Appcircle Logging and Monitoring Policy¶
Effective date: 2025-04-10 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy defines Appcircle's requirements for logging security-relevant events and monitoring systems to support timely detection of suspicious or harmful activity, incident investigation, and compliance with applicable regulatory and contractual obligations.
Scope¶
This policy applies to:
- All Appcircle-operated production systems, services, and infrastructure components.
- Supporting environments (staging, CI/CD) where security-relevant events are generated.
- Third-party services that process Appcircle or customer data, where contractually feasible.
- Appcircle's workforce and anyone granted access to Appcircle systems or log data.
Key definitions¶
- Security-relevant event: Any action or state change that may affect the confidentiality, integrity, or availability of Appcircle systems or data.
- Log: A timestamped record of an event captured by a system, application, or service.
- Monitoring: The ongoing observation and analysis of logs and system metrics to detect anomalies, failures, or potential security incidents.
- Alert: An automated notification triggered when a monitored condition exceeds a defined threshold or matches a detection rule.
Policy statements¶
Event logging¶
Security-relevant events must be logged across all production systems. At a minimum, the following categories of events are captured:
- Authentication and session activity: Successful and failed login attempts, multi-factor authentication events, session creation and termination, and token issuance.
- Authorization and privilege changes: Permission modifications, role assignments, privilege escalations, and access grant or revoke actions.
- Administrative actions: User account lifecycle events (creation, modification, deletion), system and security configuration changes.
- Data access and modification: Access to sensitive data stores (including stores containing personal data), bulk data operations, schema changes, and data deletion events. Logging of personal data access supports traceability of processing activities in accordance with data minimization principles.
- Infrastructure and deployment activity: Service lifecycle events, deployment actions, container and orchestration changes, and network configuration modifications.
- Security-specific events: Firewall and security-group changes, certificate operations, secret and key access events, and vulnerability scan results.
- Errors and failures: Application errors, system failures, connectivity issues, and resource exhaustion events.
Log content and data protection¶
Each log entry includes, at a minimum: a timestamp (UTC), event type, source system, actor identity, action performed, outcome, and source network address where applicable.
System clocks across all logging sources are synchronized to an approved, reliable time source to ensure log consistency and support accurate event correlation.
Logs must not contain plaintext passwords, credentials, unmasked payment card data, or personally identifiable information beyond what is necessary for event identification. Log content is handled in accordance with the Data Protection Policy and applicable privacy regulations (including GDPR and KVKK).
When log data is shared with third parties (including auditors), personally identifiable information is limited to non-direct identifiers such as service account identifiers and source network addresses, unless a specific legal or contractual basis requires otherwise.
Centralized log management¶
- Logs from production systems are forwarded to a centralized log management platform to support structured querying, correlation, and investigation.
- Log collection is automated; manual log generation is not acceptable as a primary mechanism.
- Log data is encrypted in transit between source systems and the centralized platform.
Log retention¶
- Log retention periods are defined based on regulatory, contractual, and operational requirements.
- Retention periods are reviewed at least annually and adjusted when requirements change.
- Logs are not modified or deleted before the applicable retention period expires, except through an approved exception process.
- Retention periods and disposal procedures are documented in internal standards.
Log integrity and access control¶
- Access to log data is restricted to authorized personnel on a need-to-know basis.
- Administrative access to the log management platform is limited and itself logged.
- Separation of duties is enforced: personnel with administrative privileges on production systems must not have the ability to erase or deactivate logs of their own activities.
- Log data is protected against unauthorized modification or deletion. Integrity monitoring or change-detection mechanisms are applied to detect unauthorized alterations to log data.
- Changes to logging configuration (e.g., disabling a log source, modifying retention settings) follow the change management process and are logged as administrative actions.
Monitoring and alerting¶
Appcircle maintains monitoring and alerting capabilities to support timely detection of:
- Security anomalies: Unusual authentication patterns, unauthorized access attempts, privilege escalation, and indicators of compromise.
- Availability and performance issues: Service outages, resource exhaustion, and degraded response times.
-
Infrastructure health: Host, container, network, and storage health metrics.
-
Critical security control failures: Failures of critical security control systems (including network security controls, intrusion detection/prevention, access controls, anti-malware, and audit logging mechanisms) are detected and alerted. Failures are responded to in accordance with incident response procedures, including restoration of the control, documentation of the failure duration and root cause, and implementation of measures to prevent recurrence.
Alerting requirements:
- Critical security and availability alerts are routed to the responsible on-call team for timely acknowledgement and response.
- Alert rules are reviewed and tuned periodically to maintain an appropriate balance between detection coverage and false-positive rates.
- Alerting configurations are subject to change management.
- The effectiveness of monitoring controls is evaluated periodically as part of the security program's continuous improvement objectives.
Log review¶
- Security-relevant logs are reviewed on a regular, defined schedule to identify trends, anomalies, or indicators of compromise.
- Findings from log reviews are documented and, where appropriate, escalated through the incident response process.
- Review frequency and scope are documented in internal standards and adjusted based on risk.
Incident support¶
- Logging and monitoring data is available to support the Incident Response Plan.
- During an active security incident, relevant logs are preserved beyond standard retention periods if required for investigation or legal hold.
- Post-incident reviews include an assessment of whether logging and monitoring coverage was sufficient.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Owns and reviews this policy; ensures alignment with security and compliance objectives.
- Platform / Operations: Implements and operates logging and monitoring infrastructure; manages retention, access controls, and alerting.
- Engineering teams: Ensure applications emit required log events in compliance with this policy.
- All personnel: Report suspected logging gaps, monitoring blind spots, or anomalous activity through approved channels.
Regulatory alignment¶
This policy supports compliance with applicable regulatory and industry frameworks, including:
- SOC 2 (Trust Services Criteria — Common Criteria and Monitoring)
- ISO/IEC 27001 (A.8.15 Logging, A.8.16 Monitoring activities)
- ISO/IEC 27701 (Privacy-specific logging and monitoring controls)
- GDPR (Article 5 — Accountability, Article 32 — Security of processing)
- KVKK (Article 12 — Data security obligations)
Specific control mappings are maintained in internal compliance documentation.
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner (or an authorized delegate).
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to infrastructure, tooling, regulatory landscape, or contractual obligations.
Note
This public policy describes Appcircle's logging and monitoring requirements at a high level. Detailed internal standards and procedures (including specific retention periods, tooling configurations, review schedules, and alert rule definitions) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- Incident Response Plan
- Data Protection Policy
- Data Retention and Disposal Policy
- Change Management Policy
- System Access Control Policy