Logging and Monitoring Policy (A.8.15, A.8.16)

Document ID: logging-monitoring-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual

Purpose

Define what events are logged, how logs are protected, and how anomalous behaviour is detected and alerted.

Event category	System	Log destination
Authentication attempts (success + failure)	sigmashake-sso	Workers Logpush + D1 audit_events
API key usage	Cloudflare API Gateway	Cloudflare audit log
Evidence collection outcomes	sigmashake-compliance	D1 evidence_runs + R2
Compliance gaps opened/closed	sigmashake-compliance	D1 gaps
Deployment events	Cloudflare Workers	Wrangler deploy audit + deployments collector
Staff portal access	sigmashake-compliance	D1 audit trail
Webhook events (Stripe, GitHub)	sigmashake-compliance	evidence_runs

Log type	Retention	Storage
Evidence objects	90 days immutable (Object Lock) + indefinite in practice	R2 EVIDENCE
Audit packages	3 years	R2 AUDIT_PACKAGES
D1 evidence_runs	Indefinite (D1 is durable)	D1
Cloudflare analytics	30 days (free plan) / longer with paid	Cloudflare
SSO audit events	90 days	D1 audit_events

Evidence blobs are signed (Ed25519) and stored in R2 with Object Lock in Compliance mode
Daily Merkle roots make log tampering cryptographically detectable
D1 evidence_runs is append-only by design; no DELETE or UPDATE operations on evidence rows

What	How	Cadence
Collector staleness	`cron-health` opens gap if collector > 1.5× cadence	Daily
Anomalous SSO activity	`sso-audit-sync` processes Okta/SSO audit events	Daily
Worker tail consumers	`tail-consumer-coverage` verifies log tail is active	Weekly
WAF rule state	`waf-state` verifies WAF is active and rules unchanged	Weekly

Discord webhook (COMPLIANCE_DISCORD_WEBHOOK) receives: