Audit and compliance
Why this matters
Having a clear trail of who did what and when matters for any business, especially regulated ones. ZaazCRM has built-in audit mechanisms you should know as an administrator.
The four evidence sources
1. Per-record activity timeline
Each contact, lead, case, quote, etc., has its own activity timeline. See Activity timeline.
2. Sign-in log
Settings → Audit → Sessions. Who signed in, from which IP, which browser, when. Useful to spot suspicious access.
3. Admin operations log
Settings → Audit → Admin operations. Sensitive changes (create user, change permissions, delete) are recorded here.
4. Export for external auditor
Settings → Audit → Export. Generates a ZIP with CSVs and PDFs of evidence.
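The sign-in log is only useful for spotting suspicious access if someone actually reviews it. The script below is an added example, not ZaazCRM code: it reviews sign-in records offline and flags a user signing in from an address they have not used before, and one address signing in to several accounts within a short window. It assumes the records are available as a CSV; the column names (`user`, `ip`, `browser`, `signed_in_at`) and the thresholds are assumptions, so match them to the header of your own file.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The column names are assumptions, not ZaazCRM's
# documented export format; adjust them to match the real CSV header.
SAMPLE_CSV = """user,ip,browser,signed_in_at
ana,203.0.113.10,Firefox,2024-03-01T08:02:00
ana,203.0.113.10,Firefox,2024-03-02T08:05:00
bruno,198.51.100.7,Chrome,2024-03-02T09:00:00
ana,192.0.2.44,Chrome,2024-03-03T02:14:00
bruno,192.0.2.44,Chrome,2024-03-03T02:16:00
carla,192.0.2.44,Chrome,2024-03-03T02:19:00
"""

def review_sessions(csv_text, fanout_users=3, fanout_window=timedelta(minutes=30)):
    """Return (timestamp, user, ip, reason) findings for an analyst to review."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: datetime.fromisoformat(r["signed_in_at"]))
    seen_ips = defaultdict(set)       # user -> IPs already used by that user
    seen_browsers = defaultdict(set)  # user -> browsers already used
    by_ip = defaultdict(list)         # ip -> [(time, user)] inside the window
    findings = []
    for r in rows:
        when = datetime.fromisoformat(r["signed_in_at"])
        user, ip, browser = r["user"], r["ip"], r["browser"]
        # The first sign-in per user only establishes a baseline.
        if seen_ips[user] and ip not in seen_ips[user]:
            reason = "new IP"
            if browser not in seen_browsers[user]:
                reason = "new IP and new browser"
            findings.append((r["signed_in_at"], user, ip, reason))
        seen_ips[user].add(ip)
        seen_browsers[user].add(browser)
        # One address signing in to several accounts within a short window.
        by_ip[ip] = [(t, u) for t, u in by_ip[ip] if when - t <= fanout_window]
        by_ip[ip].append((when, user))
        users = {u for _, u in by_ip[ip]}
        if len(users) == fanout_users:  # report once, when the threshold is reached
            findings.append((r["signed_in_at"], user, ip,
                             "IP used by %d accounts" % len(users)))
    return findings

if __name__ == "__main__":
    for finding in review_sessions(SAMPLE_CSV):
        print(*finding, sep="  ")
```

A finding is a prompt to check with the user, not proof of compromise: shared office addresses and VPN exits will trigger the multi-account rule.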
Retention policy
- Per-record activity timeline — as long as the record exists.
- Sessions — 1 year by default, configurable.
- Admin operations — indefinite by default.
Your jurisdiction may require longer. Configure retention accordingly.
Digitally signed documents
ZaazCRM keeps the signature certificate with the document: who signed, when, from which IP, with what method.
GDPR / LGPD / similar compliance
- Let the customer access their data — Export contact profile.
- Let the customer request erasure — soft-delete + admin command for real deletion.
- Notify breaches — configure alerts.
Watch out for
- Modifying logs is illegal in many jurisdictions. ZaazCRM doesn't allow modifying logs from the UI.
- Deleting a user doesn't delete their logs.
- Backups are your IT team's responsibility, not ZaazCRM's.
Where to next
- Part 7 (Extensions) — additional features per your install.
- Your profile — each user's account security.