Back to blog Security

Audit trails in access control: more than just logging

Why immutable access logs are a competitive advantage

30 Jan 2026
Audit trails in access control: more than just logging

What an audit trail actually is

An audit trail is a chronological, immutable log of all events in a system. In the context of access control, that means: every door opening, every failed access attempt, every rights change, every admin login.

“Immutable” is the key word here. A log that can be subsequently altered or deleted is legally worthless and operationally useless. A proper audit trail cannot be changed retroactively — not by the system itself, not by admins, not by tenants.

For self-storage operators, the audit trail has direct legal relevance. If a tenant claims their goods were stolen and accuses the operator of inadequate security, the access log is central evidence.

The log can show:

  • When the unit was last accessed, by whom
  • Whether there were unauthorised access attempts
  • Whether there were technical faults at the relevant time
  • Whether the access rights were properly set up

Without a tamper-proof log, this evidence doesn’t exist. With it, many disputes can be resolved quickly and out of court.

GDPR and data minimisation

The audit trail must comply with GDPR. Access data is personal data — it documents the presence of a specific person at a specific time at a specific location.

The key requirements:

  • Storage limitation: Access logs must not be kept indefinitely. A typical retention period is 90–180 days, unless there is a specific reason for longer storage (legal dispute, investigation).
  • Right to erasure: If a tenant exercises the right to erasure, the access logs associated with them must also be deleted.
  • Data minimisation: Only the data actually necessary should be logged. The log entry should contain the tenant ID, unit, timestamp and result — not unnecessary additional data.

sedisto implements all these requirements natively. Retention periods are configurable, right-to-erasure requests can be processed automatically, and the log schema is documented and minimised.

Beyond legal relevance, the audit trail offers practical benefits:

Dispute resolution: A tenant claims the door was broken on Saturday morning. The log shows: 23 successful openings between Friday 22:00 and Monday 06:00. The issue was elsewhere.

Security analysis: Unusual access patterns — many failed attempts, access attempts outside contracted hours, access at unusual times — can indicate problems. A good audit trail enables automated alerting.

Process optimisation: Which units are accessed most frequently? At what times are most tenants on site? This data helps with capacity planning and security concepts.

Handover documentation: When tenants move out, the last access documentation is part of the orderly handover. When was the unit last accessed? Were there any anomalies?

What to look for when choosing a system

Not all access logs are equal. Points to check:

Tamper-proofing: How is immutability guaranteed technically? Cryptographic chaining (like in blockchain) is the gold standard. Simple database entries that can be overwritten are not enough.

Completeness: Is everything logged — including failed attempts, admin actions, system events? A log that only records successful openings misses the most important data.

Export: Can the log be exported? In what format? CSV and JSON are standard. A system that locks access data in is a risk.

Retention management: Are retention periods configurable? Is the deletion process documented and verifiable?

Integration: Can the log data be connected to the booking system to enrich events with booking context (tenant name, unit, contract)?

sedisto provides a fully documented audit trail API with configurable retention, automated GDPR deletion and CSV/JSON export. The data can also be forwarded directly to SIEM systems via webhook.