Audit logs, email logs & security
Review sensitive actions, trace every email, catch voting fraud, and understand the platform's security posture.
Votare keeps a record of the actions that matter, every email it sends, and the voting anomalies it catches — so you can answer "who did what, when?" and trust that your results are clean. This guide covers the audit log, email logs, the Violations feed, and the platform's overall security posture.
Audit logs#
The audit log captures sensitive actions across your organization so you have an accountable history. Recorded events include:
- Role changes
- Logins and failed login attempts
- Organization creation
- Voting violations
- Other sensitive administrative actions
Each entry records:
- Actor — who performed the action.
- Timestamp — when it happened.
- IP address — where the request came from.
- User-agent — the browser or client used.
- Metadata — action-specific details.
You can filter and review the audit log in Settings. Use it to investigate unexpected changes, confirm who removed a member or changed a role (see Members, roles & groups), or trace suspicious login activity.
Email logs#
Every transactional email your organization sends is recorded in the email log, including:
- Invitations
- Alerts
- Daily summaries
- Document reminders
Each log entry captures:
- Provider — Resend or Supabase.
- Status — sent or failed.
- Message ID — the provider's identifier for the message.
- Error reason — why a send failed, when it did.
Sends retry automatically, and messages that still can't be delivered are handled through a dead-letter path rather than silently disappearing. If a member says they never received an invite or reminder, the email log tells you whether it was sent, delivered, or failed — and why.
Violations: catching voting fraud#
The Violations feed surfaces voting fraud and anomalies so your results stay trustworthy. Votare detects and de-duplicates suspicious voting through several mechanisms:
- Duplicate-vote detection — repeated attempts to vote are flagged.
- Device fingerprinting — votes from the same device are recognized.
- IP + user-agent de-duplication — votes sharing an IP and user-agent are collapsed so one person can't look like many.
- Email-alias normalization — Gmail dot and plus tricks (like
name.surname@orname+anything@) are normalized so a single mailbox can't masquerade as multiple voters.
Flagged events land in the Violations feed for you to review.
Hackathon voting fraud prevention#
Hackathon voting uses the same protections, tuned for public participation:
- Device fingerprinting and IP + user-agent checks to catch repeat voters.
- Per-hackathon email allowlists so only approved addresses can vote.
- Alias normalization to defeat Gmail dot/plus workarounds.
Anything the system flags shows up in Violations, giving you a clear trail when adjudicating close results.
MVP vote audit trail is owner-only#
Ordinary MVP history — leaderboards and past results — can be granted to members through the mvp:view-history permission. The audit trail that reveals who voted for whom is a separate, owner-only capability (mvp:view-audit-trail) and cannot be granted to anyone else. This keeps individual ballots private while still letting the right people see outcomes. See Members, roles & groups for how these permissions are assigned.
Security posture#
Votare is built on standard, defense-in-depth practices:
- Authentication — handled by Supabase Auth.
- CSRF protection — enforced on all mutations (any create, update, or delete).
- Rate limiting — applied to protect endpoints from abuse.
- HTTPS — all traffic is encrypted in transit.
Together with the audit log, email logs, and Violations feed, these give you both prevention and a reviewable record after the fact.