Audit log
Every meaningful action in Mnemos is recorded with actor, target, context, and provenance.
The audit log is append-only and tenant-scoped. It is the system of record for compliance — security questionnaires, SOC 2 evidence, and forensic investigations all draw from it.
Event structure
Each event is a flat JSON object. Fields:
id— ULID, monotonically increasing.type— dotted event name (see catalog below).at— RFC 3339 timestamp with nanosecond precision.actor— who initiated the event; user, service, or system.target— the resource affected, by type and id.context— IP, user-agent, request id, source key id.diff— structured before/after for mutating events.
{
"id": "01HZX4QV4M7AAB...",
"type": "sop.approved",
"at": "2026-05-18T14:22:01.482Z",
"actor": { "type": "user", "id": "usr_01H...", "email": "priya@acme.com" },
"target": { "type": "sop", "id": "sop_01H..." },
"context": {
"ip": "203.0.113.42",
"ua": "Mozilla/5.0",
"request_id": "req_01H...",
"api_key_id": null
},
"diff": { "status": { "from": "review", "to": "approved" } }
}Event taxonomy
| Type | Note |
|---|---|
| auth.session.created | A user signed in. |
| auth.session.revoked | A session was terminated. |
| auth.mfa.challenged | A step-up was issued. |
| members.invited | A member invite was sent. |
| members.role_changed | A member's role changed. |
| members.removed | A member was removed from the workspace. |
| sso.config.updated | SSO configuration changed. |
| scim.user.provisioned | SCIM created or updated a user. |
| session.started | An interview session began. |
| session.completed | An interview session ended. |
| sop.approved | An SOP moved to approved state. |
| sop.archived | An SOP was archived. |
| graph.entity.updated | A graph entity was created or edited. |
| chat.query.answered | An AI search produced an answer. |
| chat.query.redacted | An AI search filtered content for permissions. |
| api_key.created | A new API key was issued. |
| api_key.revoked | An API key was revoked or expired. |
| webhook.delivered | A webhook was delivered successfully. |
| webhook.failed | A webhook delivery failed after retries. |
| export.initiated | A data export was started. |
Export
Owners can export the audit log on demand or stream it continuously to Splunk, Datadog, S3, or any HTTPS endpoint. Streams are signed with HMAC-SHA256 and include a sequence header that lets you detect gaps.
curl -X POST https://api.mnemos.ai/v1/audit/exports \
-H "Authorization: Bearer $MNEMOS_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"from": "2026-04-01T00:00:00Z",
"to": "2026-05-01T00:00:00Z",
"format": "ndjson",
"destination": { "type": "s3", "bucket": "acme-audit", "prefix": "mnemos/" }
}'Retention
Default retention is 7 years on Business and Enterprise plans, 1 year on Starter. Retention is configurable up to 10 years per organization. Beyond that, you can self-host the export stream and retain indefinitely under your own controls.