Audit log
CaseFlow records security-relevant events to a tamper-evident audit log on every plan. This page describes what is recorded, how long it is kept, and how you or your IT team can export it or feed it into your security tools.
Quick answer for InfoSec questionnaires
CaseFlow's audit log cannot be altered or deleted after the fact. Trust-account events are kept for seven years on every plan. General events are kept for a configurable window. The log can be exported as CSV or as a tamper-sealed digital file, and it can be forwarded in real time to your firm's security platform (Splunk, Datadog, Microsoft Sentinel, Elastic, and similar). Each firm's audit log is held in its own isolated database — no other firm's activity ever appears in your records.
What we log
Logging is always on across every plan. Plans differ in how long events are kept, who can view them, and what export and integration tools are available — not in what gets captured.
| Category | Examples |
|---|---|
| Sign-in activity | Successful and failed logins, two-factor challenges, password resets, password changes, account lockouts, partner-firm impersonation |
| Access control | Role assignments, permission changes, staff invites and deactivations |
| Matter activity | Matter created, edited, status changed, assigned, closed, or deleted |
| Client activity | Client created or edited, contacts added, portal access toggled |
| Document activity | Documents uploaded, replaced, shared with the client portal, or deleted |
| Billing activity | Invoices, estimates, proposals, payments, refunds — created, sent, paid, voided |
| Trust accounting | Trust accounts opened or closed; deposits, disbursements, transfers, reconciliations, statements sent |
| Administrative | Settings, firm configuration, plan changes, API keys |
| Audit hygiene | Retention policy changes, audit exports, and any attempt to clear the log itself |
For each event we record who did it (staff member, client contact, or the system itself), what they did, what record was affected, the originating IP address and device, the precise time, and — for changes — what the value was before and after.
Retention by plan
Trust-account events are kept for seven years on every plan, in line with the requirements of the New York Rules of Professional Conduct Rule 1.15 and equivalent rules in California, Texas, Illinois, Florida, and other states. General activity is kept on a plan-tiered schedule.
| | Solo | Growth | Multi-Practice |
|---|---|---|---|
| Trust-event retention | 7 years | 7 years | 7 years |
| General-event retention | 90 days | 12 months | 7 years |
| Firm-wide activity log viewer | — | ✓ (12-month window) | ✓ (full retention) |
| Per-matter activity tab | — | ✓ | ✓ |
| CSV export | Trust only | All | All |
| Tamper-sealed digital export | — | ✓ | ✓ |
| Real-time security-platform streaming | — | ✓ | ✓ |
| Independently certified daily timestamps | — | — | ✓ |
This follows the same approach used by major cloud platforms (AWS, Microsoft Azure, Google Cloud): events are always captured; long retention and reporting tools are tiered. Your obligation to your clients under the rules of professional conduct does not change with your subscription tier, and neither does our underlying logging.
Trust-account audit (separate, isolated record)
Trust events are written to a dedicated, isolated record that is never automatically deleted, has its own access control (firm administrators and designated bookkeepers only), and continues to exist even if the originating trust account is closed. This satisfies New York Rule 1.15(d), the American Bar Association's Model Rules on Client Trust Account Records, and equivalent state-bar requirements that require five-to-seven-year retention of every deposit, withdrawal, transfer, and reconciliation.
Each entry captures the trust account, transaction reference, matter, client, amount, currency, who made the change, originating IP, and a full record of what changed.
Tamper evidence
Every entry in the audit log carries a cryptographic seal that links it to the entry recorded before it. Because each seal mathematically depends on the previous one, any later modification — to any historical entry — would break every seal that follows. The audit log can be verified end-to-end using industry-standard cryptographic methods.
In plain terms: if even a single character of an old record is changed, the verification fails. The proof that the log has not been tampered with is built into the log itself.
Independently certified daily timestamps (Multi-Practice)
For Multi-Practice firms, the seal at the end of each day is independently certified by a trusted third-party time-stamping authority. Two authorities are used (one primary, one fallback). These daily certificates can be verified by your forensic experts or outside counsel using standard cryptographic-timestamp verification tools, producing evidence suitable for litigation chain-of-custody.
This approach is the same one used by document-retention systems that serve financial institutions regulated by the SEC and FINRA, and is increasingly expected by enterprise legal-malpractice insurers and outside forensic firms.
Exports
CSV export
Available on all plans for trust events; on Growth and Multi-Practice plans for the full activity log. Each row includes its cryptographic seal so log integrity can be verified after download.
Trigger from Utilities → Activity log → Export → CSV (or Matter → Activity → Export for a single matter). Exports are scoped to your firm and respect your team's access rules.
Tamper-sealed digital export (Growth and Multi-Practice)
Returns a structured digital archive plus a signed manifest that includes the running seal value, the number of entries, the time range, your firm's identifier, and a separate cryptographic fingerprint of the archive itself. Suitable for e-discovery, litigation hold productions, and regulatory review.
Real-time security-platform streaming
CaseFlow can forward audit events to your firm's security platform in real time. We support:
- Splunk (via HTTP Event Collector)
- Datadog, Elastic, Microsoft Sentinel, Sumo Logic, and any system that accepts standard JSON over HTTPS — through our generic webhook
Streaming is configured per firm at Settings → Security → Security-platform streaming. You choose the endpoint, the authentication, and which event types to forward. Events are buffered if your platform is briefly unavailable and retried for up to 24 hours.
This is one of the more differentiated capabilities in legal practice management. Among the major platforms in this category (Clio, MyCase, PracticePanther, Smokeball, CosmoLex), none currently ship a documented native integration with the security tools used by enterprise law firms.
Compliance mapping
| Requirement | How CaseFlow addresses it |
|---|---|
| ABA Model Rule 1.6(c) — reasonable safeguards against unauthorized disclosure | Sign-in activity, document access, and exports are recorded; the log is tamper-evident |
| ABA Model Rule 1.15 + Client Trust Account Records Rule 1 — complete trust records, five-plus year retention | Dedicated trust-event store, 7-year retention regardless of plan, full event detail |
| ABA Formal Opinion 477R — secure portal with an audit trail | Document and client-portal access events are captured |
| New York Rule 1.15(d) — 7-year per-event retention for trust records | Trust events are retained 7 years on every plan |
| HIPAA §164.312(b) — audit controls (for firms handling healthcare matters) | Sign-in, access, change, and configuration events recorded with tamper evidence |
| GDPR Article 30 — records of processing (for firms with EU clients) | The log surfaces who accessed what data and when; combined with our per-firm data isolation, supports demonstration of compliance |
| SOC 2 Common Criteria CC6 and CC7 — logical access and system operations | Sign-in and access-control events with structured detail; centralized logging with security-platform streaming for customer-side alerting; minimum 12-month retention on Growth and Multi-Practice |
| Cloud Security Alliance CAIQ — Logging and Monitoring domain | Tamper protection, configurable retention, restricted access to logs, audit clock synchronization, encryption in transit on exports and streaming |
| Shared Assessments SIG Lite / Core — Threat Management and Server Security | Append-only logs, configurable retention, security-platform forwarding, restricted log access |
CaseFlow does not yet hold a SOC 2 Type II attestation; our security architecture is designed to support that audit when we pursue it. We provide this audit-log specification as part of vendor-assessment due diligence; firms are welcome to share it with their IT and InfoSec teams.
What we do not do (in the spirit of calibration)
- Specialized "write-once" storage for trust events. This is required for SEC and FINRA broker-dealer records; state bars require complete records, not specifically write-once storage. We may add this for enterprise customers on request.
- Recording every read (every time a matter is opened or a document is viewed). High volume, not currently required by any InfoSec questionnaire we have seen. We can enable per-record read logging on request for matters placed under litigation hold.
- Real-time forensic search across years of logs. The current search experience handles all practical scales today and we will revisit when usage patterns warrant.
Verifying log integrity
Each entry's cryptographic seal is calculated when the entry is recorded. To verify the log end-to-end against a downloaded export, your IT or forensic team can use standard cryptographic verification tools. The verifier runs against the exported archive without requiring access to CaseFlow systems.
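The sketch below is an added illustration, not CaseFlow code. It shows how the chained seals described under "Tamper evidence" and the verification described here can be checked offline, including the comparison against the manifest's entry count and running seal. The seal construction (SHA-256 over the previous seal plus canonical JSON), the all-zero starting seal, and the field names `entry`, `seal`, `count` and `running_seal` are assumptions, because this page does not document the export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed seal value that precedes the first entry

def seal(prev_seal, entry):
    """SHA-256 over the previous seal plus a canonical JSON encoding of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_seal}\n{body}".encode("utf-8")).hexdigest()

def build_log(entries):
    """Seal entries in order, as an exporter would (used here for sample data)."""
    rows, prev = [], GENESIS
    for entry in entries:
        prev = seal(prev, entry)
        rows.append({"entry": entry, "seal": prev})
    return rows

def verify_log(rows, manifest=None):
    """Return (ok, index, reason); index is the first row that fails, if any."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if seal(prev, row["entry"]) != row["seal"]:
            return False, i, "seal mismatch"
        prev = row["seal"]
    if manifest is not None:
        # An internally consistent chain can still be truncated or rebuilt,
        # so compare it with values held outside the log.
        if len(rows) != manifest["count"]:
            return False, None, "entry count differs from manifest"
        if prev != manifest["running_seal"]:
            return False, None, "running seal differs from manifest"
    return True, None, "ok"

# Constructed sample entries (not real CaseFlow data).
SAMPLE = [
    {"ts": "2024-01-05T14:02:11Z", "actor": "staff:17", "action": "trust.deposit", "amount": "2500.00"},
    {"ts": "2024-01-05T14:09:40Z", "actor": "staff:17", "action": "matter.status", "before": "open", "after": "closed"},
    {"ts": "2024-01-05T15:30:02Z", "actor": "system", "action": "audit.export"},
]

if __name__ == "__main__":
    rows = build_log(SAMPLE)
    manifest = {"count": len(rows), "running_seal": rows[-1]["seal"]}
    print(verify_log(rows, manifest))
    rows[0]["entry"]["amount"] = "250.00"   # edit a historical entry in place
    print(verify_log(rows, manifest))
```

The manifest comparison is what catches a log whose tail was dropped or whose seals were all recomputed, which is why the manifest (and, on Multi-Practice, the daily certified timestamp) should be stored separately from the export it describes.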
How CaseFlow administrators control the log
- Cannot alter or delete historical audit entries — there is no way for any user, including firm administrators, to modify or remove a recorded entry.
- Can configure retention within the plan's allowed window (for example, on Growth you can choose 3, 6, 9, or 12 months for general events; trust retention is fixed at 7 years).
- Can configure security-platform streaming (Growth and Multi-Practice) — endpoint, authentication, event filter, and retry behavior.
- Can export — CSV at any time; tamper-sealed digital export on demand on Growth and Multi-Practice.
- Cannot view another firm's events. Per-firm data isolation enforces this at the storage layer.
Contact
For specific questions about audit-log architecture, retention customization for your firm, or InfoSec questionnaire responses, contact support. Our team can join InfoSec review calls on request.