Audit & compliance
Immutable, org-scoped audit trails for access, consent, sync, verification, and administrative actions — built for regulator and program-integrity review.
Last updated June 2026
Audit philosophy
Audit intelligence is a platform AI capability — regulators and HMOs review verified delivery, not reconstructed billing. Every identity check, consent change, record access, and sync outcome produces a structured audit event.
Immutable logs
What we log
| Category | Example events | Payload fields |
|---|---|---|
| Access | record.viewed, chart.opened | actor, subject_id, scope, IP hash |
| Consent | consent.created, consent.revoked, consent.approved | scopes, org_id, subject_cura_id |
| Verification | verification.created | outcome, reason, flags |
| EHR sync | ehr.sync.started, ehr.sync.failed | resource type, patient id, error code |
| Admin | webhook.created, membership.invited, api_key.rotated | target url, role, actor |
| Billing | claim.submitted, claim.quarantined | encounter id, payer, pre-check result |
Each entry includes: org_id, event, payload (JSON), created_at, and resolved actor name.
Audit API
/api/auditFetch recent audit logs for an organization.
Query parameters: org_id (required), limit (default 100, max 500).
Admin operators use GET /api/admin/logs for cross-tenant support with platform permissions.
Reporting & exports
- Filter by actor, event type, date range in provider admin UI
- CSV export for SIEM ingestion or regulator submission
- Print-friendly PDF for onsite inspections
- HMO program-integrity views correlate verifications with claims (Billing docs)
Regulatory alignment
| Framework | How Curably supports |
|---|---|
| NDPR (Nigeria) | Consent logs, access transparency, data residency |
| Kenya DPA | Purpose limitation, patient access rights |
| NHIA / HMO guidelines | Encounter evidence before claims adjudication |
| HIPAA (US partners) | BAA available; audit trail for PHI access |
| ISO 27001 alignment | Access control, logging, incident response |
Full security posture: Security overview
Retention
- Production audit logs: 7 years default (contract-configurable)
- Sandbox: 90 days
- Export before org offboarding; deletion follows data processing agreement