Audit log

Full event history for your workspace — who did what, when, and to which document.

The audit log is the permanent record of every action taken in your workspace. Use it for compliance reviews, incident investigations, customer support ("when did the document go out?", "was it signed or just viewed?"), and team accountability.

It lives at Settings → Security → Audit log.

What's recorded

Events come from five domains:

Document — created, updated, viewed, completed, deleted, cancelled, restored, PDF generated, PDF downloaded
Respondent — invited, viewed, submitted, link expired, invitation resent, reminder sent
Signature — requested, OTP sent, OTP verified, signed, declined
Webhook — fired (successful delivery), failed (after retry budget exhausted)

Every event carries:

Timestamp (UTC, rendered in your configured time zone)
Event type
Document it happened against
Actor — either a team member (email shown), a respondent (type shown), or the system (for automated events like reminder emails firing)
For respondent actions, the IP and user-agent the action came from — these live inside the event data and also print on the per-document audit PDF

Events are append-only. Crove never deletes audit records, even when you delete the underlying document — the record stays and shows the document.deleted event with the actor who did it.

Filtering

The filter row lets you narrow the view down to what you actually need:

Search — matches the document name, case-insensitive
Events — multi-select dropdown grouped by domain. Click a domain heading to toggle all its events at once.
Actor — any / team member / respondent / system
Date range — two date pickers, inclusive of both endpoints. The end date includes the full day up to 23:59:59 local time.

The "Clear" button resets everything back to the unfiltered view. Filters apply to the Export CSV button too, so you can cut exactly the slice compliance asked for.

Exporting

Click Export CSV to download a CSV of up to 10,000 events matching the current filters. Columns:

Timestamp (UTC) — ISO 8601 timestamp
Event — event type string (e.g. document.completed)
Document ID — the UUID of the document the event happened to
Document — the document's human-readable name at the time of export
Actor Type — user / respondent / system
Actor — the team member's email, the respondent's marker, or system
Event Data — JSON blob with event-specific extras (e.g. IP, user agent, reason, file sizes, signer role)

If you need more than 10,000 rows, narrow with a date range and export in chunks.

Retention

Audit events are retained for the lifetime of the workspace. Deleting the workspace deletes the audit log along with it. There is no self-serve purge — this is deliberate; compliance regimes like SOC 2 and HIPAA require a stable trail that individual users can't trim.

Compared to Recent activity

The Recent activity card on the dashboard shows the most recent 10 events in the same data set. Think of that card as a live tail; the Audit log page is the full searchable archive behind it.

For a per-document view of the same events — including the certificate-of- completion PDF that merges into the signed document — open the document and switch to the Activity tab.

It lives at Settings → Security → Audit log.

What's recorded

Events come from five domains:

Document — created, updated, viewed, completed, deleted, cancelled, restored, PDF generated, PDF downloaded
Respondent — invited, viewed, submitted, link expired, invitation resent, reminder sent
Signature — requested, OTP sent, OTP verified, signed, declined
Webhook — fired (successful delivery), failed (after retry budget exhausted)

Every event carries:

Timestamp (UTC, rendered in your configured time zone)
Event type
Document it happened against
Actor — either a team member (email shown), a respondent (type shown), or the system (for automated events like reminder emails firing)
For respondent actions, the IP and user-agent the action came from — these live inside the event data and also print on the per-document audit PDF

Events are append-only. Crove never deletes audit records, even when you delete the underlying document — the record stays and shows the document.deleted event with the actor who did it.

Filtering

The filter row lets you narrow the view down to what you actually need:

Search — matches the document name, case-insensitive
Events — multi-select dropdown grouped by domain. Click a domain heading to toggle all its events at once.
Actor — any / team member / respondent / system
Date range — two date pickers, inclusive of both endpoints. The end date includes the full day up to 23:59:59 local time.

The "Clear" button resets everything back to the unfiltered view. Filters apply to the Export CSV button too, so you can cut exactly the slice compliance asked for.

Exporting

Click Export CSV to download a CSV of up to 10,000 events matching the current filters. Columns:

Timestamp (UTC) — ISO 8601 timestamp
Event — event type string (e.g. document.completed)
Document ID — the UUID of the document the event happened to
Document — the document's human-readable name at the time of export
Actor Type — user / respondent / system
Actor — the team member's email, the respondent's marker, or system
Event Data — JSON blob with event-specific extras (e.g. IP, user agent, reason, file sizes, signer role)

If you need more than 10,000 rows, narrow with a date range and export in chunks.

Retention

Compared to Recent activity

The Recent activity card on the dashboard shows the most recent 10 events in the same data set. Think of that card as a live tail; the Audit log page is the full searchable archive behind it.

For a per-document view of the same events — including the certificate-of- completion PDF that merges into the signed document — open the document and switch to the Activity tab.

Audit log

What's recorded

Filtering

Exporting

Retention

Compared to Recent activity

On this page

Audit log

What's recorded

Filtering

Exporting

Retention

Compared to Recent activity

On this page