Audit & Monitoring
Audit & Monitoring
BookYourPTO keeps a detailed, tamper-evident trail of who did what, when, and from where. This is the system of record for compliance reviews, incident response, and answering "who changed this?" Most of this section is Executive-only — see Roles & Permissions.
Audit logs
Every meaningful action writes an audit entry. Each row captures:
| Field | Detail |
|---|---|
| Action | Create, Update, Delete, Approve, Reject, Cancel, Sign, View, Download, Export, Login, Logout, Password change, Settings change, Submit, Mark paid, QuickBooks connect/disconnect, Offboard, Reactivate, Data deletion. |
| Entity type & id | What was acted on (e.g. a leave request, a user). |
| Changes | A before/after JSON snapshot of what changed. |
| Actor | The user who performed the action. |
| Organization | The org the action belongs to. |
| Context | IP address, user agent, and timestamp. |
Where to find them
Settings → Security, which has sub-tabs:
- Audit Logs — the full action trail above.
- Sign-in Logs — every login attempt (see below).
- Leave Transactions — balance and leave changes.
- Time Tracking — clock and entry changes.
- Security Violations — tripped guards and rejected attempts.
Access is Executive only — any other role receives a 403.
Exporting
Audit data exports to CSV or JSON, up to 10,000 rows per export.
Sign-in logs
Separately from audit logs, every login attempt — successful or failed — is recorded with:
| Field | Detail |
|---|---|
| The address used to attempt login. | |
| Success | Whether it succeeded. |
| Reason | Why it failed, if it did. |
| IP & user agent | The raw request origin. |
| Device / browser / OS | Parsed from the user agent. |
| City / country | Approximate location from the IP. |
Sign-in logs are viewable by Executive only, at Settings → Security → Sign-in Logs.
Unknown-login alerts
On a successful login from an IP not seen recently — and that isn't the account's very first login — an "unknown login" email alert is sent to the account owner. The email includes the time, IP, browser/OS, and approximate location.
Retention
Logs are purged automatically after the organization's retention window.
| Log type | Default retention |
|---|---|
| Audit logs | 84 months (7 years) — configurable |
| Sign-in logs | Same window |
| Token lifecycle logs | Same window |
| Notification logs | Same window |
| PHI logs | Same window |
When a user is GDPR-anonymized, their audit rows are kept for reporting integrity, but the actor is shown as "Deleted User" rather than their name. See Account Deletion & Privacy.
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
403 opening Settings → Security | You aren't an Executive. | Audit and sign-in logs are Executive-only; ask an executive to pull what you need. |
| Export looks truncated | Exports cap at 10,000 rows. | Narrow the date range or filters and export in batches. |
| An old action isn't in the logs | It fell outside the retention window. | Older entries are auto-purged after the org's retention setting (default 7 years). |
| Actor shows "Deleted User" | That user was GDPR-anonymized. | Expected — the audit row is preserved but the actor identity is removed. |
Two-Factor & Devices
Set up TOTP two-factor authentication, save backup codes, verify at login, and manage trusted devices in BookYourPTO.
Account Deletion & Privacy
GDPR/CCPA controls in BookYourPTO — delete your account or organization with an emailed code, export your data, opt out of third-party syncs, and understand anonymization.