Audit log — every action, every member, every timestamp

I want to tell you about the audit log because it's the unsexy feature that quietly carries the weight in every enterprise rollout I've ever been part of. Nobody buys a SaaS product because the audit log is great. But six months in, when someone changes the wrong link 30 minutes before a launch, the audit log is the only reason you can answer 'how did this happen' in 60 seconds rather than 60 minutes.

Linkstacked logs every meaningful action across the workspace, immutably, with full before-and-after state. The log is searchable, filterable, and exportable. On Scale it's unlimited retention; on Build it's 180 days. Below Build, the audit log is summary-only.

What gets logged

• Every link create / edit / delete, with before-and-after JSON
• Every theme change, with the diff of styling properties
• Every member invite, acceptance, role change, and removal
• Every billing event — card update, plan change, refund initiated
• Every integration connect / disconnect (Stripe, Mailchimp, etc.)
• Every SSO event — successful login, failed login, role assigned via SCIM
• Every export — analytics CSV downloads, member list exports, audit log exports
• Every login (workspace-level and via per-member 2FA)

Each log entry includes: actor (the member who did it), action type, target (the link / theme / member / etc. that was affected), timestamp (to millisecond precision), IP address, user agent, before-state, after-state. So you can fully reconstruct what changed and roll back if needed.

Immutability — why it matters

Audit log entries cannot be edited or deleted by anyone, including the workspace Owner. They are append-only by design. This is a hard requirement for any compliance regime (SOC2, ISO27001, HIPAA, PCI-DSS) and we built the storage layer specifically to guarantee it.

Technically, audit logs are written to an append-only column-store with verified hash chains — each log entry includes a hash of its predecessor, so any attempt to retroactively rewrite the history breaks the chain. We verify the chain nightly. If a verification ever failed, that's a P0 incident on our side.

Searching the log

The audit-log UI supports filters across every field:

• By actor — 'show me everything Maya did this week'
• By target — 'show me every change to the launch-link in the last 30 days'
• By action type — 'show me every member-removal in the last 90 days'
• By time range — last hour, last day, custom range
• By IP — useful for security investigations
• By result — succeeded / failed (failed logins are particularly worth filtering for)

Exports for auditors and regulators

One-click CSV / JSON exports of any filtered log view. For SOC2 audits we have a pre-built export format that matches what auditors typically request — saves you from reformatting the data when the auditor's spreadsheet template is more pedantic than your CSV.

On Scale we also support continuous syndication to your SIEM (Splunk, Datadog, Sumo Logic, custom). We post each log entry via webhook in real time. So your central security log already has Linkstacked events alongside your other vendor events, and your detection rules can fire on them.

Practical use cases

1. 1Incident response — 'a profile got defaced last night, when did it happen and from which IP?' The log answers in seconds.
2. 2Internal investigations — 'did anyone view our pre-launch hero link before launch?' The log shows every view by member.
3. 3Compliance evidence — 'show us all role changes in the last 12 months for the SOC2 audit.' One filter, one export.
4. 4Rollback assistance — 'what was the link copy before someone changed it on Tuesday?' The before-state is in the log entry.
5. 5Insider threat detection — flag patterns like 'member is downloading large exports outside business hours' via SIEM rules.

Plan availability

Build plan: 180 days of audit-log retention with full search and CSV export. Scale plan: unlimited retention, SIEM webhook syndication, hash-chain attestation reports for auditors. Lower plans get a 7-day summary log that's useful for casual 'who deleted that link' questions but not for compliance.

Open the log when something feels off

The audit log isn't something you check daily — it's the thing you reach for the moment a question pops up. The fastest way to internalise its value is to actually open it the next time you wonder 'how did this happen'. Within a few of those moments, you'll stop wondering whether you need it.