
Architecture Principle · 04 of 9
Audit Everywhere
Audit isn't a feature you turn on. It's the default state. Every create, update, delete, and sensitive read operation produces an immutable audit entry with user, timestamp, IP, before/after values, and reason.
What this means
In practice.
Tamper-proof log of every CRUD operation across every module
Sensitive reads logged separately (Aadhaar, PAN, salary, contracts)
Audit log immutable — cannot be edited, only appended
Compliance-ready exports for SOC 2, ISO 27001, GDPR, Aadhaar Act audits
How it works
Under the hood.
Centralized middleware
Audit logging is implemented in platform middleware. Modules can't bypass it; new modules inherit it automatically.
Append-only
The audit log uses an append-only PostgreSQL tablespace. No UPDATE or DELETE is allowed at the DB level.
Structured payload
Each entry includes user, IP, action, entity type, entity ID, before JSON, after JSON, reason, request ID.
Retention + indexing
Configurable retention per category. Indexed for fast search by user, entity, date range.
Real-World Example
Real-world: GST audit query in 30 seconds
Before
Auditor asked who modified a specific invoice 8 months ago. IT team spent 2 days digging through logs and database backups.
After
Filter audit log by entity_id. 30 seconds to find user, timestamp, and exact field-level changes. Auditor signed off the same day.
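
One way to enforce the append-only rule and the structured payload described under "How it works", and to run the entity_id lookup from the example above, in PostgreSQL. This is an added example, not Papyrus BPApp's actual schema; the table, column, role, function and trigger names and the invoice ID are assumptions, and the role app_rw is assumed to exist already.

```sql
-- Added illustration: all object names below are assumed, not the product's schema.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    user_id     text        NOT NULL,
    ip          inet        NOT NULL,
    action      text        NOT NULL CHECK (action IN ('create','update','delete','read')),
    entity_type text        NOT NULL,
    entity_id   text        NOT NULL,
    before_json jsonb,                 -- NULL for creates and reads
    after_json  jsonb,                 -- NULL for deletes and reads
    reason      text,
    request_id  uuid        NOT NULL
);

-- Indexes matching the stated search paths: by user, by entity, by date range.
CREATE INDEX audit_log_user_idx   ON audit_log (user_id, occurred_at);
CREATE INDEX audit_log_entity_idx ON audit_log (entity_type, entity_id, occurred_at);
CREATE INDEX audit_log_time_idx   ON audit_log (occurred_at);

-- The application role (hypothetical name app_rw) may only append and read.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_rw;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_rw;

-- Second layer: reject changes even from roles that do hold the privilege.
-- A superuser or the table owner can still drop these triggers, so the
-- application must not connect as either.
CREATE FUNCTION audit_log_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_reject_change();
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_change();

-- The auditor's question: who changed this invoice, when, and which fields?
SELECT occurred_at, user_id, ip, action, reason, before_json, after_json
FROM audit_log
WHERE entity_type = 'invoice' AND entity_id = 'INV-EXAMPLE-0001'  -- constructed ID
ORDER BY occurred_at;
```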
