Audit log
Tracking of admin actions. Available today on the platform super-admin side. For merchants it's on the roadmap as a Scale feature.
Roadmap. The exportable audit log for merchants is on the roadmap for the Scale plan. Today actions are logged in our database (admin_audit_logs) but are only accessible to WooshPayment staff via super-admin, not from the merchant dashboard.
What we log today
At the backend level, we record sensitive actions in AdminAuditLog (Prisma table). Tracked types:
- Admin/super-admin login (success/failed)
- Platform configuration changes
- Merchant impersonation by staff
- Refunds executed by super-admin
- GDPR erasure requests
For actions executed by the merchant on their own dashboard (e.g. the "Refund" button), there's no merchant-side exportable log today. They are recorded in application logs (Pino) but not surfaced in the UI.
Audit row schema (current model)
| Field | Example |
|---|---|
id | cuid |
event | merchant.refund, super_admin.login |
actorId | admin/merchant id |
actorEmail | (PII-redacted after retention) |
actorIp | source IP |
metadata | JSON with details |
createdAt | ISO UTC timestamp |
How merchants will access it (on the roadmap)
The plan is to expose, on the Scale tier:
- Table filterable by date, event, actor
- CSV/JSON export
- 7-year retention
- API endpoint
GET /api/merchant/audit-logsto integrate with external SIEMs
ETA: post launch.
What you can do NOW
If you need evidence of specific actions (e.g. legal disputes, internal audit):
- Open a ticket at
noreply@wooshpayment.comwith a specific request (date range + event type + merchant involved) - WooshPayment staff runs the query on our system and sends you an encrypted CSV
Average time: 2 business days.
Retention & GDPR
- Application logs (Pino) have 90-day retention
- Prisma logs (
AdminAuditLog) are indefinite until we implement the retention policy - PII redaction after a GDPR erasure request (see GDPR)
Useful links
- GDPR โ right to erasure
- Refund flow