SOC 2, HIPAA, GDPR: What Each Framework Actually Requires From Your Audit Logs

April 6, 2026 · EverScribe Team

If you’re preparing for your first compliance audit, the requirements around audit logging can feel vague. Frameworks like SOC 2, HIPAA, and GDPR all mention logging — but what do they actually require? And where do they differ?

Here’s a practical breakdown for engineering teams building (or buying) audit log infrastructure.

SOC 2: The One You’ll Hit First

SOC 2 is the most common compliance framework for B2B SaaS companies. It doesn’t prescribe specific technologies, but auditors evaluate your controls across five Trust Service Criteria. Audit logs fall under two of the Common Criteria: CC7 (System Operations) and CC6 (Logical and Physical Access Controls).

What auditors look for:

  • Completeness. Are you logging all significant system events? This includes authentication, authorization changes, data access, and administrative actions. Gaps in coverage are the most common finding.
  • Immutability. Can logged events be modified or deleted? Auditors want evidence that your logs are tamper-proof. A standard database table with UPDATE and DELETE permissions doesn’t cut it.
  • Retention. How long are logs kept? SOC 2 doesn’t specify a minimum, but auditors expect at least the audit period (typically 12 months). You need to demonstrate a defined retention policy.
  • Access controls. Who can view audit logs? Access should be restricted and itself logged. If every developer can query the audit table directly, that’s a finding.
  • Alerting. Do you monitor logs for anomalous activity? SOC 2 increasingly expects proactive monitoring, not just passive storage.

HIPAA: When Healthcare Data Is Involved

If your SaaS product handles Protected Health Information (PHI), HIPAA’s Security Rule applies. The audit log requirements are more prescriptive than SOC 2.

Key requirements under the Technical Safeguards (§164.312):

  • Audit controls (§164.312(b)). You must implement mechanisms that record and examine activity in systems containing PHI. This is not optional — it’s a required specification, not addressable.
  • What to log. HIPAA expects logs of access to PHI, login attempts (successful and failed), changes to access rights, and any modifications to PHI itself: the “who, what, when, where” of every interaction.
  • Retention. HIPAA requires documentation retention of 6 years. While this technically applies to policies rather than individual log entries, most compliance officers interpret it to include audit logs that evidence policy enforcement.
  • Integrity. Logs must be protected from alteration. If a bad actor can cover their tracks by editing log entries, the entire audit trail is compromised.
  • Review. You’re expected to regularly review audit logs — not just store them. Anomaly detection and periodic manual review both satisfy this requirement.

GDPR: The Right to Know

GDPR doesn’t explicitly mandate audit logs, but several articles create implicit requirements that are difficult to satisfy without them:

  • Article 5(2) — Accountability. You must be able to demonstrate compliance with data processing principles. Audit logs are the most practical way to evidence that you’re processing personal data lawfully.
  • Article 15 — Right of Access. Data subjects can request a record of how their data has been processed. Without audit logs, fulfilling these requests is manual and error-prone.
  • Article 33 — Breach Notification. You must notify authorities within 72 hours of discovering a breach, including the nature and scope of the incident. Audit logs are how you determine scope.
  • Article 30 — Records of Processing. You must maintain records of processing activities. Audit logs provide the granular evidence behind those records.

For GDPR, the key differentiator is that logs must be exportable and potentially shareable with regulators or data subjects. A locked-down internal system isn’t sufficient if you can’t produce the records when asked.

The Common Thread

Across all three frameworks, the pattern is consistent:

  1. Log everything significant — authentication, authorization, data access, administrative changes.
  2. Make it immutable — append-only storage with cryptographic verification.
  3. Retain it long enough — 12 months minimum, 6 years for HIPAA.
  4. Control access — restrict who can read logs, and log that access too.
  5. Monitor actively — don’t just store logs, analyze them for anomalies.
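Points 2 and 4 above are the ones that most often trip teams up in practice, so here is a worked example of what “append-only storage with cryptographic verification” and “log that access too” look like in code. This is an added illustration written for this page, not EverScribe’s implementation: a hash-chained audit log in which every entry commits to the previous entry’s HMAC, reads of the log are recorded as events in the same log, and verification checks both the chain and an out-of-band “anchored head” hash. The HMAC key (`secret`), the event names, and all event data are constructed for the example. It goes slightly beyond the list above by showing why a chain alone does not detect deletion of the newest entries, and how anchoring the head hash externally closes that gap.

```python
"""Hash-chained, append-only audit log with tamper detection (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the very first entry


def _canonical(obj):
    """Deterministic JSON so an entry always hashes the same way regardless of key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only list of entries; each entry's hash covers its body and the previous hash.

    Assumption: `secret` is held only by the log service, so someone who can edit the
    backing storage cannot recompute valid hashes after changing an entry.
    """

    def __init__(self, secret):
        self._secret = secret
        self._entries = []

    def _entry_hash(self, body, prev_hash):
        mac = hmac.new(self._secret, digestmod=hashlib.sha256)
        mac.update(prev_hash.encode())
        mac.update(_canonical(body))
        return mac.hexdigest()

    def append(self, actor, action, target, ts=None, **details):
        """Record one event. There is deliberately no update() or delete()."""
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        body = {
            "seq": len(self._entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "details": details,
        }
        entry = dict(body, prev_hash=prev_hash, hash=self._entry_hash(body, prev_hash))
        self._entries.append(entry)
        return entry

    def head(self):
        """Current tip of the chain; publish or store this out of band (point 2)."""
        return self._entries[-1]["hash"] if self._entries else GENESIS_HASH

    def read(self, actor):
        """Return a copy of the log, recording the read itself as an event (point 4)."""
        self.append(actor, "audit_log.read", "audit_log", entries=len(self._entries))
        return [dict(e) for e in self._entries]

    def verify(self, expected_head=None):
        """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False, i
            if not hmac.compare_digest(entry["hash"], self._entry_hash(body, prev_hash)):
                return False, i
            prev_hash = entry["hash"]
        # Truncating the tail leaves a valid shorter chain; only the anchored head catches it.
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self._entries)
        return True, None


def demo():
    """Exercise the log with constructed events and simulated storage tampering."""
    log = AuditLog(secret=b"example-log-service-key")  # constructed key, not a real one
    log.append("alice", "login.success", "session", ts="2026-04-06T10:00:00Z", ip="203.0.113.7")
    log.append("alice", "record.view", "patient/42", ts="2026-04-06T10:01:00Z")
    log.append("admin", "role.grant", "user/bob", ts="2026-04-06T10:02:00Z", role="auditor")
    anchored_head = log.head()  # what you would store/publish outside the log's own storage
    results = {"clean": log.verify(expected_head=anchored_head)}

    # Simulate someone editing storage directly to hide which record was viewed.
    log._entries[1]["target"] = "patient/99"
    results["edited"] = log.verify(expected_head=anchored_head)
    log._entries[1]["target"] = "patient/42"

    # Simulate the newest entry being deleted from storage.
    removed = log._entries.pop()
    results["truncated_unanchored"] = log.verify()
    results["truncated_anchored"] = log.verify(expected_head=anchored_head)
    log._entries.append(removed)

    # Reading the log is itself an audited event, and the chain stays valid afterwards.
    log.read("auditor")
    results["read_logged"] = log._entries[-1]["action"] == "audit_log.read"
    results["after_read"] = log.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In a real deployment the entries would live in a write-only store (a table whose application role has INSERT but no UPDATE or DELETE, or an object store with retention locks) and the head hash would be written somewhere the log service cannot overwrite, for example a separate account or a periodic signed export; the verification routine above is what an auditor-facing “prove the log is intact” endpoint would call.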

Building all of this from scratch means designing event schemas, implementing tamper-proof storage, building search and export capabilities, and setting up retention policies — before you even get to the embeddable UI your enterprise customers expect to see.

EverScribe handles all of this out of the box. Immutable storage, configurable retention, AI-powered anomaly detection, and a compliance-ready export system — deployed in under 30 minutes.

Your next audit doesn’t have to be a scramble.