How to monitor team activity with SimplePDF audit logs

Benjamin André-Micolon

Regulated workflows need a record of what changed. The SimplePDF audit log records who did what, when, from which IP address, and on which document, across your entire account. It is the surface auditors, compliance officers, and internal investigators look at when they need to reconstruct what happened.

Audit logs are available with the Premium plan

Why teams turn on audit logs

The audit log answers the questions an internal audit, a customer security review, or a compliance program (HIPAA, GDPR, and similar frameworks) will ask:

Who did what? Every dashboard sign-in, every configuration change, every document or submission mutation, and every member, webhook, storage, and API key change is attributed to a specific user, API key, or system actor.
What changed and when? Configuration changes, role changes, storage updates, webhook updates, and document edits each carry an exact timestamp and a structured diff of the values before and after.
From where? Every event records the IP address and user agent of the actor, so unusual locations or unfamiliar clients stand out at a glance.
Can I export it? The log is server-side and exportable as CSV for archival or compliance review.

What ends up in each row

Each entry carries five pieces of forensic detail:

When: the timestamp captured at the moment the action happens, so background processing lag never drifts the recorded time.
Who: the actor that performed the action. One of four types:
- Member: a team member on this company. The display name resolves at read time, so a rename propagates through historical rows; the email stays as the stable fallback if the member is later removed.
- API key: a REST API key, recorded by its key id.
- External party: someone outside your team. Anonymous form submitters and pre-authentication actions (like requesting a sign-in code) fall into this bucket. The IP and user agent live in the row's metadata. The actor filter offers "External parties" as a single category — to drill into a specific submitter, sort or search the IP column in the CSV export.
- System: SimplePDF itself, for actions that have no human actor (for example, a plan transition emitted by the Stripe webhook).
Action: the canonical action name (document.deleted, company_user.updated, etc.).
Target: the resource the action was performed on (document, submission, member, webhook, storage configuration, API key, session, invitation, or company).
Changes (when relevant): a structured before / after diff for actions that mutate state. Heavy payloads like full page snapshots or full form-field arrays are recorded as a change flag rather than serialized in full, so audit rows stay compact.
Request context: IP address and user agent of the request that triggered the event.

Every event SimplePDF records

The audit log captures the full set of mutating actions across your account, grouped by surface. Each event below is recorded with its actor, timestamp, target, IP, and user agent. Mutating actions performed through the REST API are recorded with an API key actor and appear alongside dashboard activity.

Audit event	Dashboard label	What it records
`session.created`	Logged in	A team member signs into the dashboard.
`session.deleted`	Logged out	A team member signs out, or their session is invalidated.
`otp.created`	Requested a sign-in code	A one-time sign-in code is issued for a user's email address.
`invitation.created`	Invited a member	An admin invites a new member by email. The invitee's email is the target; the invitation has no user id yet because the invitee has not accepted.
`company_user.created`	Joined the team	An invitee accepts the invitation and becomes a team member.
`company_user.updated`	Updated a member	A member's role or display name changes. The row carries a before / after diff for each field that actually changed.
`company_user.deleted`	Removed a member	A member is removed from the team. The row records the role the member held at the moment of removal, so a later review can answer "what access did this person have when they left?".
`company.updated`	Updated company settings	A change to the company name, identifier, logo, loading screen, or billing plan. Plan transitions emitted by the Stripe webhook are folded into this event with a `system` actor, so upgrades and downgrades show up in the same audit stream as the rest of your configuration history.
`byos.created`	Configured storage	S3, Scaleway Object Storage, Azure Blob Storage, or SharePoint is connected as the destination for documents and submissions.
`byos.updated`	Updated storage	The storage configuration changes (bucket switched, region changed, credentials rotated, container or library moved).
`byos.deleted`	Removed storage	The bring-your-own-storage configuration is removed and submissions revert to default SimplePDF storage.
`api_key.created`	Created an API key	A new REST API key is generated.
`api_key.deleted`	Revoked an API key	A REST API key is revoked.
`webhook.created`	Created a webhook	A new webhook endpoint is added for submission events.
`webhook.updated`	Updated the webhook	The webhook destination URL changes.
`webhook.deleted`	Deleted the webhook	The webhook endpoint is removed.
`document.created`	Created a document	A document is uploaded or created in the dashboard or via the API.
`document.updated`	Updated a document	A document's name, type, pages, or fields change. Renames and type changes carry a before / after diff; page and field changes are recorded as a presence flag so audit rows stay compact under heavy editing.
`document.deleted`	Deleted a document	A document is deleted from the dashboard or via the API.
`submission.created`	Submitted a filled document	A submitter finishes filling a PDF and the completed submission lands in your dashboard. When the submitter is a team member of this company (signed in to the dashboard), the actor is `member`; otherwise the actor is `external_party`. The submitter's IP address and user agent are always recorded in the row's metadata for forensic detail.
`submission.deleted`	Deleted a submission	A submitted PDF is deleted.

A few details worth knowing about what ends up in the row:

Storage configuration snapshots capture the storage type and the non-secret fields (S3 bucket and region, Azure container, SharePoint site and document library). Secrets like access keys, client secrets, and tokens are never written to the audit log.
Webhook URLs are recorded with the row, with any credentials embedded in the URL stripped before storage.
Plan changes are recorded as a company.updated event with a system actor, so upgrades and downgrades show up in the audit stream.

Review and filter activity

The audit log lives at /account/audit-logs and is visible to admins on the Premium plan.

Date range: pick a preset (last 24 hours, last 7 / 14 / 30 / 60 / 90 days). The last-24-hour window auto-refreshes every 30 seconds so the listing feels live during an active investigation.
Actor: filter by a specific user, an API key, or system actions.
Action: filter by one or more event types. For example, just document.deleted and submission.deleted when you are reviewing data-removal activity.

Filters are URL-encoded, so links to a filtered view are shareable across your team. Refreshing the page or opening the link from a ticket lands on the same filtered slice.

Export for compliance reviews

Click Export selection to download the current filter as a CSV. The CSV carries one column per forensic field: timestamp, actor type / id / email / name, action, target type / id / email / name, structured changes payload, IP address, and user agent. It is ready for ingestion into your compliance archive.

A slice of what an export looks like:

audit-events.csv

One user session: a sign-in, document edits, a teammate invitation, and a company rename

timestamp,actor_type,actor_id,actor_email,actor_name,action,target_type,target_id,target_email,target_name,changes,ip_address,user_agent
2026-05-13T16:05:51.300Z,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,Bob,invitation.created,invitation,,john@simplepdf.com,,,192.0.2.42,Mozilla/5.0
2026-05-13T16:05:27.508Z,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,Bob,document.created,document,23f64565-0ab3-47f6-803b-1c0ea43b6125,,Weir_Egg.pdf,,192.0.2.42,Mozilla/5.0
2026-05-13T16:04:53.092Z,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,Bob,document.updated,document,1b38331b-4136-48b3-b752-ad2472e6a40d,,acme-meeting-minutes.pdf,"{""name"":{""to"":""acme-meeting-minutes.pdf"",""from"":""meeting-minutes.pdf""}}",192.0.2.42,Mozilla/5.0
2026-05-13T16:03:57.857Z,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,Bob,company.updated,company,1a2a7f1d-285a-4335-a283-a768800b3f7e,,Acme Corp,"{""name"":{""to"":""Acme Corp"",""from"":""Acme""}}",192.0.2.42,Mozilla/5.0
2026-05-13T16:01:33.003Z,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,Bob,session.created,session,b30eb244-77fc-4f51-9f90-b518b053a48c,,,,192.0.2.42,Mozilla/5.0
2026-05-13T16:01:24.424Z,external_party,,,,otp.created,company_user,c5be85d7-1958-413f-bd1d-27d776655d84,bob@simplepdf.com,,,192.0.2.42,Mozilla/5.0

Retention

Audit rows are retained for 365 days from the event timestamp. If your compliance program requires longer retention, contact us and we will work out a retention window that fits your policy.

How to access your audit log

Sign in to your SimplePDF account with an admin user on the Premium plan.
Open the account menu and click Audit logs, or navigate directly to /account/audit-logs.
Use the date range, actor, and action filters in the toolbar to narrow the view.
Click Export selection to download a CSV of the filtered events.

If your team is on the Free, Basic, or Pro plan and you want to enable the audit log, see the Premium plan overview or schedule a demo to talk through your compliance setup.

That's it! Every significant action across your SimplePDF account is now recorded, filterable, and exportable for compliance review.

If you have any questions, feel free to reach out to support@simplepdf.com