8. Audit Records
8.1 Requirements
Every verification event must produce an audit record. Audit records must be:
- Generated at the time of the decision, not retrospectively
- Tamper-evident, using a SHA-256 hash of the full record payload
- Retained for a minimum period consistent with applicable regulatory requirements (suggested minimum: 7 years for data subject to GDPR or HIPAA)
- Structured in a format that can be exported and presented to a regulator or auditor without specialist tooling
8.2 Audit record schema
| Field | Type | Required | Description |
|---|---|---|---|
| audit_id | string (UUID v4) | REQUIRED | Unique identifier for this audit record. |
| request_id | string (UUID v4) | REQUIRED | The request_id from the originating verification request. |
| pct_id | string (UUID v4) | REQUIRED | The pct_id of the PCT evaluated. |
| issuer | string (URI) | REQUIRED | The issuer of the PCT evaluated. |
| requestor_id | string | REQUIRED | The system that made the verification request. |
| requested_action | enum | REQUIRED | The action that was requested. |
| requested_purpose | string | REQUIRED | The purpose stated in the verification request. |
| processing_region | string | REQUIRED | The region in which the action was to be performed. |
| decision | enum | REQUIRED | The enforcement decision: ALLOW, BLOCK, or TRANSFORM. |
| checks_performed | array of object | REQUIRED | The ordered list of checks performed, each including check_name, result (pass/fail), and reason. |
| decision_timestamp | integer (Unix epoch) | REQUIRED | Timestamp at which the decision was made. |
| record_hash | string (hex) | REQUIRED | SHA-256 hash of the JSON-serialised audit record (excluding the record_hash field itself). Enables tamper detection. |
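
An added example (not part of the specification) of computing and checking record_hash as the table describes it. The specification does not define a canonical JSON form, so sorted keys, compact separators and UTF-8 are assumptions here, as are the function names and every sample field value.

```python
import hashlib
import hmac
import json

def canonical_bytes(record: dict) -> bytes:
    """Serialise every field except record_hash in one fixed byte form."""
    payload = {k: v for k, v in record.items() if k != "record_hash"}
    # Assumption: sorted keys, compact separators, UTF-8 (not set by the spec).
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def seal(record: dict) -> dict:
    """Return a copy of the record with record_hash filled in."""
    sealed = dict(record)
    sealed["record_hash"] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return sealed

def verify(record: dict) -> bool:
    """Recompute the hash and compare it with the stored value."""
    stored = record.get("record_hash")
    if not isinstance(stored, str):
        return False  # a missing or malformed hash counts as a failure
    expected = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return hmac.compare_digest(stored.lower().encode(), expected.encode())

# Constructed sample record; every value below is illustrative.
SAMPLE = {
    "audit_id": "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
    "request_id": "7a1c9d2e-8b3f-4c5d-a6e7-1f2a3b4c5d6e",
    "pct_id": "c4d5e6f7-0a1b-4c2d-8e3f-9a8b7c6d5e4f",
    "issuer": "https://issuer.example",
    "requestor_id": "billing-service",
    "requested_action": "READ",  # placeholder enum value
    "requested_purpose": "invoice generation",
    "processing_region": "eu-west-1",
    "decision": "BLOCK",
    "checks_performed": [
        {"check_name": "purpose_match", "result": "pass", "reason": "ok"},
        {"check_name": "region_allowed", "result": "fail",
         "reason": "region not permitted by PCT"},
    ],
    "decision_timestamp": 1735689600,
}

if __name__ == "__main__":
    sealed = seal(SAMPLE)
    print(sealed["record_hash"], verify(sealed))
    print(verify(dict(sealed, decision="ALLOW")))  # altered after sealing
```

Producer and verifier must agree on the serialisation byte for byte, otherwise untouched records fail verification. The hash reveals modification only when it is compared against a copy held where a writer of the record store cannot also rewrite it.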