Finducation - EZBudget™
Logging and Monitoring Policy
Audit trails, structured logging, and monitoring for production assets and APIs.
1. Policy Statement
Deseo Developers LLC maintains logging and monitoring practices to support security detection, troubleshooting, and auditability for material events affecting Finducation production assets, including EZBudget APIs and integrated financial services.
2. Scope
- Netlify serverless functions and API gateway routes (
/api/*) - Authentication and session validation flows (Supabase Auth)
- Plaid integration handlers and related backend operations
- Deployment and build pipeline status (Netlify, GitHub)
- Database and storage services (Supabase) as exposed through provider audit capabilities
3. Logging Standards
3.1 Structured Application Logs
- Backend functions use structured JSON logging via
shared/lib/logger.js. - Log entries include timestamp, severity level, message, and contextual metadata (e.g., module name).
- Secrets, credentials, and full financial account numbers are not written to application logs.
3.2 Material Events Logged
| Event Category | Examples | Log Location |
|---|---|---|
| Authentication | Token validation failures, auth provider errors | API function logs; Supabase Auth logs |
| API errors | 4xx/5xx responses, unhandled exceptions, validation failures | Netlify function logs |
| Financial integrations | Plaid link/token errors, sync failures, MFA gate rejections | Plaid handler function logs |
| Operational | Deployment outcomes, build failures | Netlify deploy logs; GitHub Actions (where enabled) |
4. Monitoring and Review
- Engineering personnel review logs during incident triage, support escalations, and post-incident analysis.
- Deployment platform status and error rates are monitored through Netlify dashboards.
- Authentication anomalies are investigated using Supabase and API logs.
- Alerting on auth failure spikes, elevated 5xx rates, and Plaid integration errors is planned as the program matures.
This policy reflects current operational practices. Automated real-time alerting and centralized SIEM are roadmap items, not yet deployed.
5. Log Retention
- Netlify function logs are retained according to Netlify platform retention limits for the active plan.
- Supabase provider logs and audit trails are retained per Supabase configuration and plan terms.
- Log exports for incident investigation are retained only as long as needed for remediation and compliance.
6. Access to Logs
- Production log access is limited to authorized engineering and operations personnel.
- Access follows least-privilege principles defined in the Access Control Policy (EZB-ACM-001).
- Log access for troubleshooting is purpose-bound and not used for unrelated data browsing.
7. Audit Trail Expectations
- Material configuration changes are tracked through version control (Git) with commit history.
- Database access for application data is mediated through authenticated APIs and row-level security policies.
- Privileged administrative actions on infrastructure providers require authorized accounts on those platforms.
8. Review Cadence
- This policy is reviewed at least annually and after material architecture or incident changes.
- Logging coverage gaps identified during reviews or incidents are documented and remediated.
9. Related Documents
- Information Security and Governance Policy (EZB-ISG-001)
- Access Control Policy (EZB-ACM-001)
- Data Retention and Deletion Policy (EZB-RET-001)
10. Approval
Approved By: Deseo Developers LLC — Authorized Representative
Date: July 9, 2026
Contact: contact@deseodevelopers.com