. * Document bulk export once it ships. *** Last reviewed: 2026-05-24 by Customer Success. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.moderncollections.io/account-and-settings/audit-log-access.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.