
# Audit logs, email logs & security

Votare keeps a record of the actions that matter, every email it sends, and the voting anomalies it catches — so you can answer "who did what, when?" and trust that your results are clean. This guide covers the audit log, email logs, the Violations feed, and the platform's overall security posture.

## Audit logs

The audit log captures sensitive actions across your organization so you have an accountable history. Recorded events include:

- Role changes
- Logins and failed login attempts
- Organization creation
- Voting violations
- Other sensitive administrative actions

Each entry records:

- **Actor** — who performed the action.
- **Timestamp** — when it happened.
- **IP address** — where the request came from.
- **User-agent** — the browser or client used.
- **Metadata** — action-specific details.

You can filter and review the audit log in Settings. Use it to investigate unexpected changes, confirm who removed a member or changed a role (see [Members, roles & groups](/docs/admin/members-and-roles)), or trace suspicious login activity.

## Email logs

Every transactional email your organization sends is recorded in the email log, including:

- Invitations
- Alerts
- Daily summaries
- Document reminders

Each log entry captures:

- **Provider** — Resend or Supabase.
- **Status** — sent or failed.
- **Message ID** — the provider's identifier for the message.
- **Error reason** — why a send failed, when it did.

Sends **retry automatically**, and messages that still can't be delivered are handled through a dead-letter path rather than silently disappearing. If a member says they never received an invite or reminder, the email log tells you whether it was sent, delivered, or failed — and why.

## Violations: catching voting fraud

The Violations feed surfaces voting fraud and anomalies so your results stay trustworthy. Votare detects and de-duplicates suspicious voting through several mechanisms:

- **Duplicate-vote detection** — repeated attempts to vote are flagged.
- **Device fingerprinting** — votes from the same device are recognized.
- **IP + user-agent de-duplication** — votes sharing an IP and user-agent are collapsed so one person can't look like many.
- **Email-alias normalization** — Gmail dot and plus tricks (like `name.surname@` or `name+anything@`) are normalized so a single mailbox can't masquerade as multiple voters.

Flagged events land in the Violations feed for you to review.

### Hackathon voting fraud prevention

Hackathon voting uses the same protections, tuned for public participation:

- **Device fingerprinting** and **IP + user-agent** checks to catch repeat voters.
- **Per-hackathon email allowlists** so only approved addresses can vote.
- **Alias normalization** to defeat Gmail dot/plus workarounds.

Anything the system flags shows up in Violations, giving you a clear trail when adjudicating close results.

## MVP vote audit trail is owner-only

Ordinary MVP history — leaderboards and past results — can be granted to members through the `mvp:view-history` permission. The **audit trail that reveals who voted for whom** is a separate, **owner-only** capability (`mvp:view-audit-trail`) and cannot be granted to anyone else. This keeps individual ballots private while still letting the right people see outcomes. See [Members, roles & groups](/docs/admin/members-and-roles) for how these permissions are assigned.

## Security posture

Votare is built on standard, defense-in-depth practices:

- **Authentication** — handled by Supabase Auth.
- **CSRF protection** — enforced on all mutations (any create, update, or delete).
- **Rate limiting** — applied to protect endpoints from abuse.
- **HTTPS** — all traffic is encrypted in transit.

Together with the audit log, email logs, and Violations feed, these give you both prevention and a reviewable record after the fact.

## Related

- [Members, roles & groups](/docs/admin/members-and-roles)
- [Organization settings & branding](/docs/admin/settings-and-branding)
- [Getting started as an admin](/docs/admin/getting-started)
