Policies
Map.ca policy

Audit Logging Policy

What Map.ca logs for audit purposes, how those logs are protected, retained, and used.

Audit logs make appeals, incident review, and accountability possible. The Audit Logging Policy defines what events are logged (access, moderation actions, civic routing, AI-involved decisions, configuration changes), the log integrity posture (tamper-evident where possible), the retention period by log category, the access controls on logs, and the rules that prevent audit logs from becoming surveillance datasets.

It applies to engineering, security, moderation, and compliance functions.

Requirements

  • Log moderation actions, AI-involved decisions, access events, and configuration changes.
  • Protect log integrity with documented tamper-evident measures.

Prohibitions

  • Do not use audit logs as a surveillance dataset.
  • Do not retain audit logs past the documented retention period.

Related policies

Security PolicyHow Map.ca protects accounts, infrastructure, secrets, and operational data day to day.Access Control PolicyHow internal access to production systems, user data, and admin functions is granted, reviewed, and revoked.Incident Response PolicyHow Map.ca classifies, responds to, and communicates about security and operational incidents.