Skip to main content

Platform events

qaudit.* events are emitted by QAudit itself rather than by a connected product. They record what the platform did — tenant provisioning, key rotation, access to the event store — and carry the same cryptographic signature and chain-link guarantees as business events.

QAudit's integrity model makes no exception for the platform's own actions: lifecycle changes, key rotations, and access to data are all part of the same tamper-evident chain as the events they govern.

Chain genesis

Every tenant's chain begins with qaudit.tenant.created, a platform event emitted when the tenant is provisioned. It is the anchor of the entire chain — no business event can be stored before this event exists. Its payload includes the initial signing public key, making the chain self-contained: a verifier walking the full chain can locate the right key without consulting an external registry.

Tenant lifecycle

Changes to a tenant's lifecycle — suspension, reactivation, migration — are recorded as platform events on the tenant's chain. The lifecycle history of a tenant is therefore tamper-evident and independently verifiable using the same chain-walk procedure as any other audit verification.

Key rotation

When the signing key associated with an organisation is rotated, the rotation is recorded as a qaudit.tenant.signing-key.rotated event on the chain. The event records which key was replaced and which key replaced it.

This makes the chain self-describing: a verifier walking the chain can read the rotation event to determine which key should be used to verify each range of events — no external registry needs to be consulted.

See Signing and integrity for the full key management model.

Access audit trail

Every access to the event store — by a user, an API client, or a support agent — is recorded as a qaudit.* event on the relevant tenant's chain. This includes support sessions being opened, evidence packs downloaded, and report subscriptions created.

These access events carry the same integrity guarantees as business events: the access log is part of the chain and cannot be silently altered. QAudit's own activity is subject to the same tamper-evident record as the data it holds.

Support-session access requires explicit consent and generates a qaudit.session.opened event visible in the event explorer. See Data sovereignty for the contractual implications.