GDPR Audit Logging

Middleware-based audit system automatically capturing login, logout, data access, modification, and deletion for every request.

3 months, 3 engineers, 6 min read

Key Results

Request Coverage: 100%
Action Types: 5
View Code Changes: Zero
PII in Logs: Zero

Client

Enterprise SaaS Client

Industry

Sustainability & ESG

Location

Europe

Overview

GDPR and similar regulations require audit trails of who accessed what data and when. Implementing logging in every view is error-prone and easy to forget. The platform handles sensitive user and company data, and demonstrating compliance required answering ‘who did what when’ for any request.

We built a middleware-based audit system that captures login, logout, data access, modification, and deletion—automatically, for every relevant request, with no view-level code required. Smart filtering ensures static files and admin internals don’t fill the audit log with noise.

Architecture Overview

GDPR Audit Logging architecture

The Challenge

Comprehensive Coverage

Every data access, modification, and deletion needed logging—not just the ones developers remembered to instrument.

Right Level of Detail

Logs needed user identity, IP address, and action type—but not request bodies that might contain PII.

No Noise

Static files, media, and admin internals shouldn’t fill the audit log with irrelevant entries.

Our Solution

Architecture Overview

Middleware

Runs on every request automatically

Classifier

Derives action type from path + method

Audit Store

Metadata-only log entries

1. Automatic Classification

The middleware derives action type (login, logout, data_access, data_modification, data_deletion) from the request path and HTTP method. No view needs to declare what kind of action it performs.

Tags: Middleware, Classification, Django

2. Metadata-Only Logging

Each log entry captures user ID, email, username, IP address, user agent, path, and method—never request or response bodies. This keeps the audit log useful without creating a PII storage problem.

Tags: GDPR, Metadata, Privacy

3. Smart Filtering

Static files, media, favicon, and admin i18n paths are skipped in both phases. The audit table contains only user-driven actions.

Tags: Filtering, Performance, Noise Reduction

4. Two-Phase Capture

process_request stores minimal data; process_response classifies and writes, so the user is known to be authenticated before anything is logged. Fail-safe writing ensures a failing audit write never breaks the user’s response.

Tags: Two-Phase, Fail-Safe, Resilience
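As an added illustration (not the client's code, which this page does not show), a pure-Python sketch of the two-phase middleware covering the classification rules from item 1 and the capture-and-write logic from item 4. The path patterns, skip list and the fake request objects are assumptions; it goes one step beyond the text by snapshotting the identity in phase one so that a logout, which clears request.user, is still attributable in phase two.

```python
from types import SimpleNamespace

SKIP_PREFIXES = ("/static/", "/media/", "/favicon.ico", "/admin/jsi18n/")  # assumed noise paths
LOGIN_PATHS, LOGOUT_PATHS = ("/accounts/login/",), ("/accounts/logout/",)  # assumed patterns
METHOD_ACTIONS = {"GET": "data_access", "POST": "data_modification", "PUT": "data_modification",
                  "PATCH": "data_modification", "DELETE": "data_deletion"}

def classify(path, method):  # None means "not auditable"; login/logout by path, else by method
    if path.startswith(SKIP_PREFIXES):
        return None
    if path in LOGIN_PATHS and method == "POST":
        return "login"
    if path in LOGOUT_PATHS and method in ("POST", "GET"):
        return "logout"
    return METHOD_ACTIONS.get(method)

def user_info(user):  # identity metadata only, decoupled from the User model's internals
    return {"user_id": getattr(user, "pk", None), **{k: getattr(user, k, "") for k in ("email", "username")}}

class AuditMiddleware:
    def __init__(self, get_response, store):
        self.get_response, self.store = get_response, store
    def __call__(self, request):
        # Phase 1 (process_request): body-free fields plus an identity snapshot (logout clears request.user)
        pre = {"path": request.path, "method": request.method, "ip": request.META.get("REMOTE_ADDR"),
               "user_agent": request.META.get("HTTP_USER_AGENT", "")}
        before = getattr(request, "user", None)
        response = self.get_response(request)
        # Phase 2 (process_response): the view has run, so a fresh login is authenticated by now.
        after = getattr(request, "user", None)
        user = next((u for u in (after, before) if u is not None and u.is_authenticated), None)
        action = classify(pre["path"], pre["method"])
        if user is not None and action is not None:
            try:  # fail-safe: an audit write failure must never break the user's response
                self.store.append({**pre, **user_info(user), "action": action})
            except Exception:
                pass  # a real system reports this out of band instead of raising
        return response

def run_demo():  # constructed requests standing in for Django's HttpRequest; returns the entries
    anon = SimpleNamespace(is_authenticated=False)
    alice = SimpleNamespace(pk=7, email="alice@example.com", username="alice", is_authenticated=True)
    def view(req):  # fake view: login authenticates, logout de-authenticates, bodies never read
        req.user = {"/accounts/login/": alice, "/accounts/logout/": anon}.get(req.path, req.user)
        return SimpleNamespace(status_code=200)
    mw, meta = AuditMiddleware(view, []), {"REMOTE_ADDR": "203.0.113.5", "HTTP_USER_AGENT": "demo"}
    for path, method, user in [("/accounts/login/", "POST", anon), ("/static/app.css", "GET", alice),
                               ("/api/companies/3/", "DELETE", alice), ("/accounts/logout/", "POST", alice)]:
        mw(SimpleNamespace(path=path, method=method, META=meta, user=user, body=b"password=hunter2"))
    return mw.store
```

Running run_demo() yields three entries (login, data_deletion, logout), none of which carries the request body, while the static-file request leaves no trace.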

Performance Metrics

[Charts: Transaction Throughput, Response Time Distribution]


Technology Stack

Backend

  • Django
  • Python 3.11
  • Django Middleware

Compliance

  • GDPR
  • Audit Trail
  • PII-Free Logging

Data

  • PostgreSQL
  • Audit Table
  • Thread-Safe Writes

Outcomes & Impact

Compliance Impact

  • Every authenticated request automatically logged—no developer action required
  • Five action types enable compliance reporting: login, logout, access, modification, deletion
  • Audit log contains zero request body content—no accidental PII storage

Technical Achievements

  • New views are automatically covered without any logging code
  • Path-based rules detect login/logout by patterns; HTTP method determines action type
  • Fail-safe writing ensures audit failures never break user responses

Operational Benefits

  • Two-phase capture ensures user is authenticated before logging begins
  • Smart filtering keeps audit table clean—only user-driven actions stored
  • Helper function extracts user info consistently, decoupled from User model internals

“The audit logging system gave us instant GDPR compliance without touching a single view. Our compliance team can answer any regulator question about data access in minutes.”

Compliance Officer, Enterprise Client

Ready to build something similar?

Let's discuss how we can apply the same engineering excellence to your project.