Audit Log & Reporting
DataGrail maintains a full audit trail for every DROP deletion request processed on your behalf. DROP requests are also visible in the Request Manager queue, where your team can track processing status alongside all other privacy requests. This article covers what is recorded in the audit log, how to access it, how to export data for compliance reporting, and how to monitor your 45-day SLA compliance.
What is Recorded
For every DROP deletion request, DataGrail records the following:
| Field | Description |
|---|---|
| Request ID | DataGrail's internal tracking ID for the deletion request |
| DROP Session ID | The DROP registry session/cycle the request originated from |
| Broker ID | Your CalPrivacy data broker registration number |
| Hash Type | The identifier list type that produced the match (email, phone, ndz, name_vin, maid, ctvid) |
| Match Outcome | Whether the request resulted in a confirmed match, no match, or uncertain match |
| Remote Identifier | Your consumer pointer — the value you sent during ingestion |
| Ingestion Timestamp | When DataGrail received the request from the DROP registry |
| Match Timestamp | When the identity matching step completed |
| Dispatch Timestamp | When DataGrail dispatched the deletion to your system |
| Completion Timestamp | When your system confirmed deletion via callback |
| Registry Confirmation Timestamp | When DataGrail reported the outcome back to the DROP registry |
| Final Status | deleted, not_found, opted_out, or failed |
Accessing the Audit Log
- Navigate to Data Broker Compliance in the left sidebar.
- Select the DROP Status tab.
- Use the date range filter to scope the view to a specific period.
- Select any request row to view the full lifecycle detail for that request.
You can filter the audit log by:
- Date range — scope to a specific DROP session or time window
- Status — filter by deleted, not_found, opted_out, or failed
- Hash type — filter by identifier list type
- Match outcome — filter by confirmed match, no match, or uncertain match
Monitoring 45-Day SLA Compliance
The audit log includes a Days to Completion column that shows how long each request took from ingestion to registry confirmation. DataGrail will surface any requests approaching or exceeding the 45-day SLA with a warning indicator.
Requests that have not reached a final status within 40 days will be flagged in the audit log. Investigate and resolve these immediately to avoid the $200 per request, per day penalty that applies after the 45-day window.
To view at-risk requests:
- Navigate to Data Broker Compliance > DROP Status.
- Select the At Risk filter to surface requests within 5 days of the 45-day deadline.
- Review each flagged request and resolve any outstanding deletion callbacks.
Exporting Audit Data
DataGrail supports exporting audit log data to a cloud storage bucket you own for use in compliance reporting, SIEM integration, or internal audit processes.
- Navigate to Data Broker Compliance > DROP Status.
- Select Export.
- Choose your date range and file format (CSV or JSON).
- Select Download to export directly, or configure a cloud storage destination under Settings for automated daily exports.
For ongoing compliance reporting, configure a cloud storage destination in DataGrail to receive automated daily audit log exports. This creates a durable, date-partitioned record of all DROP activity that can be ingested into your SIEM or reviewed during regulatory audits.
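One way to run the 40-day and 45-day checks over an exported JSON file before it reaches your SIEM. This is an added example, not DataGrail code: the export key names (request_id, ingestion_timestamp, registry_confirmation_timestamp, final_status), the state labels, and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

FINAL_STATUSES = {"deleted", "not_found", "opted_out", "failed"}  # Final Status values
FLAG_AFTER = timedelta(days=40)  # flagged when no final status within 40 days
SLA = timedelta(days=45)         # 45-day SLA window

def rec(rid, ingested, confirmed=None, status=None):
    """Build one constructed record; key names are assumed, not DataGrail's schema."""
    return {"request_id": rid, "ingestion_timestamp": ingested,
            "registry_confirmation_timestamp": confirmed, "final_status": status}

# Constructed sample export and evaluation time (not real DataGrail data).
SAMPLE_EXPORT = json.dumps([
    rec("R-1001", "2026-01-05T00:00:00+00:00", "2026-01-20T00:00:00+00:00", "deleted"),
    rec("R-1002", "2026-01-19T00:00:00+00:00"),
    rec("R-1003", "2026-01-10T00:00:00+00:00"),
    rec("R-1004", "2026-02-20T00:00:00+00:00"),
    rec("R-1005", "2025-12-01T00:00:00+00:00", "2026-01-20T00:00:00+00:00", "not_found"),
])
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

def parse_ts(value):
    return datetime.fromisoformat(value) if value else None

def classify(record, now):
    """Return (state, whole days elapsed) for one audit record."""
    ingested = parse_ts(record["ingestion_timestamp"])
    confirmed = parse_ts(record.get("registry_confirmation_timestamp"))
    if record.get("final_status") in FINAL_STATUSES and confirmed:
        elapsed = confirmed - ingested  # Days to Completion: ingestion to registry confirmation
        return ("late" if elapsed > SLA else "closed"), elapsed.days
    elapsed = now - ingested  # no registry confirmation yet: age against the clock
    if elapsed > SLA:
        return "overdue", elapsed.days
    if elapsed >= FLAG_AFTER:
        return "at_risk", elapsed.days
    return "open", elapsed.days

def sla_report(export_json, now):
    return {r["request_id"]: classify(r, now) for r in json.loads(export_json)}

def needs_attention(report):
    """Request IDs that are inside the last 5 days, past the deadline, or closed late."""
    return sorted(rid for rid, (state, _) in report.items()
                  if state in {"at_risk", "overdue", "late"})

if __name__ == "__main__":
    for rid, (state, days) in sla_report(SAMPLE_EXPORT, SAMPLE_NOW).items():
        print(rid, state, days)
```

A record counts as closed here only when it has both a final status and a registry confirmation timestamp; anything else is aged against the current time.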
Deletion Confirmation Records
Each completed deletion in the audit log serves as your record of compliance for that DROP request. In the event of a CPPA inquiry or audit, DataGrail's audit log provides:
- Timestamped evidence that the request was received within the monitoring window
- Confirmation that deletion was processed within the 45-day SLA
- The specific outcome reported back to the DROP registry
DataGrail retains audit log data for the duration of your partnership to support long-term compliance recordkeeping.
| Code | Meaning |
|---|---|
| 3 | Deleted |
| 4 | Opted out |
| 5 | Not found in your systems |
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.