Skip to main content

Audit log, backups and GDPR

The compliance surface for administrators: what happened in your organisation, whether your data is being backed up, and how to exercise the organisation's right to export or delete its data.

The audit log

Admin -- Audit log shows every recorded event in the organisation. Reading it requires the Administrator tier (T7) or above.

Three event streams are merged into one view:

  • Sign-ins and identity -- account and membership lifecycle events.
  • Data access -- dataset runs, dashboard views, dashboard exports and card data fetches: who touched which data, when.
  • Governance -- administrative changes: certifications and reviews, sensitive flags, access-list grants and revocations, role changes, alert rule changes, view-as sessions, export and deletion requests.

You can filter by stream, by actor, by action, and by date range; events are shown most recent first. Audit events outlive the content they describe -- deleting a dashboard does not erase the record that it was viewed or exported.

Backups

Admin -- Backups answers the question an administrator actually has: is my data being backed up, and when was the last one? Reading it requires the Administrator tier (T7) or above.

The page is read-only. It shows whether encrypted backups are configured for your organisation, the most recent snapshots with their timestamps and sizes, and the retention period. Restores are handled by Flynt support rather than from this page -- contact support if you need one.

If backups have not been configured for your environment, the page says so plainly rather than showing an empty history.

GDPR: exporting your organisation's data

An Administrator (T7+) can download a complete export of the organisation's data from Admin -- Data export & deletion. The export is a ZIP archive containing the organisation's datasets, cards, dashboards, connection records and audit history as JSON files, plus a manifest describing what was included.

Encrypted connector credentials are excluded by design -- they are integration secrets, not your data. The export itself is recorded in the audit log.

GDPR: deleting your organisation

Deletion is a two-step lifecycle with a safety margin:

  1. An Administrator (T7+) requests deletion from Admin -- Data export & deletion. This starts a 30-day grace period; the page shows the date after which deletion becomes final.
  2. After the grace period, the organisation's data is irreversibly removed.

During the grace period the organisation keeps working normally, and any Administrator can cancel the request from the same page -- cancelling restores the normal state with nothing lost. Only one deletion request can be pending at a time, and the request, and any cancellation, are recorded in the audit log.

If you want a copy of your data, run the export before the grace period ends -- after hard deletion there is nothing left to export.