Log Management Policy

Purpose & Scope

This policy defines what log data is generated, where it is stored, how it is protected, and how it is used for security monitoring and incident response across the Ecosystem Page API, web application and infrastructure.

What is Logged

Ecosystem Page uses Pino structured logging on the API and Next.js server logs on the web. The following events are captured:

• Authentication events: magic-link issuance, token verification, refresh rotation and logout (without secrets).
• Authorization decisions: ecosystem-membership and role-check failures, IDOR-prevention rejects.
• Rate-limit triggers from the Upstash Redis sliding-window counters.
• AI-moderation outcomes, content reports and moderation actions.
• Application errors and exceptions with full stack traces (server-side only).
• Critical infrastructure events: Railway and Vercel deployment events, database connection failures.

Storage, Protection & Access

Logs are processed and retained as follows:

• Pino logs are emitted as structured JSON with PII fields scrubbed at the source (no email or token bodies).
• Hosting providers (Railway, Vercel) retain runtime logs according to their plan defaults.
• Production builds disable console.log; only the structured logger writes output.
• Stack traces are never returned to clients in production responses.
• Access to runtime logs is restricted to Plademy Oy engineering accounts.

Use of Logs

Logs are used strictly for the following purposes:

• Investigating security events and supporting the Incident Management process.
• Diagnosing platform errors and tracking service health.
• Honouring data subject and law enforcement requests within legal obligations.
• Verifying audit trails for moderation actions and admin operations.

Review & Contact

Logging configuration is reviewed at least annually and after any change to logging providers. Concerns about log content or retention can be sent to developer@plademy.com.