Skip to main content

UC-028: Record Audit Trail

Reference Flow

Corresponds to Flow 7 — Traceability and Audit.

Functional Specification

This use case defines intended behavior. The audit trail system is not yet implemented.

Description

Every relevant operation in the platform generates an audit record on the blockchain following the pattern: hash on-chain, data off-chain. The blockchain record contains the operation hash, event type, participating DIDs, timestamp, and a reference to off-chain detail. No personal data is ever stored on-chain. This ensures full traceability while maintaining privacy and GDPR compliance.

Actors

  • System: Automatically records audit events for every relevant operation
  • Blockchain: Distributed network where hashes and metadata are stored
  • Storage Node: Off-chain storage for detailed audit data (encrypted if containing personal data)

Preconditions

  • The blockchain is operational
  • A relevant operation has been performed (see tracked events below)

Tracked Events

The following operations generate audit records on the blockchain:

  • DID registration (UC-001, UC-003)
  • Credential issuance (UC-012)
  • Credential revocation (UC-016)
  • Information requests (UC-014)
  • Consent granted (UC-013)
  • Verifiable presentations generated (UC-013)
  • Verification results (UC-015)
  • Trust framework registrations and revocations (UC-025, UC-027)
  • Key rotation (UC-024)
  • DID Document updates

Main Flow

  1. A relevant operation is performed in the platform
  2. The system generates an audit record containing:
    • Hash of the operation
    • Event type (issuance, revocation, presentation, consent, trust framework change, etc.)
    • DIDs of the participants
    • Timestamp
    • Reference to off-chain detail (in encrypted storage or private logs)
  3. The audit record is registered on the blockchain
  4. Detailed operation data is stored off-chain (encrypted if containing personal data)

Alternative Flows

AF-1: Blockchain unavailable

  • At step 3, the blockchain is not accessible
  • The audit record is queued and retried when the blockchain becomes available
  • The operation itself is not blocked by audit recording failure

Postconditions

  • The operation hash is recorded on the blockchain as immutable evidence
  • The off-chain detail is stored securely for authorized consultation
  • No personal data exists on the blockchain

Modules Involved

ModuleRole
backendAudit event generation, hash computation, off-chain storage
blockchainImmutable audit record storage, hash registration
storageOff-chain detail persistence (encrypted)

Technical Notes

  • Pattern: Hash on-chain, data off-chain — the blockchain stores only hashes and metadata, never personal data
  • GDPR compliance: Personal data is always off-chain and can be deleted (right to erasure). Hashes on blockchain are irreversible and do not constitute personal data by themselves
  • Off-chain retention: Off-chain logs with personal data are subject to retention policies and can be deleted when necessary
  • Immutability: On-chain records are immutable — they serve as tamper-proof evidence of operations
  • Standards: GDPR (data protection), eIDAS 2.0 (audit requirements)