Which actions are recorded and for how long.
An overview of the append-only audit records that LDPS Africa keeps to support customer investigations, dispute resolution and internal review.
This document is app-owned editable content, not a third-party attestation or certification. It describes controls and practices as they exist at the review date.
What we record
- Authentication events — sign-in, sign-out, password reset, MFA enrolment.
- Role changes — every grant and revoke on
user_roles, with actor, target and previous value. - Subscription lifecycle — trial start, grace transitions, expiry, admin overrides.
- Payment outcomes — successful captures and failures for Paddle and M-Pesa, with provider reference IDs.
- KPI snapshots and audit runs — created, updated and deleted records with actor and timestamp.
- Security-sensitive reads — access to the suppression list, restore of a backup, and edits to compliance milestones.
Where records live
Records are written to append-only tables (audit_log, operational_events, sla_incidents, payment_failures) with RLS restricting reads to super-admins. Client-side and server-side errors are captured to error_log with a request ID for cross-referencing.
Retention
Authentication and role-change events are retained for 3 years. Financial and payment events are retained for 7 years to support statutory reporting. Error logs are retained for 90 days.
Access and export
Customers can request an audit-trail export for their own account by writing to privacy@ldpsafrica.com. Verified requests are fulfilled within 30 days.
Integrity
Audit tables have INSERT, UPDATE and DELETE revoked from all client-facing roles. Writes are performed by verified server-side functions only. Modifications outside that path are not possible through the public API.
Email security@ldpsafrica.com for the security team or info@ldpsafrica.com for general enquiries.