Inside the Papyrus Audit Trail: Why Hash Chaining Matters
How Papyrus's audit log is engineered to be tamper-evident — even against a malicious Platform Admin.
Inside the Papyrus Audit Trail: Why Hash Chaining Matters
A document management system without a credible audit trail is a system that auditors don't trust. A credible audit trail must be tamper-evident — you need to be able to detect any alteration, including those by your most-privileged users.
This is how Papyrus does it.
The threat model
We assume an adversary who has compromised:
- Platform Admin credentials in your tenant
- Direct database access (read/write)
- Backup file access
What we want: any alteration of the audit log — adding, deleting, modifying entries — should be detectable by external review.
The hash chain
Each audit log entry contains:
- Entry data (timestamp, user, action, resource, before/after)
- Hash of the previous entry
This is the chain. To alter any entry without breaking the chain, the attacker must:
- Modify that entry
- Update the hash in the next entry
- Update the hash in the entry after that
- ...etc. all the way to the most recent entry
That's a lot of work, but achievable for a determined attacker with full DB access. So we add two more defences.
Periodic anchoring
Every N entries (typically every 100), we publish the current chain head's hash to a separate anchor store — a write-once log that's accessed by different credentials. To rewrite history convincingly, the attacker would need to alter the anchor store too. That's a second system to compromise.
External anchor (optional, opt-in)
For tenants on Enterprise plans, we can publish the chain-head hash daily to a public anchor (cryptocurrency blockchain, or a customer-controlled third-party logging service). This makes the audit log integrity verifiable without trusting Papyrus at all — you compare what Papyrus shows you with what the public anchor recorded.
What gets logged
Everything that touches a document, a workflow, a permission, or a user:
- Document creation, read (where applicable), update, delete, restore
- Workflow start, advance, approve, reject, complete
- Permission grant, revoke, inherit, override
- User creation, role assignment, MFA setup, password change
- Configuration changes (retention policies, tenant settings, integration credentials)
- Login, logout, login failure, MFA challenge
Auditors can filter by any of these categories.
What it costs
Hash chaining costs us roughly 80 bytes per audit entry (the previous-hash field). At 10,000 audit entries per day per tenant, that's 800KB/day of overhead. Negligible.
Verification — checking that the chain is intact — runs in milliseconds for the most recent year of audit log. We run continuous background verification and alert any tenant whose chain integrity breaks.
The legal value
In a courtroom or arbitration setting, the question “did anyone tamper with this evidence?” has a credible answer. The audit log certificate produced by Papyrus is hash-signed, the chain is verifiable, and the integrity model is documented.
We've had two customers use this in litigation. In both cases, opposing counsel did not contest the audit log evidence. That's the win.
Limitations
Hash chaining detects post-hoc tampering. It doesn't prevent a malicious user from logging an incorrect action at the time of the action. If a Platform Admin deliberately approves a document and the log faithfully records that, the log can't tell you the approval was malicious.
Combine the audit log with role separation, MFA, and periodic privileged-access reviews to address that gap.