1. Audit by Design

Majormatic is built around a principle that audit trails are not a feature to be enabled — they are a structural property of the platform. Every execution creates immutable records. This is not optional and cannot be disabled.

Immutable records

Once written, audit records cannot be modified or deleted. They form a tamper-evident record that can be produced to any regulator, auditor, or legal authority.

Verifiable integrity

Execution records are linked in a way that makes any alteration detectable. The integrity of the audit trail can be independently verified.

Accountability boundary

Finalisation creates a permanent, explicit accountability boundary. Before finalisation, outputs are platform-managed drafts. After, they are user-owned decisions with a sealed audit record.

If it is not recorded, it did not happen

This is the operational principle. Actions not in the audit log have no evidential standing. Every action relevant to a professional output is captured.
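
The "Verifiable integrity" property above can be illustrated with a hash chain, shown here as an added example that is not Majormatic's own code; the page does not say how records are actually linked. The record layout (`body`, `prev`, `hash`), the field names, the all-zero genesis value and the sample run are assumptions; only the lifecycle state names come from this page.

```python
import hashlib
import json

# Lifecycle order as listed on the page; Failed/Cancelled are not ordered here.
LIFECYCLE = ["Created", "Running", "Draft", "Review", "Acknowledged", "Finalised"]
GENESIS = "0" * 64  # assumed anchor value for the first record


def record_hash(prev_hash, body):
    # Canonical JSON so the same body always produces the same digest.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, body):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev": prev, "hash": record_hash(prev, body)})


def verify(chain, expected_head=None):
    """Return (index, problem) findings; an empty list means the chain is intact."""
    findings, prev, last_state = [], GENESIS, {}
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            findings.append((i, "broken link"))  # record removed, inserted or reordered
        if record_hash(rec["prev"], rec["body"]) != rec["hash"]:
            findings.append((i, "hash mismatch"))  # body edited after writing
        run, status = rec["body"]["run_id"], rec["body"]["status"]
        if status in LIFECYCLE:
            idx = LIFECYCLE.index(status)
            if idx <= last_state.get(run, -1):
                findings.append((i, "lifecycle regression"))
            last_state[run] = idx
        prev = rec["hash"]
    # A chain alone cannot reveal a dropped tail; compare against a head hash
    # that is stored outside the log.
    if expected_head is not None and prev != expected_head:
        findings.append((len(chain) - 1, "head mismatch"))
    return findings


def build_sample():
    # Constructed sample: one run walking through every lifecycle state.
    chain = []
    for n, status in enumerate(LIFECYCLE):
        append(chain, {"run_id": "run-0001", "app_id": "app-demo",
                       "status": status, "ts": f"2024-01-01T00:00:0{n}Z"})
    return chain
```

An independent verifier needs only the exported records and a head hash obtained through a separate channel; without that head hash, removal of the most recent records goes unnoticed.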

2. What Is Recorded

The platform records a comprehensive set of events for every execution. All records are scoped to the organisation and accessible to admins with audit access permission.

Execution Records

  • Run ID and timestamp
  • App ID and version
  • Pipeline stages executed
  • Input references (not raw input data)
  • Output schema version
  • Execution status: Created → Running → Draft → Review → Acknowledged → Finalised
  • Risk classification applied

User Actions

  • User identity and role at time of action
  • Acknowledgement events with timestamp
  • Output edit events (if user-edited output)
  • Supervision annotations and overrides
  • Finalisation events with sealed record
  • Rejection events with reason

Governance Events

  • Governance profile applied
  • Supervision state transitions
  • Policy checks and outcomes
  • Output validation results
  • Multi-level approval actions

Billing Events

  • Pre-run cost calculation
  • Wallet deduction at execution
  • Reversal events (failed executions)
  • Settlement records on finalisation
  • Top-up events with transaction reference

3. Accessing Audit Logs

Audit logs are accessible from the Admin Dashboard. Access requires the audit access permission. Logs are searchable, filterable, and paginated.

1. Navigate to Admin Dashboard → Audit → Execution Logs
2. Filter by date range, user, app, or execution status
3. Click any execution record to view the full audit detail for that run
4. Use Audit → Search to find specific run IDs or user actions

Filtering Options

Date range

Filter to specific time windows for compliance investigations or periodic reporting.

User

Filter to all executions performed by a specific user — useful for individual accountability reviews.

App & Engine

Filter by app or engine type to review all runs of a specific workflow category.

Status

Filter by lifecycle state (Finalised, Failed, Cancelled) to find incomplete or problematic runs.

4. Export & Reporting

Audit data can be exported in multiple formats for use in compliance reporting, legal proceedings, or internal governance reviews.

JSON

Full machine-readable audit export. Includes all fields and nested metadata. Suitable for importing into compliance management systems or custom reporting tools.

CSV

Tabular export of execution records. Suitable for spreadsheet analysis, reporting tools, and compliance dashboards.

PDF

Human-readable formatted report. Suitable for presenting to auditors, regulators, or legal proceedings.

How to Export

1. Navigate to Admin Dashboard → Audit → Export
2. Select the date range, scope (all users or specific users), and format
3. Click Generate Export. Large exports are processed asynchronously.
4. Download the export from Admin Dashboard → Audit → Export History

5. GDPR & Data Subject Rights

Majormatic is GDPR-aligned. The platform is designed to support compliance with data subject rights requests. Admins are responsible for responding to requests from their organisation's users and processing them through the Admin Dashboard.

Right to Access

Users may request a copy of their personal data. Admins can generate a data export for specific users from Admin → Data → User Export. The export includes account data, execution metadata, and billing records.

Right to Erasure

Users may request deletion of their personal data. Admins can initiate a deletion request from Admin → Data → Delete User Data. Execution audit records required for legal compliance obligations may have extended retention — these are flagged clearly.

Right to Rectification

Users may request correction of inaccurate personal data. Account profile data can be updated by the admin. Execution records are immutable — they cannot be corrected as this would undermine audit integrity.

Right to Portability

Users may request their data in a portable format. The JSON export format satisfies portability requirements. Admins can generate a user-scoped JSON export for this purpose.

Admin responsibility: You are the data controller for your organisation's use of Majormatic. Majormatic acts as a data processor. You are responsible for ensuring your use of the platform is compliant with applicable data protection law.

6. Data Management

Majormatic uses a 3-layer data architecture with distinct retention rules for each layer.

Raw Evidence
Primary Vault

Uploaded input documents and raw execution evidence. Temporary — active 30-day window by default. Vault extension is available for continuity beyond the active window.

Processed Results
Generated Vault

Structured execution outputs and associated metadata. Linked to execution records. Retained for the duration of the active workspace plus any vault extension purchased.

Supervision Patterns
Governance Store

User annotations, overrides, and acknowledgement events. Governed retention — duration determined by compliance policy and applicable law. Always transparent to the owner.

Data Classification

All data in the platform is classified into one of three categories:

PUBLIC

App catalogue metadata and publicly available information. No access restrictions.

USER_PRIVATE

User inputs, outputs, and account data. Accessible only to the data subject and authorised organisation admins.

REGULATED

Data subject to specific legal or regulatory handling requirements. Additional controls apply.

7. Admin Responsibility

Admins bear specific compliance obligations for their organisation's use of Majormatic. These are distinct from what the platform itself guarantees.

Admin Is Responsible For

  • Ensuring proper data usage within the organisation
  • Responding to data subject rights requests
  • Maintaining appropriate organisational governance policies
  • Ensuring users understand their acknowledgement obligations
  • Reviewing audit logs for compliance and operational oversight
  • Configuring supervision requirements to match regulatory obligations

Platform Is Responsible For

  • Enforcing all configured governance policies
  • Maintaining immutable audit records
  • Processing data in accordance with the Data Processing Agreement
  • Providing GDPR-compliant infrastructure
  • Technical security of data in transit and at rest
  • Providing audit export tools and data subject request mechanisms

For specific data processing agreements, DPA templates, or compliance queries beyond this guide, contact [email protected] or visit our contact page.