VaultAudit
VaultAudit is the cross-product audit intelligence layer of Vault Platform. Every lifecycle event across VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact is recorded in an immutable, tamper-evident timeline that answers compliance and governance questions in a single view.
VaultAudit is the audit intelligence layer that runs beneath every Vault Platform product. As documents move through generation, signing, delivery, and archival, VaultAudit captures each meaningful lifecycle event, classifies it by severity, and writes it to an immutable JSONL audit log. The result is a tamper-evident, cross-product timeline that compliance officers, auditors, and security teams can read without needing access to individual product APIs.
Cross-product by design
VaultAudit is not a standalone product — it is the shared audit layer for the entire Vault Platform family. VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact all emit events that VaultAudit classifies, stores, and surfaces in the Lifecycle Workspace timeline.
What VaultAudit Does
Immutable Audit Timeline
Every business and compliance event is written to a tamper-evident JSONL log per document. Events are append-only and cannot be modified after write.
Severity-Based Filtering
Events are classified as information, compliance, security, governance, or failure. The Lifecycle Workspace surfaces Executive, Compliance, Security, and Full timeline views from this classification without any schema changes.
Level 2 Sub-Event Trails
Operational detail events — signer invitation, OTP challenge, delivery link opened — are grouped as sub-events beneath their Level 1 parent, keeping the compliance timeline clean while preserving full auditability.
Integrity Verification
On-demand SHA-256 hash verification confirms whether a document has been tampered with since generation. The result is appended to the audit log and surfaced in the timeline.
Verify & Reproduce
Documents can be reproduced from the immutable .vpdf archive and their output hash compared to the original — providing cryptographic proof that the same inputs produce the same output.
Certificate of Verification
A downloadable evidence certificate summarising the document's audit trail, integrity status, signer identities, and archival record — suitable for external auditors and legal disclosure.
The Complete Document Timeline
For a fully signed, delivered, and archived document, the VaultAudit timeline reads as follows. Each event is tagged with the originating product and a severity that controls which filtered view it appears in.
| Product | Event | Severity | Condition |
|---|---|---|---|
| VaultPDF | Document Generated | information | Always |
| VaultAudit | Integrity Verified | compliance | Always |
| VaultAudit | Accessibility Verified | compliance | Section 508 enabled |
| VaultWorkflow | Submitted for Review | governance | Workflow used |
| VaultWorkflow | Sent for Approval | governance | Workflow used |
| VaultWorkflow | Document Sealed | compliance | Workflow used |
| VaultESign | Sent for Signature | information | Signing used |
| VaultESign | Identity Verified | security | Signing used |
| VaultESign | Document Signed | compliance | Signing used |
| VaultDelivery | Document Delivered | information | Delivery used |
| VaultAudit | Archived to Immutable Storage | compliance | Always |
Governing principle
Every event shown in the timeline answers a business or compliance question. Operational detail — signer portal opened, delivery link clicked, workflow step advanced — lives in Level 2 sub-events beneath its parent. It is fully auditable but does not appear in Executive or Compliance views.
Event Levels
VaultAudit uses a two-level structure to balance readability with completeness.
Level 1 — Timeline Events
Level 1 events represent meaningful business or compliance milestones. They are always written to the audit log and shown in the Lifecycle Workspace timeline. These are the events that regulators, compliance officers, and managers read.
Examples: Document Generated, Integrity Verified, Document Signed, Archived to Immutable Storage.
Level 2 — Sub-Event Trails
Level 2 sub-events are the operational steps that make up a Level 1 milestone. They are grouped beneath their parent and expanded on demand. They are always written to the audit log but do not appear in filtered compliance views.
eSign trail (sub-events of Document Signed):
- Session Created
- Invitation Sent
- Signer Opened Portal
- OTP Challenge Issued
- OTP Verified
- Document Signed
- Evidence Package Generated
- Session Closed
Delivery trail (sub-events of Document Delivered):
- Session Created
- Notification Sent
- Delivery Link Opened
- Identity Verified
- Document Downloaded
- Session Completed
Workflow detail (sub-events of workflow milestones):
Step Submitted, Step Advanced, Approver Opened Task, and Seal Initiated appear as sub-events of the preceding workflow timeline milestone rather than standalone Level 1 entries.
Severity Classification
Every Level 1 event carries a severity that controls which timeline view it appears in.
| Severity | Description | Representative Events |
|---|---|---|
information | High-level lifecycle progress | Document Generated, Sent for Signature, Document Delivered, Submitted for Review |
compliance | Events regulators and auditors must see | Integrity Verified, Accessibility Verified, Document Signed, Document Sealed, Document Protected, Archived to Immutable Storage, Evidence Exported, Integrity Re-verified, Document Reproduced |
security | Identity and access events | Identity Verified (OTP), Access Revoked |
governance | Workflow state transitions | Sent for Approval, Changes Requested, Resubmitted, Approved, Cancelled |
failure | Error and rejection events | Render Failed, Workflow Rejected |
Timeline Views
| View | Severities Shown | Audience |
|---|---|---|
| Executive | information, compliance | Senior leadership, document owners |
| Compliance | compliance, security | Compliance officers, auditors |
| Security | security, failure | Security teams, risk reviewers |
| Full | All severities | Administrators, support |
Immutable Storage
Audit events are written to an append-only Azure Blob (audit-logs container) using an AppendBlob. Once written, events cannot be modified or deleted. The blob is scoped per document:
audit-logs/{correlationId}/audit.jsonlEach line is a self-contained JSON event. The file grows only by appending — no record is ever overwritten. For compliance deployments requiring guaranteed delivery, the Enterprise audit tier routes events through Azure Service Bus before writing to blob, providing dead-letter monitoring for any failed writes. See Audit Logs configuration for tier setup.
Verify & Reproduce
VaultAudit provides two flagship verification operations accessible from the VaultLifecycle workspace.
Verify Integrity
Triggers an on-demand SHA-256 re-verification of the stored document against the hash recorded at generation time. The result — trusted, verified, or tampered — is appended to the audit log as an integrity-validated event and shown in the timeline under Integrity Re-verified.
Reproduce
Re-renders the document from the immutable .vpdf archive using the original template and original payload, then compares the output hash to the generation-time hash. A matching hash proves the archive is complete and the render engine is deterministic — the document can be reproduced byte-for-byte from its original inputs.
The reproduction result is appended to the audit log as a reproduced event and shown in the timeline as Document Reproduced, with the comparison outcome and any hash delta.
Certificate of Verification
After a successful Verify or Reproduce operation, a Certificate of Verification can be generated from the VaultLifecycle workspace. The certificate includes:
- Document identity (CorrelationId, DocumentId, DocType)
- Generation timestamp and engine version
- Template and payload paths
- Original SHA-256 hash and verification result
- Signer identities and OTP verification status (if signed)
- Archival status and audit log reference
- Verification timestamp and operator identity
The certificate is a signed PDF suitable for attachment to regulatory submissions, contract archives, or legal disclosures.
VaultAudit Event Reference
Full reference for every Level 1 audit event — type, severity, product source, display title, and the Level 2 sub-event trails each carries.
Immutable Archive — Retention Policy
Retention period, write-lock behaviour, applicable compliance standards (SOX, IRS, EU Directive 2013/34), and GDPR Article 17 considerations for archived documents.
Workspace Tabs Reference
Detailed reference for every tab in the VaultLifecycle workspace: search and filters, Timeline, Signing, Delivery, Workflow, and Configuration.
Event Reference
Complete reference for every VaultAudit Level 1 timeline event — event type, severity, product source, display title, and the Level 2 sub-event trails each carries.