VaultAudit

VaultAudit

VaultAudit is the cross-product audit intelligence layer of REFRACT Platform. Every lifecycle event across VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact is recorded in an immutable, tamper-evident timeline that answers compliance and governance questions in a single view.

VaultAudit is the audit intelligence layer that runs beneath every REFRACT Platform product. As documents move through generation, signing, delivery, and archival, VaultAudit captures each meaningful lifecycle event, classifies it by severity, and writes it to an immutable JSONL audit log. The result is a tamper-evident, cross-product timeline that compliance officers, auditors, and security teams can read without needing access to individual product APIs.

Cross-product by design

VaultAudit is not a standalone product - it is the shared audit layer for the entire REFRACT Platform family. VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact all emit events that VaultAudit classifies, stores, and surfaces in the Lifecycle Workspace timeline.


What VaultAudit Does

Immutable Audit Timeline

Every business and compliance event is written to a tamper-evident JSONL log per document. Events are append-only and cannot be modified after write.

Severity-Based Filtering

Events are classified as information, compliance, security, governance, or failure. The Lifecycle Workspace surfaces Executive, Compliance, Security, and Full timeline views from this classification without any schema changes.

Level 2 Sub-Event Trails

Operational detail events - signer invitation, OTP challenge, delivery link opened - are grouped as sub-events beneath their Level 1 parent, keeping the compliance timeline clean while preserving full auditability.

Integrity Verification

On-demand SHA-256 hash verification confirms whether a document has been tampered with since generation. The result is appended to the audit log and surfaced in the timeline.

Verify & Reproduce

Documents can be reproduced from the immutable .vpdf archive and their output hash compared to the original - providing cryptographic proof that the same inputs produce the same output.

Certificate of Verification

A downloadable evidence certificate summarising the document's audit trail, integrity status, signer identities, and archival record - suitable for external auditors and legal disclosure.


Business Questions VaultAudit Answers

VaultAudit is built around the questions compliance officers, auditors, and security teams actually ask - not around technical operations. Every Level 1 event maps to at least one answerable question.

Business QuestionVaultAudit EventSeverity
Was this document generated by our controlled system, and when?Document Generatedinformation
Was the document's integrity verified at the point of creation?Integrity Verifiedcompliance
Did the document go through an approval workflow before it was signed?Document Sealedcompliance
Who approved it, and were any changes requested before approval?Workflow Approved / Changes Requestedgovernance
Was the signer's identity verified before they applied their signature?Identity Verifiedsecurity
Did all required parties sign the document?Document Signed (per signer)compliance
Was the signed document delivered to the intended recipient?Document Deliveredinformation
Has the archived document been altered since it was generated?Integrity Re-verifiedcompliance
Can we reproduce the document byte-for-byte from the archive?Document Reproducedcompliance
Has a complete evidence bundle been exported for legal or regulatory use?Evidence Exportedcompliance
Is the document safely archived in immutable, write-locked storage?Archived to Immutable Storagecompliance

The Complete Document Timeline

For a fully signed, delivered, and archived document, the VaultAudit timeline reads as a chronological story of governance - not a log of system operations. The example below shows a vendor contract that passed through a VaultWorkflow approval, was countersigned by two parties in sequence, delivered to the recipient, and written to immutable storage.

Illustrative Example

The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.

Document: Vendor Contract - ACME Supplier Agreement
CorrelationId: vc-2026-0601-acme

Level 1 Timeline - what compliance officers and auditors see:

  [08:12:33]  Document Generated               VaultPDF        information
  [08:12:34]  Integrity Verified               VaultAudit      compliance
  [08:14:01]  Submitted for Review             VaultWorkflow   governance
  [08:14:02]  Sent for Approval                VaultWorkflow   governance
  [08:45:18]  Workflow Approved                 VaultWorkflow   governance
  [08:45:19]  Document Sealed                  VaultWorkflow   compliance
  [09:02:44]  Sent for Signature               VaultESign      information
  [09:10:12]  Identity Verified - J. Smith     VaultESign      security
  [09:14:22]  Document Signed - J. Smith       VaultESign      compliance
  [09:15:08]  Identity Verified - M. Johnson   VaultESign      security
  [09:16:44]  Document Signed - M. Johnson     VaultESign      compliance
  [09:17:01]  Document Delivered               VaultDelivery   information
  [09:17:02]  Archived to Immutable Storage    VaultAudit      compliance

Level 2 Sub-Event Trails - visible in the Full view and expanded on demand:

Document Signed - J. Smith (Slot 0, vendor, sequential)
  ├─ 09:02:44  Session Created            VaultESign session initialised
  ├─ 09:02:45  Invitation Sent            Signing invitation dispatched to j.smith@acme.com
  ├─ 09:09:33  Signer Opened Portal       J. Smith accessed the signing portal via unique link
  ├─ 09:09:34  OTP Challenge Issued       One-time passcode generated and dispatched
  ├─ 09:10:12  OTP Verified               J. Smith passed identity verification (email OTP)
  ├─ 09:14:22  Document Signed            All manifest fields completed; signature submitted
  ├─ 09:14:23  Evidence Package Generated Tamper-evident evidence assembled and stored
  └─ 09:14:24  Session Closed             Slot 0 sealed; slot 1 invitation queued

Document Signed - M. Johnson (Slot 1, manager, sequential)
  ├─ 09:14:25  Invitation Sent            Next-signer invitation dispatched (sequential activation)
  ├─ 09:14:55  Signer Opened Portal       M. Johnson accessed the signing portal
  ├─ 09:14:56  OTP Challenge Issued       One-time passcode generated and dispatched
  ├─ 09:15:08  OTP Verified               M. Johnson passed identity verification (email OTP)
  ├─ 09:16:44  Document Signed            Signature submitted; final seal queued
  ├─ 09:16:45  Evidence Package Generated
  └─ 09:16:46  Session Closed             All required slots complete; PDF sealed

Document Delivered (recipient: procurement@contoso.com)
  ├─ 09:17:01  Session Created            Delivery session initialised
  ├─ 09:17:02  Notification Sent          Delivery notification dispatched to recipient
  ├─ 09:32:14  Delivery Link Opened       Recipient accessed the secure delivery portal
  ├─ 09:32:15  Identity Verified          Recipient passed the delivery access challenge
  ├─ 09:33:01  Document Downloaded        Recipient retrieved the document
  └─ 09:33:02  Session Completed          Delivery session closed

Seal before signature - the key governance proof

The Document Sealed timestamp [08:45:19] precedes the first signing session [09:02:44] by 17 minutes. This ordering is the cryptographic proof that the document was reviewed, approved, and sealed before any signer ever saw it. The compliance timeline answers this question without any query into the workflow system.


Event Levels

VaultAudit uses a two-level structure to balance readability with completeness.

Level 1 - Timeline Events

Level 1 events represent meaningful business or compliance milestones. They are always written to the audit log and shown in the Lifecycle Workspace timeline. These are the events that regulators, compliance officers, and managers read.

Examples: Document Generated, Integrity Verified, Document Signed, Archived to Immutable Storage.

Level 2 - Sub-Event Trails

Level 2 sub-events are the operational steps that make up a Level 1 milestone. They are grouped beneath their parent and expanded on demand. They are always written to the audit log but do not appear in filtered compliance views.

eSign trail (sub-events of Document Signed):

  1. Session Created
  2. Invitation Sent
  3. Signer Opened Portal
  4. OTP Challenge Issued
  5. OTP Verified
  6. Document Signed
  7. Evidence Package Generated
  8. Session Closed

Delivery trail (sub-events of Document Delivered):

  1. Session Created
  2. Notification Sent
  3. Delivery Link Opened
  4. Identity Verified
  5. Document Downloaded
  6. Session Completed

Workflow detail (sub-events of workflow milestones):

Step Submitted, Step Advanced, Approver Opened Task, and Seal Initiated appear as sub-events of the preceding workflow timeline milestone rather than standalone Level 1 entries.


Severity Classification

Every Level 1 event carries a severity that controls which timeline view it appears in.

SeverityDescriptionRepresentative Events
informationHigh-level lifecycle progressDocument Generated, Sent for Signature, Document Delivered, Submitted for Review
complianceEvents regulators and auditors must seeIntegrity Verified, Accessibility Verified, Document Signed, Document Sealed, Document Protected, Archived to Immutable Storage, Evidence Exported, Integrity Re-verified, Document Reproduced
securityIdentity and access eventsIdentity Verified (OTP), Access Revoked
governanceWorkflow state transitionsSent for Approval, Changes Requested, Resubmitted, Workflow Approved, Workflow Cancelled
failureError and rejection eventsRender Failed, Workflow Rejected

Timeline Views

ViewSeverities ShownAudience
Executiveinformation, complianceSenior leadership, document owners
Compliancecompliance, securityCompliance officers, auditors
Securitysecurity, failureSecurity teams, risk reviewers
FullAll severitiesAdministrators, support

Immutable Storage

Audit events are written to an append-only Azure Blob (audit-logs container) using an AppendBlob. Once written, events cannot be modified or deleted. The blob is scoped per document:

audit-logs/{correlationId}/audit.jsonl

Each line is a self-contained JSON event. The file grows only by appending - no record is ever overwritten. For compliance deployments requiring guaranteed delivery, the Enterprise audit tier routes events through Azure Service Bus before writing to blob, providing dead-letter monitoring for any failed writes. See Audit Logs configuration for tier setup.


Verify & Reproduce

VaultAudit provides two flagship verification operations accessible from the VaultLifecycle workspace.

Verify Integrity

Triggers an on-demand SHA-256 re-verification of the stored document against the hash recorded at generation time. The result - trusted, verified, or tampered - is appended to the audit log as an integrity-validated event and shown in the timeline under Integrity Re-verified.

Reproduce

Re-renders the document from the immutable .vpdf archive using the original template and original payload, then compares the output hash to the generation-time hash. A matching hash proves the archive is complete and the render engine is deterministic - the document can be reproduced byte-for-byte from its original inputs.

The reproduction result is appended to the audit log as a reproduced event and shown in the timeline as Document Reproduced, with the comparison outcome and any hash delta.

Certificate of Verification

After a successful Verify or Reproduce operation, a Certificate of Verification can be generated from the VaultLifecycle workspace. The certificate includes:

  • Document identity (CorrelationId, DocumentId, DocType)
  • Generation timestamp and engine version
  • Template and payload paths
  • Original SHA-256 hash and verification result
  • Signer identities and OTP verification status (if signed)
  • Archival status and audit log reference
  • Verification timestamp and operator identity

The certificate is a signed PDF suitable for attachment to regulatory submissions, contract archives, or legal disclosures.


Scenarios

Scenario 1 - Annual Audit: Prove the Governance Chain for a Vendor Contract

Illustrative Example

The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.

Business context: Finance controller needs to demonstrate proper controls to external
auditors. A vendor contract went through VaultWorkflow for approval, VaultESign for
counter-signature (2 signers), and VaultDelivery for recipient delivery.

Document: Vendor Contract VC-2026-0601 (Acme Corp)
Executive view (information + compliance severities):

  2026-06-01 08:00 UTC  [information]  VaultPDF       Document Generated
  2026-06-01 08:00 UTC  [compliance]   VaultAudit     Integrity Verified
  2026-06-01 10:22 UTC  [compliance]   VaultWorkflow  Document Sealed
  2026-06-01 11:05 UTC  [compliance]   VaultESign     Document Signed    - slot 0: vendor@acme.com
  2026-06-01 11:29 UTC  [compliance]   VaultESign     Document Signed    - slot 1: director@contoso.com
  2026-06-01 11:30 UTC  [information]  VaultDelivery  Document Delivered
  2026-06-01 11:30 UTC  [compliance]   VaultAudit     Archived to Immutable Storage

Auditor questions this trail answers:
  ✓ Was the document generated by our controlled system?        → Document Generated (08:00 UTC)
  ✓ Was document integrity verified at generation time?         → Integrity Verified (08:00 UTC)
  ✓ Did it go through a governed approval workflow?             → Document Sealed (10:22 UTC)
  ✓ Was each signer's identity verified before signing?         → Security view: Identity Verified × 2
  ✓ Did both required parties sign?                             → Document Signed × 2
  ✓ Was the signed document delivered to the counterparty?      → Document Delivered (11:30 UTC)
  ✓ Is the document in tamper-proof immutable storage?          → Archived to Immutable Storage (11:30 UTC)

For deeper investigation (Full view, Level 2 expanded):
  Each Document Signed event carries an 8-step eSign trail showing portal
  access time, OTP challenge, OTP verification, signing timestamp, and
  evidence package generation - one trail per signer slot.

Illustrative Example

The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.

Business context: A service agreement is under dispute. Legal counsel needs to
produce a complete evidence package showing the document's chain of custody -
who created it, who signed it under verified identity, and that it has not
been altered since signing.

Actions taken in VaultLifecycle Workspace:
  1. Run Verify Integrity  →  SHA-256 re-verification against generation-time hash
  2. Download Certificate of Verification (signed PDF)
  3. Export Evidence Bundle (full JSONL audit log + certificate)

Audit trail after these actions:
  [compliance]  2026-06-10 14:33 UTC  VaultAudit  Integrity Re-verified  - result: trusted
  [compliance]  2026-06-10 15:00 UTC  VaultAudit  Evidence Exported      - format: JSONL + certificate

Questions the evidence package answers for legal or arbitration proceedings:
  ✓ When was the document created, and by which system?      → generated (timestamp + engine version)
  ✓ Was it modified before the parties signed?               → integrity-validated hash matches document-signed hash
  ✓ Did both parties access the signing portal?              → Level 2: Signer Opened Portal (timestamped, per slot)
  ✓ Was each signer's identity verified?                     → Identity Verified (OTP method + slot index)
  ✓ Did each signer give informed consent to e-signing?      → evidence certificate: verbatim consent text + timestamp
  ✓ Has the document been altered since sealing?             → Integrity Re-verified: trusted
  ✓ Who ran the verification and exported the evidence?      → actorName + actorEmail on Integrity Re-verified and Evidence Exported events

Scenario 3 - Security Review: Spot-Check Archived Financial Documents

Illustrative Example

The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.

Business context: CISO requests annual verification that archived AP invoices match
their original generation-time hashes. VaultAudit's Reproduce operation re-renders
each document from the .vpdf archive and compares the output hash to the original,
proving the archive is complete and the render is deterministic.

Action: Reproduce operation run on AP Invoice INV-2026-8821

  Archive retrieved:        payloads/2026/inv-2026-8821.vpdf
  Re-render output hash:    sha256:b3d4e5f6a1b2c3d4...
  Generation-time hash:     sha256:b3d4e5f6a1b2c3d4...
  Result: MATCHED - document reproduced byte-for-byte from the archive

Audit trail appended:
  [compliance]  2026-06-12 09:15 UTC  VaultAudit  Document Reproduced  - result: matched

Security questions this answers:
  ✓ Is the archive complete and uncorrupted?              → reproduced: matched
  ✓ Is the render engine still deterministic?             → same inputs produce the same SHA-256 output
  ✓ Could an adversary have replaced the stored PDF?      → hash mismatch produces reproduced: mismatch
  ✓ Is there a permanent record that this check was run?  → Document Reproduced event appended to audit JSONL

VaultAudit Event Reference

Full reference for every Level 1 audit event - type, severity, product source, display title, and the Level 2 sub-event trails each carries.

Immutable Archive - Retention Policy

Retention period, write-lock behaviour, applicable compliance standards (SOX, IRS, EU Directive 2013/34), and GDPR Article 17 considerations for archived documents.

On this page