SOC 2

Access to Audit Trails

Effective: March 17, 2026 · DCF-429

1. Purpose

This document defines the access controls, tamper protection mechanisms, and monitoring procedures governing H33.ai's audit trails. Audit logs are critical evidence for security investigations, compliance audits, and operational troubleshooting. Unauthorized access, modification, or deletion of audit records undermines the integrity of these processes and is strictly prohibited.

2. Audit Log Sources

H33.ai collects and retains audit logs from the following sources across its production infrastructure:

  • AWS CloudTrail: Records all AWS API calls across all services, including who made the call, the source IP, the timestamp, and the request/response parameters. Covers EC2, RDS, S3, Secrets Manager, IAM, and all other AWS services in use.
  • CloudWatch Logs: Application-level logs from EC2 instances, Elastic Beanstalk environments (Auth1), and Lambda functions. Includes authentication events, error logs, and performance metrics.
  • DataDog: Infrastructure metrics, application performance monitoring (APM) traces, and custom alerts. Provides real-time visibility into system health and anomaly detection.
  • GitLab Audit Logs: Source control activity including merge requests, branch protections, permission changes, CI/CD pipeline executions, and repository access events.
  • Auth1 Logs: Authentication events for all tenants: login attempts (successful and failed), OTP delivery, token issuance, password changes, and account lockouts.
  • Microsoft 365 Audit Logs: Email activity, administrative changes, file access in SharePoint/OneDrive, and security events from Microsoft Defender for Endpoint.
  • Drata Activity Logs: Compliance monitoring events, evidence collection activities, control test results, and policy acknowledgment records.

3. Access Restrictions

Audit logs are treated as append-only, immutable records. The following access restrictions are enforced:

  • Read-only access: No user, including administrators, has the ability to modify, overwrite, or delete audit records during the defined retention period.
  • Principle of least privilege: Access to audit logs is restricted to personnel with a documented business need.
  • No shared credentials: All audit log access is tied to individual, named accounts with multi-factor authentication (MFA) required.
  • Separation of duties: Personnel who are the subjects of audit logging do not have administrative access to modify log configurations or retention settings.

Access Control Matrix

  • Eric Beans (CEO/CISO): Full read access to all audit log sources. Cannot modify or delete log records. Responsible for quarterly review of audit trail integrity and access patterns.
  • Drata (Automated): Read-only API access to designated log sources for automated compliance evidence collection. Service account with scoped IAM permissions. No interactive access.
  • DataDog (Automated): Read access to CloudWatch Logs and custom metrics endpoints for monitoring and alerting. Configured via IAM role with read-only policy. No access to CloudTrail or Secrets Manager logs.
  • External Auditors: Time-limited read access granted during audit engagements via temporary IAM credentials. Access revoked immediately upon audit completion.

4. Tamper Protection

H33.ai implements multiple layers of tamper protection to ensure the integrity and authenticity of all audit records:

  • CloudTrail log file validation: Enabled on all trails. AWS generates a digitally signed digest file every hour, enabling detection of any log file modification, deletion, or forgery after delivery to S3.
  • S3 bucket versioning: Enabled on all log storage buckets. Every version of every log file is preserved, preventing silent overwrites.
  • MFA delete protection: Enabled on log storage S3 buckets. Deletion of any object version requires MFA authentication from the root account, providing a hardware-backed safeguard against unauthorized deletion.
  • S3 Object Lock (Compliance mode): Applied to CloudTrail log files. Objects cannot be deleted or overwritten by any user, including the root account, until the retention period expires.
  • CloudWatch Logs retention lock: Log groups have defined retention periods. Logs are immutable during the retention window and cannot be manually deleted.
  • Encryption at rest: All log storage buckets use server-side encryption (SSE-S3 with AES-256). CloudWatch Logs are encrypted with AWS-managed keys.
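
The hash comparison that underlies CloudTrail log file validation, as an added example (not H33.ai's or AWS's code): each digest lists a SHA-256 hash for every delivered log file plus the hash of the previous digest, so an edited or deleted file, or a replaced digest, breaks the chain. The object keys, account ID and file contents are constructed, and the RSA signature check that `aws cloudtrail validate-logs` also performs is left out.

```python
import hashlib
import json

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_digest(digest, objects, prev_digest_bytes):
    """Return findings for one digest; an empty list means every hash matched."""
    findings = []
    for entry in digest["logFiles"]:
        body = objects.get(entry["s3Object"])
        if body is None:
            findings.append("missing log file: " + entry["s3Object"])
        elif sha256_hex(body) != entry["hashValue"]:
            findings.append("modified log file: " + entry["s3Object"])
    # Each digest also pins the previous digest, so a digest cannot be swapped out.
    expected = digest.get("previousDigestHashValue")
    if expected is not None:
        if prev_digest_bytes is None:
            findings.append("missing previous digest")
        elif sha256_hex(prev_digest_bytes) != expected:
            findings.append("previous digest does not match chain")
    return findings

def build_sample():
    """Constructed log files and digests (not real CloudTrail output)."""
    logs = {
        "AWSLogs/111122223333/CloudTrail/a.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        "AWSLogs/111122223333/CloudTrail/b.json": b'{"Records":[{"eventName":"GetObject"}]}',
    }
    prev = json.dumps({"logFiles": [], "previousDigestHashValue": None}).encode()
    digest = {
        "previousDigestHashValue": sha256_hex(prev),
        "logFiles": [{"s3Object": k, "hashValue": sha256_hex(v), "hashAlgorithm": "SHA-256"}
                     for k, v in logs.items()],
    }
    return digest, logs, prev

if __name__ == "__main__":
    digest, logs, prev = build_sample()
    print("untouched:", check_digest(digest, logs, prev))
    logs["AWSLogs/111122223333/CloudTrail/a.json"] = b'{"Records":[]}'
    print("after edit:", check_digest(digest, logs, prev))
```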

5. Monitoring and Alerting

The following monitoring controls detect and alert on unauthorized or anomalous access to audit log infrastructure:

  • CloudTrail alerts: CloudWatch alarms trigger on any API call that attempts to delete or modify CloudTrail configurations, S3 bucket policies on log storage, or log group settings.
  • Unauthorized access attempts: Failed access attempts to log storage S3 buckets and CloudWatch log groups generate alerts via DataDog integration.
  • IAM policy changes: Any modification to IAM policies that govern log access triggers an immediate alert to the CISO.
  • Digest file validation: CloudTrail digest files are periodically validated using the AWS CLI validate-logs command to confirm no tampering has occurred.
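
One way to express the CloudTrail alerts item above as detection logic over CloudTrail records, as an added example that is not H33.ai's alarm configuration. The bucket name, account ID and sample records are constructed, and the event-name list is an illustrative selection of real CloudTrail event names, not the company's rule set.

```python
# eventSource -> eventNames that change or remove audit logging controls.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketVersioning",
                         "PutBucketLifecycle"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy",
                           "DeleteRetentionPolicy"},
}
LOG_BUCKETS = {"example-audit-logs"}  # hypothetical log storage bucket

def classify(record):
    """Return an alert dict for a tamper attempt on log infrastructure, else None."""
    source, name = record.get("eventSource"), record.get("eventName")
    if name not in TAMPER_EVENTS.get(source, ()):
        return None
    if source == "s3.amazonaws.com":
        bucket = (record.get("requestParameters") or {}).get("bucketName")
        # Skip only buckets known not to hold logs; alert when the bucket is unknown.
        if bucket is not None and bucket not in LOG_BUCKETS:
            return None
    # Denied calls carry an errorCode; they are attempts and still alert.
    outcome = "denied" if record.get("errorCode") else "succeeded"
    actor = (record.get("userIdentity") or {}).get("arn", "unknown")
    return {"event": name, "actor": actor, "outcome": outcome, "time": record.get("eventTime")}

def scan(records):
    return [alert for alert in map(classify, records) if alert]

USER = {"arn": "arn:aws:iam::111122223333:user/example-user"}  # constructed identity
SAMPLE_RECORDS = [  # constructed records, not real log data
    {"eventTime": "2026-03-17T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": USER},
    {"eventTime": "2026-03-17T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": USER, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-audit-logs"}},
    {"eventTime": "2026-03-17T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": USER,
     "requestParameters": {"bucketName": "example-website-assets"}},
    {"eventTime": "2026-03-17T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": USER},
    {"eventTime": "2026-03-17T10:04:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DeleteLogGroup", "userIdentity": USER},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```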

6. Review Schedule

  • Quarterly: CISO reviews audit trail access logs, validates that access permissions remain appropriate, and confirms tamper protection mechanisms are functioning correctly.
  • On personnel change: Audit log access permissions are reviewed and updated within 24 hours of any personnel change (hire, termination, role change).
  • Annual: Comprehensive audit trail access review as part of SOC 2 audit cycle, including validation of all tamper protection controls.

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
