Audit Trail and Activity Log

The activity log records every create, update, and delete across donors, grants, funds, and allocations with the acting user, a timestamp, and a JSONB diff of before and after values. Records retain for the full federal requirement under 2 CFR 200.334 (three years after grant closeout), and an auditor-ready CSV export rebuilds the trail for any entity or period.

TL;DR

• Polymorphic activity log covers every mutable entity
• JSONB diff captures the full before and after state per changed field
• Append-only; no UI or API path to modify entries
• Retention default meets 2 CFR 200.334 federal records requirement
• CSV export filters by entity, date range, user, or grant for audit evidence

What this feature does

The activity log is the compliance record every nonprofit that accepts federal funds needs and most do not actually have. When an auditor samples ten grant expenditures and asks for the approval chain, the organization either produces it or accepts a finding. GrantPipe captures the chain automatically: every time a record changes, the log records who changed it, when, and exactly what changed. The export turns that into the evidence packet an auditor expects.

How it works

1. Every write through the API emits an activity entry via middleware
2. The entry carries entity type, entity ID, action (create, update, soft-delete, restore), user, and UTC timestamp
3. For updates, a JSONB diff captures changed fields with before and after values
4. Soft-delete and restore are logged as explicit actions, not side-effects
5. Entries are append-only; there is no mutation path
6. Exports filter by entity, user, grant, date range, or action type; output is CSV with JSON diff column

Who it’s for

Finance leads responding to the annual single audit under OMB Uniform Guidance. Executive directors fielding a funder compliance review. Board treasurers answering questions about who approved a transfer between restrictions. IT and compliance staff answering SOC 2 or data-handling questionnaires from major funders.

Why GrantPipe built it this way

Activity logging is often implemented as a per-entity audit table maintained by application code. That approach works until a new entity is added and the logging code is forgotten. The architectural decision was to make the log a middleware concern, not an application concern. Every write through the API passes through the same interceptor, so adding a new entity does not require remembering to add audit logging. The polymorphic shape (entity_type plus entity_id) means one table, not one per entity, which keeps exports simple. JSONB for the diff means the schema never has to change when a column is added, and the auditor sees the full shape of the change without joins.

What it replaces

• The per-record “last modified by” field that does not tell you what changed
• The ad-hoc spreadsheet of approvals the grants manager maintains for audit season
• The screenshot-of-the-email approval evidence packet
• The audit finding on weak documentation of changes to grant obligations
• The manual reconstruction of who approved a restriction reallocation six months ago

Start a free trial

Start a trial.