Feature

Every action recorded
across the workspace

A timestamped, attributed activity record of every finding, engagement, scan, document, comment, invoice, and team change. Filter by entity, scope by user, and retain history for the audit window your plan supports.

Get Started Free

No credit card required. Free plan available forever.

A workspace audit trail your auditor and your incident reviewer can both read

Security work generates a long tail of changes that matter only after the fact. Who changed that critical finding from open to accepted? Who uploaded the report? When did the engagement status flip from in progress to delivered? Programmes that lose this information either over-trust their team memory or reconstruct the timeline from chat history under audit pressure. SecPortal records every workspace action against a canonical activity log so the timeline is recoverable from a query rather than from memory.

The activity log is on by default for every workspace. Server-side code calls a single helper to record an event, the row lands in the activities table, and the dashboard, engagement detail, and client portal views read from the same source. Supabase row-level security keeps activities scoped to the tenant. The result is a single audit surface that findings management, team collaboration, and compliance tracking all share, rather than three separate timelines that only line up by hand.

Eight entity classes, one timeline

The activity log records actions across the entities that drive a security programme. Each row carries the actor, the action, the entity type, the entity identifier, a metadata payload describing the change, and a timestamp. The same shape covers a finding state change, an invoice payment, and a team-role update, so the timeline reads consistently across the work.

Findings

Creation, severity changes, status transitions (open, in progress, resolved, accepted), assignment changes, bulk imports, and deletes are all logged with the actor, the prior and new values, and the parent engagement.

Engagements

Engagement creation, status changes, scope updates, and deletion. The activity record carries the engagement title and the client it belongs to so the audit trail walks back from a finding to the engagement to the client without a separate join.

Clients

Client creation, deletion, and portal user invitations. Useful when an auditor wants to see when a client was added to the workspace, who invited the portal users, and when access was revoked.

Documents

Document uploads and deletes against findings and engagements, with the file name and the user who uploaded it. Evidence custody questions resolve to a single record rather than a folder timestamp.

Comments and messages

Comments on findings and messages inside an engagement thread record the actor, the parent finding or engagement, and a timestamp. Conversations remain attached to the work, not scattered across email and chat.

Team and roles

Member invitations, removals, and role changes inside the workspace. RBAC changes that grant or revoke permissions are visible on the same timeline as the work that those permissions affect.

Invoices and billing

Invoice creation, send, payment, status changes, refunds, and subscription changes. Finance audit questions land on the same activity feed as security audit questions.

Workspace settings

Workspace setting changes are logged so policy moves (retention, MFA enforcement, plan changes) are reviewable after the fact rather than reconstructed from memory.

Filter the timeline to the question you are answering

The dashboard activity page exposes filter tabs that narrow the feed to a single entity class. When the question is about remediation throughput, the findings filter answers it. When the question is about evidence handover, the documents filter answers it. When the question is about access, the team filter answers it.

All activities (default cross-entity timeline for the workspace)
Findings (every finding-level event for triage and remediation review)
Engagements (engagement-level lifecycle for delivery review)
Clients (client onboarding and portal access events)
Invoices (financial activity for billing reconciliation)
Documents (evidence custody and report delivery events)
Comments (conversation history attached to findings)
Team (RBAC and membership changes)

What auditors and incident reviewers ask the log

Auditors reading SOC 2 CC4.1 and CC7.1, ISO 27001 Annex A 8.15 (logging), or PCI DSS Requirement 10 read activity logs to evidence operating effectiveness rather than narrative claims. Incident reviewers read the same trail to reconstruct who took which action when, without trusting reconstruction from chat scrollback.

Demonstrate when a finding was discovered, by whom, and how its status moved through the SLA window
Show the chain of custody for evidence files attached to a finding from upload to retention or deletion
Evidence the operating effectiveness of a remediation control by showing dated state transitions on the underlying finding
Reconstruct what happened during an engagement when a tester rotates off and a successor takes over the record
Trace back a contested finding decision to the user who closed or accepted it and the comment they left
Provide auditors a per-user activity profile to evidence segregation of duties between testers, reviewers, and approvers

Properties that keep the trail defensible

Activity logs are only useful if they are durable, scoped, and attributed. SecPortal applies the same properties to every event, so the audit surface does not vary by feature area or by the team member who took the action.

Append-only at the API layer: workspace users write through the logActivity helper from server-side code, never from the browser
Workspace-scoped: every activity row carries a workspace_id that ties it to the tenant; cross-tenant reads are blocked by Supabase row-level security
Actor-attributed: activities reference the auth user that took the action, with email and name carried in metadata for display
Entity-typed: each row records action, entity_type, and entity_id, so queries can filter to a single object or roll up across an entity class
Schema-stable: the activities table has been the canonical event log since the platform shipped, so queries do not need to migrate when new event types are added
Notification-aware: activities fan out into per-user notifications and per-client notifications via Postgres functions, so subscribers do not poll the activity feed

Workspace, engagement, and client portal views

The same activity record is rendered through three different scopes depending on who is reading. A workspace member sees the cross-engagement feed at the dashboard level. An engagement lead opens an engagement and sees the activity attached to that engagement. A client portal user sees only the activity attached to their engagements, so the audit trail is transparent to the client without leaking across tenants.

Workspace activity feed surfaces every action across every client and engagement the user has access to under their RBAC role
Engagement-scoped views surface only the activity attached to a single engagement so engagement leads see signal without cross-client noise
Client portal views surface only the activity attached to engagements the portal user has access to, so client-facing transparency does not leak across tenants
Filter tabs (findings, engagements, clients, invoices, documents, comments, team) narrow the timeline by entity type without changing scope

Retention by plan

Activity retention is tied to the workspace plan. A daily cleanup job runs on Vercel Cron and removes activities older than the plan retention window, along with the notifications that fan out from those activities. Active workspaces stay inside the retention window without manual archiving; workspaces that need a longer window upgrade to the plan that matches the audit observation period.

Starter

30 days

Suitable for short-cycle assessments and trial workspaces where the audit window is the most recent month. After 30 days, activities older than the cutoff are removed by the daily cleanup cron.

Pro

90 days

Aligns with quarterly SOC 2 sample periods and most pentest engagement reporting cycles. Activities inside a quarter remain intact through the audit observation window for that quarter.

Team

365 days

Covers annual SOC 2 Type 2 and ISO 27001 surveillance audit windows. A full year of activity stays available for the auditor period without external archival.

Where the activity log fits in your audit and incident process

Activity logging is the connective tissue between operational security work and the evidence layer the audit cycle reads. It plugs directly into audit evidence half-life: an artefact captured at one point in time gets a half-life longer than its date stamp when the underlying activity log can reproduce the chain of state changes against the live record. It also lifts remediation tracking out of an interpretation question and into a query against the timeline. For the deeper view of how activity logs sit alongside scanning, reporting, compliance, and client delivery, see the security workflow orchestration research.

For frameworks that name a logging control directly, the activity log is the operating record: ISO 27001 Annex A 8.15 expects logging of user activities, exceptions, and security events; SOC 2 CC7.2 expects monitoring of system components and the operation of controls; and PCI DSS Requirement 10 expects logging of all access to system components. Workspace activity logging satisfies the platform-level expectation; system-of-record logs outside SecPortal still cover the rest of the estate.

Sensitive object lifecycles surface on the same timeline as the rest of the work. Credential creation and revocation events flow through the activity log alongside the objects they enable, so the audit trail for encrypted credential storage does not live in a separate vault log that has to be reconciled by hand.

Document custody questions resolve through the same feed. Every upload and delete on the engagement record writes a document.uploaded or document.deleted event with the file name and the actor identity, so the chain of custody for the engagement deliverable lives on the same timeline as the findings the deliverable describes. For the storage shape underneath, see document management.

The activity log is the historical record; the live signal layered on top is the per-user inbox. Each event that fans out into notifications and alerts is keyed to the originating activity row, so the bell points back to the same record the activity feed shows in retrospect. The audit surface and the live notifications surface share one source rather than two systems that diverge between reporting cycles.

The activity feed answers retrospective questions; the workspace global search palette answers prospective ones. An auditor reading back through a finding lifecycle opens the activity feed; an operator who already knows the finding name presses Cmd+K and lands on the engagement scoped to it. Both views read against the same workspace record, so the palette and the timeline never disagree about what happened or where it sits today.

Related use cases

Compliance audits

Remediation tracking

Security testing program management

Bring the audit trail into the work

Activity logging is on by default for every workspace. Sign up and the trail starts the moment your team takes the first action.