Audit Logging System Design for SaaS at Pre-Seed Stage
Pre-seed founders face a constant build-fast vs. build-right tradeoff. Audit logging almost always loses. It is invisible to users, does not ship features, and rarely makes the MVP list. That is the wrong call.
Audit logging retrofitted at Series A — under SOC 2 pressure, with 50,000 active records and a multi-tenant schema — costs months. Audit logging built at pre-seed costs two days. The gap between those outcomes is the entire point of this guide.
This article covers what pre-seed SaaS founders should actually build now, what they can safely defer, and how to design a minimal logging foundation that earns its place from day one and compounds in value as the company scales.
Why Pre-Seed Founders Need an Audit Log (Yes, Even Now)
The standard objection is: "I'll add it when I need it." The problem is that audit logs need historical data to be useful. When your first enterprise prospect asks for an audit log in their security review, a log that starts the day you added the feature tells them nothing — and signals that you did not think about this from the start.
Three things happen at pre-seed where audit logging is immediately valuable:
- Debugging production incidents — when something goes wrong and you have no record of the sequence of actions that led to the problem
- Customer disputes — when a customer reports "someone deleted our data" and you cannot tell who did what or when
- Your own access to customer data — every time you access a customer's account for debugging or support, that access should be logged. Customers expect this. Compliance frameworks require it.
None of these require a complete, SOC 2-grade audit system. They require a small, well-structured log that captures the events that matter. That is the goal at pre-seed.
The Minimum Viable Audit Log: Five Event Categories
At pre-seed, you do not need to log everything. You need to log the events that are irreversible, security-sensitive, or likely to be disputed. That narrows the list considerably.
The Five Categories to Log Now
- Authentication events — login, logout, failed login attempts, password reset, MFA enrollment and removal. These are the security baseline. Every compliance framework requires them.
- Data destruction events — delete, purge, archive, and bulk-remove operations. These are irreversible and the most common cause of customer disputes at early stage.
- Admin and team access to customer data — every time a member of your team accesses a customer account (for support, debugging, or any other reason), log it. This is both a security requirement and a customer trust expectation.
- Billing and plan events — plan upgrades, downgrades, cancellations, payment failures, trial conversions. Billing disputes are common early on. Having the log resolves them quickly.
- Permission and role changes — when a user's access level changes, when a new admin is added, or when a user is removed from an account. Role escalation is a common attack vector.
Everything else — general CRUD operations, read events, feature-level activity — can be deferred until you have a clear reason to add it.
Pre-Seed Event Priority
| Event Category | Priority | Reason |
|---|---|---|
| Authentication events | Required now | Security baseline; required by all compliance frameworks |
| Data destruction events | Required now | Irreversible; most common early-stage customer dispute |
| Admin access to customer data | Required now | Trust and compliance; customers expect this logged |
| Billing events | High | Disputes are common; a log resolves them in minutes |
| Permission and role changes | High | Access control integrity; security baseline |
| General CRUD events | Defer | High volume, lower signal at pre-seed |
| Read and view events | Defer | Very high volume; only required for regulated data categories |
Simple Implementation for a Tiny Team
The pre-seed audit log does not need a separate service, a dedicated database, or a message queue. It needs a well-structured table in your primary database and a disciplined habit of writing to it at the right moments.
Minimal Schema
CREATE TABLE audit_events (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
account_id TEXT NOT NULL,
actor_id TEXT NOT NULL,
actor_email TEXT,
action TEXT NOT NULL, -- e.g. 'user.deleted', 'billing.plan_changed'
resource_type TEXT NOT NULL,
resource_id TEXT,
metadata JSONB, -- action-specific context
ip_address TEXT,
result TEXT NOT NULL DEFAULT 'success' -- 'success' or 'failure'
);
CREATE INDEX idx_audit_account_time
ON audit_events (account_id, timestamp DESC);
CREATE INDEX idx_audit_actor_time
ON audit_events (actor_id, timestamp DESC);This schema supports every query pattern you will need at pre-seed: account-level activity, actor-level activity, and event type filtering via the action field.
Action Naming Convention
Use a resource.verb pattern: user.deleted, billing.plan_changed, document.bulk_purged, admin.account_accessed. Consistent naming enables prefix-based filtering without custom logic. Choose names that are readable directly from a SQL query — you will not always have a UI when you need this data.
Where to Store It
In your primary database, in a dedicated schema (audit or audit_log). A separate schema prevents audit queries from polluting your main query namespace and makes it easy to apply different permissions later. No separate database is needed until you are processing more than a few thousand events per day.
The Immutability Minimum
Even at pre-seed, revoke UPDATE and DELETE on the audit table from your application database user. The application can INSERT and SELECT — not modify. This is two lines of SQL and prevents both accidental deletion and the most common application-layer tampering vectors.
REVOKE UPDATE, DELETE, TRUNCATE
ON audit.audit_events
FROM app_user;
GRANT INSERT, SELECT
ON audit.audit_events
TO app_user;What to Safely Defer Until Seed Stage
Pre-seed is not the time to build a full audit infrastructure. These belong on the seed-stage roadmap, not the pre-seed backlog:
- Customer-facing audit log UI — enterprise buyers will ask for this, but it is a seed-stage feature. At pre-seed, direct database access is sufficient for your own investigations.
- Cryptographic chaining — tamper-evident hash chains are a compliance enhancement, not a day-one requirement. Row-level immutability via database permissions comes first.
- Retention automation and archival tiers — hot/warm/cold tiering with automated archival is a seed-stage concern. At pre-seed, keep everything in the primary database and set a manual reminder to review retention at 90 days.
- Async message queue-based logging — writing audit events synchronously in the same transaction as the primary operation is the correct default at pre-seed. Async pipelines add complexity not justified until volume exceeds a few thousand events per day.
- Advanced filtering and export for enterprise buyers — build the data correctly now; build the UI later. The schema above supports every filter you will eventually need.
Making the Foundation SOC 2-Ready
SOC 2 Type II is typically the first compliance framework pre-seed SaaS companies pursue when selling to enterprise. It is not a pre-seed requirement, but the audit log you build now will be evaluated in your first SOC 2 audit.
What SOC 2 Auditors Look For
SOC 2 Trust Services Criteria CC7.2 and CC7.3 require evidence that security incidents and anomalous activity are detected and responded to. Auditors review:
- Whether authentication failures are logged
- Whether privileged access to customer data is logged
- Whether permission escalations are logged
- The retention period of audit logs (12 months is the standard minimum)
- Evidence that audit logs cannot be modified (immutability controls)
The minimal implementation above satisfies the event coverage requirements. Two additions before your first SOC 2 audit: a formal retention policy document (12 months minimum, written down) and monitoring that alerts when the audit log write pipeline fails — gaps in coverage are an auditor finding.
Retention Policy at Pre-Seed
Define the retention period before you have customers. Write it as a one-paragraph internal document: "Audit logs are retained for 12 months. Events older than 12 months are archived to [location] and retained for an additional [X] years before deletion." Auditors want the policy document, not just evidence that old rows are deleted. Update it when you implement archival automation at seed stage.
The Pre-Seed Audit Logging Stack
Specific tool recommendations based on common pre-seed SaaS stacks:
PostgreSQL
Store audit events in a dedicated audit schema within your primary PostgreSQL database. Use the schema above. Apply immutability permissions on day one. When query volume grows, add a read replica for audit queries. When you outgrow the primary database, export to ClickHouse or Timescale.
Supabase
Supabase has built-in audit logging for database-level events, but it does not capture application-level events like billing changes or admin access patterns. Create the audit table in your application schema and write to it from application code. Use Supabase Row Level Security to restrict INSERT to your service role only — this enforces immutability at the platform layer.
PlanetScale or Neon
Branching databases complicate immutability guarantees — schema branches should not include audit data. Use a separate, non-branching connection for your audit table, or store audit events in a separate database from the start.
Hosted Audit Log Services
Services like WorkOS Audit Logs abstract schema and storage. The tradeoff: faster to integrate, harder to customize, vendor-dependent. For most pre-seed teams, a simple PostgreSQL table is faster to set up than an external integration and gives you full control. Revisit hosted services when you need a customer-facing audit UI with filtering and export — that is where they earn their cost.