Use case · compliance & audit history

Seven years of history, one query away.

When an auditor asks who touched what, when it happened, and whether the record is complete, the answer is one query against telemetry that has stayed hot the whole time. No archive to thaw, no reconstruction to defend, no gaps to explain.

Answering

From question to evidence set.

Pick an audit question and watch the answer resolve: the scope of the search, the year-deep records it reaches, and an evidence set ready to export. Every timestamp is a real position in the retained record, years back and still hot.

An audit answer console. Selecting one of four audit questions renders a mono answer trail: the question, the scope of the search, the year-deep records found in the retained telemetry, and an exportable evidence set. The trail can be stepped through and is shown in full when reduced motion is preferred.

Ask the record

bloo · auditaccess-review
answer complete

The full story

Answer the auditor from the primary record.

Most compliance programs defend their telemetry story with a mix of archives, screenshots, and institutional memory. This article walks through what changes when the story is simply the record itself: what the mandates actually demand, why archives fail audits that hot history passes, and how residency and fidelity become properties instead of projects.

What an auditor is really asking

Every audit question reduces to the same three parts: show me what happened, prove the record is complete, and prove it has not been altered. The specific prompt might be about privileged access to a payments system, the handling of a past incident, or the enforcement of a retention policy, but the shape never changes. What the auditor is testing is not your security posture, it is your memory.

That is why compliance is a telemetry problem before it is a policy problem. A control that fired without a record is indistinguishable from a control that never fired. Organizations discover this at the worst moment, mid-audit, when the evidence for a control turns out to live in a tool that was decommissioned or a window that expired. The pattern is common enough that we wrote about it directly in security log retention: regulation, risk, and reality.

On Bloo, the audit answer is a query against Datafabric, the substrate that has been capturing the primary record at full fidelity all along. The console above this article shows the workflow: question in, scoped search across years of hot history, evidence set out.

The mandates, and what they actually require

Regulated industries carry explicit retention numbers. PCI DSS wants a year of audit trail with three months immediately available. SOX evidence cycles run to seven years. SEC rules for broker-dealers, OCC expectations for banks, and the EU's DORA regime for operational resilience each add their own horizon, and the practical superset lands between five and seven years. We map the financial-services landscape in detail in log retention for financial services and the EU regime specifically in DORA telemetry retention.

The subtle requirement is not the number of years, it is the usability of the record across them. A mandate satisfied by an unreadable archive is satisfied only until someone asks a question. Auditors increasingly do ask, with specific entities and specific date ranges, and the response clock is measured in days. Our broader survey, security log retention and compliance, covers how frameworks from HIPAA to ISO 27001 make the same demand in different words: retained means retrievable.

Why archives fail audits that hot history passes

The standard architecture splits the record: a short hot window in the SIEM for operations, and years of cold object storage for the mandate. The split exists for one reason, ingestion-priced platforms make hot retention unaffordable, an economics we take apart in SIEM ingestion cost and SIEM versus security data lake.

Under audit pressure the split becomes the weakness. Answering from an archive means a restore project: provisioning a temporary cluster, re-ingesting terabytes, rediscovering that the schema changed twice in three years, and burning the response window on plumbing. Datafabric removes the split rather than managing it. The whole retention term stays hot for its full life, and search reaches every year of it with the same latency as last week. A seven-year-old record is one query away, which is precisely the property the console above demonstrates.

Residency by construction, not by contract

Every audit of telemetry eventually asks where the data physically lives and who can reach it. For most SaaS analytics platforms the honest answer involves a vendor's cloud, a data processing agreement, and a diagram with more arrows than anyone is comfortable defending.

Datafabric's answer is structural: the fabric runs inside your own cloud account, so the telemetry never leaves your jurisdiction to be collected, retained, or queried. The query, the matching records, and the exported evidence set all resolve where the data already lives. Data residency stops being a contract clause and becomes a deployment fact, which is a much shorter conversation with a regulator. For sectors where this dominates, financial services in particular, residency by construction is often the deciding property, a theme that runs through our FinTech compliance work.

Full fidelity means no gaps to explain

Sampling and dropped fields are what turn an audit into a negotiation. The moment an evidence set is a selection rather than a record, the conversation shifts from what happened to why the rest was not kept, and no answer to that question improves the auditor's mood.

Datafabric captures every field of every record, the property we define precisely in what full-fidelity log retention means. The evidence set is complete by construction, so the answer stands on its own. Completeness also compounds: the same unsampled record that satisfies the auditor is what lets an investigation reconstruct an incident with chain of custody and lets detection sweep years of history. One record, kept properly once, serves every consumer that needs it.

The record outlives the tools, the team, and the schema

Audits reach back further than most things in an IT organization last. Across a seven-year horizon the SIEM gets replaced, the pipeline gets rebuilt, the analyst who answered the last audit moves on, and every source changes its log format at least once. A compliance story built on tools inherits the lifespan of those tools, a failure mode we dissect in why financial services SIEMs fail.

  • Tool churn. Because the telemetry lives in the fabric rather than in whichever tool collected it, a vendor change never opens a hole in the history.
  • Team churn. Institutional memory sits in the record, not in someone's head, so an answer produced three years ago is reproducible today by whoever holds the keyboard now.
  • Format churn. Full-fidelity capture in an open data format keeps the original fields, so a record from years ago reads with the same completeness as one written this week.

Durability is the quiet argument for treating telemetry as organizational memory rather than as tool exhaust: memory is supposed to outlast the circumstances that created it.

The economics of keeping seven years hot

None of this matters if seven hot years are unaffordable, and on ingestion-priced platforms they are, which is how the archive split happened in the first place. The math is unforgiving: volume grows every year, the meter runs on every gigabyte, and retention becomes the first budget casualty. We walk the numbers in the true cost of SIEM.

Datafabric inverts the model: economics scale with time, not volume, with no ingestion penalty, running on storage you already own inside your own cloud. A compliance retention term becomes a predictable line item that can be planned years ahead, the approach behind our enterprise logging and risk and compliance solutions. The mandate stops being the expensive afterthought and becomes a side effect of infrastructure the organization wanted anyway.

Datafabric holds the full retention term hot, inside your own cloud.

Related reading

Articles

From the blog

Answer the next audit from the record.

See how years of full-fidelity telemetry turn an audit request into a single, exportable answer.

We use cookies to provide essential site functionality and, with your consent, to analyze site usage and enhance your experience. View our Privacy Policy