Security & Privacy

Audit & Monitoring

Audit logs, sign-in logs, unknown-login alerts, and log retention in BookYourPTO — what's recorded, who can see it, and how long it's kept.

Audit & Monitoring

BookYourPTO keeps a detailed, tamper-evident trail of who did what, when, and from where. This is the system of record for compliance reviews, incident response, and answering "who changed this?" Most of this section is Executive-only — see Roles & Permissions.

Audit logs

Every meaningful action writes an audit entry. Each row captures:

FieldDetail
ActionCreate, Update, Delete, Approve, Reject, Cancel, Sign, View, Download, Export, Login, Logout, Password change, Settings change, Submit, Mark paid, QuickBooks connect/disconnect, Offboard, Reactivate, Data deletion.
Entity type & idWhat was acted on (e.g. a leave request, a user).
ChangesA before/after JSON snapshot of what changed.
ActorThe user who performed the action.
OrganizationThe org the action belongs to.
ContextIP address, user agent, and timestamp.
Available on every plan, including Free. Audit logs used to be a Business-only feature — they're now included on all plans. See Plans.

Where to find them

Settings → Security, which has sub-tabs:

  • Audit Logs — the full action trail above.
  • Sign-in Logs — every login attempt (see below).
  • Leave Transactions — balance and leave changes.
  • Time Tracking — clock and entry changes.
  • Security Violations — tripped guards and rejected attempts.

Access is Executive only — any other role receives a 403.

Exporting

Audit data exports to CSV or JSON, up to 10,000 rows per export.

Sign-in logs

Separately from audit logs, every login attempt — successful or failed — is recorded with:

FieldDetail
EmailThe address used to attempt login.
SuccessWhether it succeeded.
ReasonWhy it failed, if it did.
IP & user agentThe raw request origin.
Device / browser / OSParsed from the user agent.
City / countryApproximate location from the IP.

Sign-in logs are viewable by Executive only, at Settings → Security → Sign-in Logs.

Unknown-login alerts

On a successful login from an IP not seen recently — and that isn't the account's very first login — an "unknown login" email alert is sent to the account owner. The email includes the time, IP, browser/OS, and approximate location.

If you get an unknown-login email you don't recognize, change your password immediately (this signs you out everywhere) and review your trusted devices. Enable two-factor if you haven't.

Retention

Logs are purged automatically after the organization's retention window.

Log typeDefault retention
Audit logs84 months (7 years) — configurable
Sign-in logsSame window
Token lifecycle logsSame window
Notification logsSame window
PHI logsSame window

When a user is GDPR-anonymized, their audit rows are kept for reporting integrity, but the actor is shown as "Deleted User" rather than their name. See Account Deletion & Privacy.

Troubleshooting

ErrorCauseFix
403 opening Settings → SecurityYou aren't an Executive.Audit and sign-in logs are Executive-only; ask an executive to pull what you need.
Export looks truncatedExports cap at 10,000 rows.Narrow the date range or filters and export in batches.
An old action isn't in the logsIt fell outside the retention window.Older entries are auto-purged after the org's retention setting (default 7 years).
Actor shows "Deleted User"That user was GDPR-anonymized.Expected — the audit row is preserved but the actor identity is removed.