Logging data

The ClauseBase platform stores log-data for four different purposes:

• Security, e.g. to detect attacks by malicious actors and availability, e.g. to detect whether servers would reach capacity limitations. ClauseBase is ISO 27001 certified, and central logging is an important requirement under this certification scheme. Similarly, the logs also allow to detect abuse, e.g. to trace whether customers would store illegal information.

• Provide support to users, e.g. to investigate why something does not seem to work.

• Invoicing and usage limitations, e.g. to track the number of translations and LLM requests submitted by customers, and to track the number of DOCX/PDF documents exported by customers (e.g., to invoice customers who are licensing the platform on a per-export basis)

• Customer usage, e.g. to check which features are popular and which customers are actively using the platform

Location

Log data is either stored locally on the relevant server (e.g., in Germany, for enterprise customers), or centrally on our central logging server in Amsterdam.

Inspections

The centralised log data is frequently inspected by the ClauseBase team, through a variety of dashboards, such as the one below.

Only metadata

Care is taken that the logs, in general, only contain metadata. In the few instances where it is relevant from a logging/security perspective to store non-metadata, that data is encrypted by the ClauseBase platform instance before being inserted into the log file.

A sample event looks as follows:

Data being logged

Central logs for server requests

Every time the user performs an action at the server (e.g., opening a Clause9 Q&A, storing a clause in ClauseBuddy, redrafting text using ClauseBuddy's AI features, etc.), this event gets logged in the central log. These central logs are kept for 18 months.

Temporary logs

Important internal API events

During a period of 1 month, the full content of the most important events (+ user ID and timestamp) are being logged into a temporary log at each server:

• Updates to files and folders

• Updates to documents and Q&As

• Clauses sent to curators

• Updates to user account details

• Opening of anonymous links

Each night, the logs older than one month are being deleted.

Platform usage

During one month, the mere fact that a user is using the ClauseBase platform gets logged into a separate table of the secondary PostgreSQL database of each instance.

Each night, the logs older than one month are being deleted.

Invoice-related logging

In each platform instance's secondary PostgreSQL database, logs are kept for invoicing purposes, as explained elsewhere.

These logs are kept for 7 years, i.e. the term under Belgian law during which invoices can be contested.

Crash logs

When an internal API event crashes or generators an error, an email with relevant details gets sent to ClauseBase developer team, for analysis.