Compliance Reporting and Audit Data Architecture
Regulated industries and compliance frameworks (GDPR, SOC 2, ISO 27001, PCI-DSS, FCA) require organisations to demonstrate that controls are operating effectively. This requires a data architecture that captures, retains, and makes queryable the audit evidence that compliance teams need.
What Compliance Reporting Requires
- Access logs: Who accessed what data, when, from where — queryable by user, resource, time period
- Change logs: What data was created, modified, or deleted — by whom and when
- Authentication events: Login attempts, MFA events, account changes
- System events: Configuration changes, deployments, privilege changes
- Data processing records: Evidence of data processing activities for GDPR Article 30 (Record of Processing Activities)
- Consent records: Evidence of when and how consent was obtained, for what purpose, and when withdrawn
Designing for Compliance
- Audit logs must be immutable — write once, read many. Separate log storage from application storage.
- Log retention must meet regulatory minimums — design retention periods into the architecture from the start
- Logs must be queryable — raw log files are not sufficient; structured, indexed log storage is needed
- Log access must itself be logged — prevent insider threat from manipulating or deleting logs
How We Help
We design compliance data architectures as part of systems that operate in regulated sectors — including FCA-regulated financial services, healthcare, and public sector. We produce evidence packages for auditors as part of our delivery documentation.