Event Reference
Complete reference for every VaultAudit Level 1 timeline event — event type, severity, product source, display title, and the Level 2 sub-event trails each carries.
This page documents every Level 1 event that appears in the VaultAudit timeline, the severity it carries, and the Level 2 sub-events that expand beneath it.
Render Events
Events emitted by VaultPDF during document generation.
| Event Type | Display Title | Severity |
|---|---|---|
generated | Document Generated | information |
failed | Render Failed | failure |
generated — Initial PDF render completed. Extended details include engine version, template path, payload path, output file size, and render duration in milliseconds.
failed — PDF generation or upload failed. Extended details include the error message and the failing pipeline stage.
VaultAudit Events
Events emitted directly by VaultAudit — integrity checks, archival, verification operations, and access control.
| Event Type | Display Title | Severity |
|---|---|---|
integrity-validated | Integrity Verified | compliance |
accessibility-checked | Accessibility Verified | compliance |
archived | Archived to Immutable Storage | compliance |
verified | Integrity Re-verified | compliance |
reproduced | Document Reproduced | compliance |
evidence-exported | Evidence Exported | compliance |
revoked | Access Revoked | security |
integrity-validated — SHA-256 hash computed and stored at generation time. This event is the baseline for all future verification. Always emitted immediately after generated.
accessibility-checked — Section 508 accessibility trace generated and stored. Only emitted when the section508 feature flag is enabled on the template.
archived — Document marked as archived. Appends an immutable audit entry; the document enters a read-only compliance state.
verified — On-demand SHA-256 re-verification triggered from the VaultLifecycle workspace. Extended details include the verification result (trusted, verified, or tampered) and the comparing hash values.
reproduced — Document re-rendered from the .vpdf archive and output hash compared to the original. Extended details include the reproduction result (matched or mismatch) and any hash delta.
evidence-exported — Full audit JSONL event stream exported as a downloadable evidence bundle. Extended details include the export format and operator identity.
revoked — A VaultESign signing session or VaultDelivery delivery session was revoked. Extended details include the session ID and revoking operator.
Workflow Events
Events emitted by VaultWorkflow and classified by VaultAudit in the timeline.
| Event Type | Display Title | Severity |
|---|---|---|
workflow-initiated | Submitted for Review | governance |
workflow-approval-requested | Sent for Approval | governance |
workflow-changes-requested | Changes Requested | governance |
workflow-resubmitted | Resubmitted | governance |
workflow-approved | Approved | governance |
workflow-rejected | Workflow Rejected | failure |
workflow-cancelled | Workflow Cancelled | governance |
workflow-sealed | Document Sealed | compliance |
workflow-initiated — VaultWorkflow session created and participant forms distributed. Extended details include the workflow title and initiator identity.
workflow-approval-requested — Completed submission forwarded to the approver queue. Extended details include the approver role.
workflow-changes-requested — Approver returned the submission with correction instructions.
workflow-resubmitted — Participant addressed change requests and resubmitted.
workflow-approved — Approver accepted the submission.
workflow-rejected — Approver rejected the submission. Shown as a failure-severity event in all timeline views.
workflow-cancelled — Workflow cancelled by the initiator or an administrator.
workflow-sealed — Final PDF sealed and stored after workflow completion. This is the compliance milestone for governed documents and is the only workflow event shown in the Compliance and Executive views.
Workflow sub-events
Operational workflow steps — Step Submitted, Step Advanced, Approver Opened Task, and Seal Initiated — are recorded as Level 2 sub-events beneath their preceding timeline milestone rather than standalone Level 1 entries. They appear in the Full view and in expanded sub-event trails, but not in Executive or Compliance views.
Signing Events
Events emitted by VaultESign and classified by VaultAudit in the timeline.
| Event Type | Display Title | Severity |
|---|---|---|
sent-for-signature | Sent for Signature | information |
otp-verified | Identity Verified | security |
document-signed | Document Signed | compliance |
sent-for-signature — VaultESign session created. Extended details include signing mode (single, sequential, or parallel) and slot count.
otp-verified — A signer completed the OTP challenge. Extended details include slot index, role, and hashed IP address. Emitted once per signer who passes OTP; shown in the Security and Full views.
document-signed — A signer completed their signature slot. Extended details include slot index, role, and completion timestamp. This is the compliance milestone for signed documents.
eSign Level 2 Trail
The document-signed event carries a complete sub-event trail capturing every step of the signing session for that slot:
| Step | Sub-Event | Description |
|---|---|---|
| 1 | Session Created | VaultESign session initialised; invitation emails queued. |
| 2 | Invitation Sent | Signing invitation email dispatched to the signer. |
| 3 | Signer Opened Portal | Signer accessed the signing portal via their unique link. |
| 4 | OTP Challenge Issued | One-time passcode generated and sent to the signer. |
| 5 | OTP Verified | Signer entered the correct OTP and passed identity verification. |
| 6 | Document Signed | Signer completed all manifest fields and submitted their signature. |
| 7 | Evidence Package Generated | Tamper-evident evidence package assembled and stored. |
| 8 | Session Closed | Signing session finalised and sealed. |
Delivery Events
Events emitted by VaultDelivery and classified by VaultAudit in the timeline.
| Event Type | Display Title | Severity |
|---|---|---|
delivery-created | Document Delivered | information |
delivery-created — VaultDelivery session created. Extended details include recipient count and delivery mode (secure-email, sharepoint, or both).
Delivery Level 2 Trail
The delivery-created event carries a complete sub-event trail capturing recipient interaction with the delivery session:
| Step | Sub-Event | Description |
|---|---|---|
| 1 | Session Created | Delivery session initialised; notification queued. |
| 2 | Notification Sent | Delivery notification email dispatched to the recipient. |
| 3 | Delivery Link Opened | Recipient accessed the secure delivery portal. |
| 4 | Identity Verified | Recipient passed the delivery access challenge. |
| 5 | Document Downloaded | Recipient downloaded the document. |
| 6 | Session Completed | Delivery session marked as complete. |
Redact Events
Events emitted by VaultRedact and classified by VaultAudit in the timeline.
| Event Type | Display Title | Severity |
|---|---|---|
document-protected | Document Protected | compliance |
document-protected — Sensitive content redacted or access controls applied by VaultRedact. Extended details include the protection type and the operator identity.
Event Schema
Every Level 1 audit event in the JSONL log has the following structure:
{
"correlationId": "d8cb1510-8290-40f8-8592-702eaa9838a6",
"eventType": "document-signed",
"severity": "compliance",
"title": "Document Signed",
"product": "VaultESign",
"timestamp": "2026-06-12T09:14:22.451Z",
"actorName": "Jane Smith",
"actorEmail": "[email protected]",
"extendedDetails": {
"slotIndex": 0,
"role": "vendor",
"mode": "sequential"
},
"subEvents": [
{
"timestamp": "2026-06-12T09:05:10.000Z",
"title": "Session Created",
"detail": "VaultESign session initialised"
},
{
"timestamp": "2026-06-12T09:05:12.000Z",
"title": "Invitation Sent",
"detail": "Signing invitation dispatched to slot 0"
}
]
}| Field | Type | Description |
|---|---|---|
correlationId | string | Unique document correlation ID. Links all events for a document. |
eventType | AuditEventType | Machine-readable event identifier (see tables above). |
severity | AuditEventSeverity | information | compliance | security | governance | failure |
title | string | Human-readable event title shown in the timeline. |
product | string | Originating Vault Platform product (e.g. VaultESign, VaultWorkflow). |
timestamp | string | ISO 8601 UTC timestamp of the event. |
actorName | string | null | Display name of the user or service that triggered the event. |
actorEmail | string | null | Email address of the actor (Entra UPN). |
extendedDetails | object | null | Event-specific key-value metadata shown in the expanded detail panel in the Lifecycle Workspace. |
subEvents | SubEvent[] | null | Level 2 trail entries. Present on document-signed and delivery-created; null on all other event types. |
Back to VaultAudit Overview
Learn about severity classification, timeline views, Verify & Reproduce, and the Certificate of Verification.
VaultAudit
VaultAudit is the cross-product audit intelligence layer of Vault Platform. Every lifecycle event across VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact is recorded in an immutable, tamper-evident timeline that answers compliance and governance questions in a single view.
Immutable Archive — Retention Policy
Retention period, write-lock behaviour, compliance standards satisfied, and GDPR considerations for the VaultAudit immutable archive.