VaultAudit
VaultAudit is the cross-product audit intelligence layer of REFRACT Platform. Every lifecycle event across VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact is recorded in an immutable, tamper-evident timeline that answers compliance and governance questions in a single view.
VaultAudit is the audit intelligence layer that runs beneath every REFRACT Platform product. As documents move through generation, signing, delivery, and archival, VaultAudit captures each meaningful lifecycle event, classifies it by severity, and writes it to an immutable JSONL audit log. The result is a tamper-evident, cross-product timeline that compliance officers, auditors, and security teams can read without needing access to individual product APIs.
Cross-product by design
VaultAudit is not a standalone product - it is the shared audit layer for the entire REFRACT Platform family. VaultPDF, VaultESign, VaultDelivery, VaultWorkflow, and VaultRedact all emit events that VaultAudit classifies, stores, and surfaces in the Lifecycle Workspace timeline.
What VaultAudit Does
Immutable Audit Timeline
Every business and compliance event is written to a tamper-evident JSONL log per document. Events are append-only and cannot be modified after write.
Severity-Based Filtering
Events are classified as information, compliance, security, governance, or failure. The Lifecycle Workspace surfaces Executive, Compliance, Security, and Full timeline views from this classification without any schema changes.
Level 2 Sub-Event Trails
Operational detail events - signer invitation, OTP challenge, delivery link opened - are grouped as sub-events beneath their Level 1 parent, keeping the compliance timeline clean while preserving full auditability.
Integrity Verification
On-demand SHA-256 hash verification confirms whether a document has been tampered with since generation. The result is appended to the audit log and surfaced in the timeline.
Verify & Reproduce
Documents can be reproduced from the immutable .vpdf archive and their output hash compared to the original - providing cryptographic proof that the same inputs produce the same output.
Certificate of Verification
A downloadable evidence certificate summarising the document's audit trail, integrity status, signer identities, and archival record - suitable for external auditors and legal disclosure.
Business Questions VaultAudit Answers
VaultAudit is built around the questions compliance officers, auditors, and security teams actually ask - not around technical operations. Every Level 1 event maps to at least one answerable question.
| Business Question | VaultAudit Event | Severity |
|---|---|---|
| Was this document generated by our controlled system, and when? | Document Generated | information |
| Was the document's integrity verified at the point of creation? | Integrity Verified | compliance |
| Did the document go through an approval workflow before it was signed? | Document Sealed | compliance |
| Who approved it, and were any changes requested before approval? | Workflow Approved / Changes Requested | governance |
| Was the signer's identity verified before they applied their signature? | Identity Verified | security |
| Did all required parties sign the document? | Document Signed (per signer) | compliance |
| Was the signed document delivered to the intended recipient? | Document Delivered | information |
| Has the archived document been altered since it was generated? | Integrity Re-verified | compliance |
| Can we reproduce the document byte-for-byte from the archive? | Document Reproduced | compliance |
| Has a complete evidence bundle been exported for legal or regulatory use? | Evidence Exported | compliance |
| Is the document safely archived in immutable, write-locked storage? | Archived to Immutable Storage | compliance |
The Complete Document Timeline
For a fully signed, delivered, and archived document, the VaultAudit timeline reads as a chronological story of governance - not a log of system operations. The example below shows a vendor contract that passed through a VaultWorkflow approval, was countersigned by two parties in sequence, delivered to the recipient, and written to immutable storage.
Illustrative Example
The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.
Document: Vendor Contract - ACME Supplier Agreement
CorrelationId: vc-2026-0601-acme
Level 1 Timeline - what compliance officers and auditors see:
[08:12:33] Document Generated VaultPDF information
[08:12:34] Integrity Verified VaultAudit compliance
[08:14:01] Submitted for Review VaultWorkflow governance
[08:14:02] Sent for Approval VaultWorkflow governance
[08:45:18] Workflow Approved VaultWorkflow governance
[08:45:19] Document Sealed VaultWorkflow compliance
[09:02:44] Sent for Signature VaultESign information
[09:10:12] Identity Verified - J. Smith VaultESign security
[09:14:22] Document Signed - J. Smith VaultESign compliance
[09:15:08] Identity Verified - M. Johnson VaultESign security
[09:16:44] Document Signed - M. Johnson VaultESign compliance
[09:17:01] Document Delivered VaultDelivery information
[09:17:02] Archived to Immutable Storage VaultAudit compliance
Level 2 Sub-Event Trails - visible in the Full view and expanded on demand:
Document Signed - J. Smith (Slot 0, vendor, sequential)
├─ 09:02:44 Session Created VaultESign session initialised
├─ 09:02:45 Invitation Sent Signing invitation dispatched to j.smith@acme.com
├─ 09:09:33 Signer Opened Portal J. Smith accessed the signing portal via unique link
├─ 09:09:34 OTP Challenge Issued One-time passcode generated and dispatched
├─ 09:10:12 OTP Verified J. Smith passed identity verification (email OTP)
├─ 09:14:22 Document Signed All manifest fields completed; signature submitted
├─ 09:14:23 Evidence Package Generated Tamper-evident evidence assembled and stored
└─ 09:14:24 Session Closed Slot 0 sealed; slot 1 invitation queued
Document Signed - M. Johnson (Slot 1, manager, sequential)
├─ 09:14:25 Invitation Sent Next-signer invitation dispatched (sequential activation)
├─ 09:14:55 Signer Opened Portal M. Johnson accessed the signing portal
├─ 09:14:56 OTP Challenge Issued One-time passcode generated and dispatched
├─ 09:15:08 OTP Verified M. Johnson passed identity verification (email OTP)
├─ 09:16:44 Document Signed Signature submitted; final seal queued
├─ 09:16:45 Evidence Package Generated
└─ 09:16:46 Session Closed All required slots complete; PDF sealed
Document Delivered (recipient: procurement@contoso.com)
├─ 09:17:01 Session Created Delivery session initialised
├─ 09:17:02 Notification Sent Delivery notification dispatched to recipient
├─ 09:32:14 Delivery Link Opened Recipient accessed the secure delivery portal
├─ 09:32:15 Identity Verified Recipient passed the delivery access challenge
├─ 09:33:01 Document Downloaded Recipient retrieved the document
└─ 09:33:02 Session Completed Delivery session closedSeal before signature - the key governance proof
The Document Sealed timestamp [08:45:19] precedes the first signing session [09:02:44] by 17 minutes. This ordering is the cryptographic proof that the document was reviewed, approved, and sealed before any signer ever saw it. The compliance timeline answers this question without any query into the workflow system.
Event Levels
VaultAudit uses a two-level structure to balance readability with completeness.
Level 1 - Timeline Events
Level 1 events represent meaningful business or compliance milestones. They are always written to the audit log and shown in the Lifecycle Workspace timeline. These are the events that regulators, compliance officers, and managers read.
Examples: Document Generated, Integrity Verified, Document Signed, Archived to Immutable Storage.
Level 2 - Sub-Event Trails
Level 2 sub-events are the operational steps that make up a Level 1 milestone. They are grouped beneath their parent and expanded on demand. They are always written to the audit log but do not appear in filtered compliance views.
eSign trail (sub-events of Document Signed):
- Session Created
- Invitation Sent
- Signer Opened Portal
- OTP Challenge Issued
- OTP Verified
- Document Signed
- Evidence Package Generated
- Session Closed
Delivery trail (sub-events of Document Delivered):
- Session Created
- Notification Sent
- Delivery Link Opened
- Identity Verified
- Document Downloaded
- Session Completed
Workflow detail (sub-events of workflow milestones):
Step Submitted, Step Advanced, Approver Opened Task, and Seal Initiated appear as sub-events of the preceding workflow timeline milestone rather than standalone Level 1 entries.
Severity Classification
Every Level 1 event carries a severity that controls which timeline view it appears in.
| Severity | Description | Representative Events |
|---|---|---|
information | High-level lifecycle progress | Document Generated, Sent for Signature, Document Delivered, Submitted for Review |
compliance | Events regulators and auditors must see | Integrity Verified, Accessibility Verified, Document Signed, Document Sealed, Document Protected, Archived to Immutable Storage, Evidence Exported, Integrity Re-verified, Document Reproduced |
security | Identity and access events | Identity Verified (OTP), Access Revoked |
governance | Workflow state transitions | Sent for Approval, Changes Requested, Resubmitted, Workflow Approved, Workflow Cancelled |
failure | Error and rejection events | Render Failed, Workflow Rejected |
Timeline Views
| View | Severities Shown | Audience |
|---|---|---|
| Executive | information, compliance | Senior leadership, document owners |
| Compliance | compliance, security | Compliance officers, auditors |
| Security | security, failure | Security teams, risk reviewers |
| Full | All severities | Administrators, support |
Immutable Storage
Audit events are written to an append-only Azure Blob (audit-logs container) using an AppendBlob. Once written, events cannot be modified or deleted. The blob is scoped per document:
audit-logs/{correlationId}/audit.jsonlEach line is a self-contained JSON event. The file grows only by appending - no record is ever overwritten. For compliance deployments requiring guaranteed delivery, the Enterprise audit tier routes events through Azure Service Bus before writing to blob, providing dead-letter monitoring for any failed writes. See Audit Logs configuration for tier setup.
Verify & Reproduce
VaultAudit provides two flagship verification operations accessible from the VaultLifecycle workspace.
Verify Integrity
Triggers an on-demand SHA-256 re-verification of the stored document against the hash recorded at generation time. The result - trusted, verified, or tampered - is appended to the audit log as an integrity-validated event and shown in the timeline under Integrity Re-verified.
Reproduce
Re-renders the document from the immutable .vpdf archive using the original template and original payload, then compares the output hash to the generation-time hash. A matching hash proves the archive is complete and the render engine is deterministic - the document can be reproduced byte-for-byte from its original inputs.
The reproduction result is appended to the audit log as a reproduced event and shown in the timeline as Document Reproduced, with the comparison outcome and any hash delta.
Certificate of Verification
After a successful Verify or Reproduce operation, a Certificate of Verification can be generated from the VaultLifecycle workspace. The certificate includes:
- Document identity (CorrelationId, DocumentId, DocType)
- Generation timestamp and engine version
- Template and payload paths
- Original SHA-256 hash and verification result
- Signer identities and OTP verification status (if signed)
- Archival status and audit log reference
- Verification timestamp and operator identity
The certificate is a signed PDF suitable for attachment to regulatory submissions, contract archives, or legal disclosures.
Scenarios
Scenario 1 - Annual Audit: Prove the Governance Chain for a Vendor Contract
Illustrative Example
The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.
Business context: Finance controller needs to demonstrate proper controls to external
auditors. A vendor contract went through VaultWorkflow for approval, VaultESign for
counter-signature (2 signers), and VaultDelivery for recipient delivery.
Document: Vendor Contract VC-2026-0601 (Acme Corp)
Executive view (information + compliance severities):
2026-06-01 08:00 UTC [information] VaultPDF Document Generated
2026-06-01 08:00 UTC [compliance] VaultAudit Integrity Verified
2026-06-01 10:22 UTC [compliance] VaultWorkflow Document Sealed
2026-06-01 11:05 UTC [compliance] VaultESign Document Signed - slot 0: vendor@acme.com
2026-06-01 11:29 UTC [compliance] VaultESign Document Signed - slot 1: director@contoso.com
2026-06-01 11:30 UTC [information] VaultDelivery Document Delivered
2026-06-01 11:30 UTC [compliance] VaultAudit Archived to Immutable Storage
Auditor questions this trail answers:
✓ Was the document generated by our controlled system? → Document Generated (08:00 UTC)
✓ Was document integrity verified at generation time? → Integrity Verified (08:00 UTC)
✓ Did it go through a governed approval workflow? → Document Sealed (10:22 UTC)
✓ Was each signer's identity verified before signing? → Security view: Identity Verified × 2
✓ Did both required parties sign? → Document Signed × 2
✓ Was the signed document delivered to the counterparty? → Document Delivered (11:30 UTC)
✓ Is the document in tamper-proof immutable storage? → Archived to Immutable Storage (11:30 UTC)
For deeper investigation (Full view, Level 2 expanded):
Each Document Signed event carries an 8-step eSign trail showing portal
access time, OTP challenge, OTP verification, signing timestamp, and
evidence package generation - one trail per signer slot.Scenario 2 - Legal Dispute: Export Evidence for a Contract Under Challenge
Illustrative Example
The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.
Business context: A service agreement is under dispute. Legal counsel needs to
produce a complete evidence package showing the document's chain of custody -
who created it, who signed it under verified identity, and that it has not
been altered since signing.
Actions taken in VaultLifecycle Workspace:
1. Run Verify Integrity → SHA-256 re-verification against generation-time hash
2. Download Certificate of Verification (signed PDF)
3. Export Evidence Bundle (full JSONL audit log + certificate)
Audit trail after these actions:
[compliance] 2026-06-10 14:33 UTC VaultAudit Integrity Re-verified - result: trusted
[compliance] 2026-06-10 15:00 UTC VaultAudit Evidence Exported - format: JSONL + certificate
Questions the evidence package answers for legal or arbitration proceedings:
✓ When was the document created, and by which system? → generated (timestamp + engine version)
✓ Was it modified before the parties signed? → integrity-validated hash matches document-signed hash
✓ Did both parties access the signing portal? → Level 2: Signer Opened Portal (timestamped, per slot)
✓ Was each signer's identity verified? → Identity Verified (OTP method + slot index)
✓ Did each signer give informed consent to e-signing? → evidence certificate: verbatim consent text + timestamp
✓ Has the document been altered since sealing? → Integrity Re-verified: trusted
✓ Who ran the verification and exported the evidence? → actorName + actorEmail on Integrity Re-verified and Evidence Exported eventsScenario 3 - Security Review: Spot-Check Archived Financial Documents
Illustrative Example
The following scenario is fictional and intended to demonstrate how lifecycle events and evidence trails may appear in a production deployment.
Business context: CISO requests annual verification that archived AP invoices match
their original generation-time hashes. VaultAudit's Reproduce operation re-renders
each document from the .vpdf archive and compares the output hash to the original,
proving the archive is complete and the render is deterministic.
Action: Reproduce operation run on AP Invoice INV-2026-8821
Archive retrieved: payloads/2026/inv-2026-8821.vpdf
Re-render output hash: sha256:b3d4e5f6a1b2c3d4...
Generation-time hash: sha256:b3d4e5f6a1b2c3d4...
Result: MATCHED - document reproduced byte-for-byte from the archive
Audit trail appended:
[compliance] 2026-06-12 09:15 UTC VaultAudit Document Reproduced - result: matched
Security questions this answers:
✓ Is the archive complete and uncorrupted? → reproduced: matched
✓ Is the render engine still deterministic? → same inputs produce the same SHA-256 output
✓ Could an adversary have replaced the stored PDF? → hash mismatch produces reproduced: mismatch
✓ Is there a permanent record that this check was run? → Document Reproduced event appended to audit JSONLVaultAudit Event Reference
Full reference for every Level 1 audit event - type, severity, product source, display title, and the Level 2 sub-event trails each carries.
Immutable Archive - Retention Policy
Retention period, write-lock behaviour, applicable compliance standards (SOX, IRS, EU Directive 2013/34), and GDPR Article 17 considerations for archived documents.
Reports & System Status
The VaultLifecycle Reports page provides operational health reports for your REFRACT Platform deployment, including the System Status Check PDF and platform update checks.
Event Reference
Complete reference for every VaultAudit Level 1 timeline event - event type, severity, product source, display title, and the Level 2 sub-event trails each carries.