Audit and compliance
What's audited automatically, where to view audit logs, and how this fits with NDPR/HIPAA-like requirements.
Overview
MyDentalPractice records a tamper-evident audit trail of every action that touches sensitive data — patient records, financial transactions, configuration changes, authentication events. The audit log is your evidence that the system is being used appropriately and your tool when investigating incidents.
What's audited
| Category | Examples |
|---|---|
| Authentication | Sign-in success/failure, sign-out, 2FA enrol/disable, password reset |
| Patient data | Record creation, edits, deletions, exports |
| Clinical | Note creation/lock/amendment, prescription issued/dispensed, treatment plan approval |
| Financial | Invoice creation, payment recorded, refund issued, cash-up submitted/approved |
| Configuration | Settings changes, role changes, location changes, fee schedule edits |
| Platform-side | Tenant impersonation, feature flag changes, plan changes |
Steps to use the audit log
Open the audit view. Settings → Security → Audit Log. By default it shows the last 30 days for your tenant.
Filter to narrow. Filter by user, by category (auth, patient, clinical, financial, config), by date range. Combinations are AND-ed.
Inspect a row. Click any row to expand. You see actor, timestamp, IP address, user-agent, the action verb, the resource type, the resource ID, and a data file diff of what changed (for edits).
Export for an audit. Click Export to download the filtered set as CSV or data file. Include a date range to keep the file sensible. Large exports are emailed to you when ready.
Investigate an incident. Filter by the date/time and the actor or resource you're investigating. The full chain of access shows you who did what and when.
Be aware that audit log entries are immutable. They cannot be edited or deleted, even by an Owner. The platform staff cannot edit them either. The trail is the trail.
Compliance mapping. For NDPR (Nigeria) and similar regulations, the audit log satisfies the "record of processing activities" requirement. Your DPO can pull the export to demonstrate compliance during inspections.
Retention. Audit records are retained for at least 7 years. Older records can be archived to cold storage but are still queryable on request to support.
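Offline triage of an exported CSV, following the export and incident-investigation steps above. This is an added example, not MyDentalPractice code: the column names, action verbs and sample rows are constructed assumptions, since the export schema is not documented on this page.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names and action verbs are assumptions.
SAMPLE_EXPORT = """timestamp,actor,ip_address,category,action,resource_type,resource_id
2024-03-04T08:58:10Z,dr.ade,203.0.113.10,auth,sign_in_success,session,s-1
2024-03-04T09:02:41Z,dr.ade,203.0.113.10,patient,record_edit,patient,P-1001
2024-03-04T21:14:03Z,frontdesk1,198.51.100.7,auth,sign_in_failure,session,s-2
2024-03-04T21:14:40Z,frontdesk1,198.51.100.7,auth,sign_in_failure,session,s-3
2024-03-04T21:15:22Z,frontdesk1,198.51.100.7,auth,sign_in_success,session,s-4
2024-03-04T21:17:05Z,frontdesk1,198.51.100.7,patient,record_export,patient,P-1001
2024-03-05T09:30:00Z,frontdesk1,203.0.113.10,patient,record_edit,patient,P-2002
"""

def load(text):
    """Parse the export and sort rows by timestamp (UTC, ISO 8601 assumed)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    return sorted(rows, key=lambda r: r["ts"])

def filter_rows(rows, start=None, end=None, **fields):
    """AND-ed filters, mirroring the audit view: every criterion must match."""
    return [r for r in rows
            if (start is None or r["ts"] >= start)
            and (end is None or r["ts"] <= end)
            and all(r[k] == v for k, v in fields.items())]

def access_chain(rows, resource_id):
    """Who did what, when, and from where, for a single resource."""
    return [(r["timestamp"], r["actor"], r["action"], r["ip_address"])
            for r in filter_rows(rows, resource_id=resource_id)]

def exports_after_failed_signin(rows, window_s=600, min_failures=2):
    """Flag exports made within window_s seconds of repeated failed sign-ins."""
    failures, flagged = defaultdict(list), []
    for r in rows:
        if r["action"] == "sign_in_failure":
            failures[r["actor"]].append(r["ts"])
        elif r["action"] == "record_export":
            recent = [t for t in failures[r["actor"]]
                      if 0 <= (r["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= min_failures:
                flagged.append((r["timestamp"], r["actor"], r["resource_id"]))
    return flagged
```

Replace `SAMPLE_EXPORT` with the contents of a real export and adjust the column and action names to match the file's header row.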