Logging & Monitoring Policy
Version 1.0 | Effective: February 24, 2026 | Confidential
1. Purpose
This policy defines the logging, monitoring, and alerting requirements for Monaro's production infrastructure and application systems. The purpose is to ensure that all material events affecting user data, system security, and application availability are captured, retained, and monitored for timely detection and response.
2. Scope
This policy applies to: Supabase Cloud (PostgreSQL, auth, Edge Functions, storage), Vercel (frontend hosting, serverless functions), third-party API integrations (Razorpay, Claude API), and all devices with administrative access to production systems.
3. What We Log
Application-Level
- Authentication events: login attempts, password resets, session lifecycle
- Transaction import operations: SMS scan events, CSV import events, manual entries
- Data access events: API requests to sensitive endpoints, AI Copilot interactions (query count, not content)
- Administrative actions: account deletions, subscription changes, data exports
- Error events: application errors, API failures, rate limit hits
Infrastructure-Level
- Supabase: PostgreSQL query logs, auth logs, Edge Function execution, RLS violations
- Vercel: Deployment logs, serverless invocation logs, HTTP request logs
- Razorpay: Payment event logs, webhook delivery, subscription lifecycle
4. Monitoring & Alerting
- Sentry: Real-time error tracking. Alerts for new exceptions, error spikes (>10/min), critical function failures
- PostHog: Privacy-first product analytics. No third-party data sharing
- Supabase Dashboard: Database health, connection pool, query performance, storage
- Vercel Dashboard: Deployment status, function performance, bandwidth
Security Alerts
- Multiple failed auth attempts from single IP (>10 in 5 minutes)
- Webhook signature validation failures (Razorpay)
- Row Level Security violations
- Unusual API usage patterns
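The following is an added example, not Monaro's own code, showing how the first security alert above (more than 10 failed auth attempts from a single IP in 5 minutes) can be evaluated directly in Supabase PostgreSQL, where the policy says authentication logs are kept. The auth_events table, its columns and the sample rows are assumed; the second query generalizes the rule to a sliding window so the same threshold can be applied retrospectively over retained logs.

```sql
-- Added example, not Monaro's own code: the "more than 10 failed login
-- attempts from one IP in 5 minutes" alert as Postgres queries.
-- The auth_events table and its columns are assumed names.
CREATE TABLE IF NOT EXISTS auth_events (
    id         bigserial   PRIMARY KEY,
    event_type text        NOT NULL,          -- 'login', 'password_reset', ...
    success    boolean     NOT NULL,
    ip         inet        NOT NULL,
    user_id    uuid,                          -- NULL when the attempt named no known user
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Partial index so the scheduled alert query stays cheap as the table grows.
CREATE INDEX IF NOT EXISTS auth_events_failed_ip_time_idx
    ON auth_events (ip, created_at)
    WHERE success = false;

-- Constructed sample data: 12 failures from 203.0.113.7 within two minutes,
-- 3 failures from 198.51.100.9 (below threshold), and one success.
INSERT INTO auth_events (event_type, success, ip, created_at)
SELECT 'login', false, '203.0.113.7', now() - (n * interval '10 seconds')
FROM   generate_series(1, 12) AS n;
INSERT INTO auth_events (event_type, success, ip, created_at)
SELECT 'login', false, '198.51.100.9', now() - (n * interval '30 seconds')
FROM   generate_series(1, 3) AS n;
INSERT INTO auth_events (event_type, success, ip) VALUES ('login', true, '203.0.113.7');

-- 1) Scheduled check over the trailing 5-minute window (e.g. run from pg_cron
--    or the alerting job). Every row returned is an alert; with the sample
--    data that is 203.0.113.7 with 12 failures.
SELECT ip,
       count(*)        AS failed_attempts,
       min(created_at) AS first_failure,
       max(created_at) AS last_failure
FROM   auth_events
WHERE  event_type = 'login'
  AND  success = false
  AND  created_at >= now() - interval '5 minutes'
GROUP  BY ip
HAVING count(*) > 10;

-- 2) Retrospective version for investigations over retained auth logs:
--    a sliding 5-minute window per IP, so bursts that began and ended
--    between two scheduled checks are still found (PostgreSQL 11+).
WITH windowed AS (
    SELECT ip, created_at,
           count(*) OVER (
               PARTITION BY ip
               ORDER BY created_at
               RANGE BETWEEN interval '5 minutes' PRECEDING AND CURRENT ROW
           ) AS failures_in_window
    FROM   auth_events
    WHERE  event_type = 'login' AND success = false
)
SELECT ip,
       min(created_at)          AS first_exceeded_at,
       max(failures_in_window)  AS peak_failures
FROM   windowed
WHERE  failures_in_window > 10
GROUP  BY ip;
```

The scheduled query answers "is any IP over the threshold right now"; the windowed query answers "was any IP ever over it in this data", which is the question an incident responder asks when working through retained logs after the fact. Both count only failed login events so that a legitimate user's eventual success does not mask an earlier burst from the same address.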
5. Alert Severity Levels
| Severity | Response Time | Examples |
|---|---|---|
| Critical | < 1 hour | Data breach indicators, total outage, payment failure |
| High | < 4 hours | Bank sync pipeline failure, auth errors, API failures |
| Medium | < 24 hours | Error rate increase, performance degradation |
| Low | Next review cycle | Minor errors, non-critical warnings |
6. Log Retention
| Log Type | Retention | Storage |
|---|---|---|
| Application audit logs | 2 years | Supabase PostgreSQL |
| Authentication logs | 1 year | Supabase Auth |
| Transaction import logs | 1 year | Supabase PostgreSQL |
| Error tracking logs | 90 days | Sentry |
| Deployment/function logs | 30 days | Vercel |
| Product analytics events | 1 year | PostHog |
| Payment event logs | 7 years | Razorpay (provider) |
Logs containing PII are subject to deletion requests under GDPR. Associated entries are anonymized or deleted within 30 days of a valid request.
7. Log Protection
- AES-256 encryption at rest via Supabase managed PostgreSQL
- TLS 1.3 for all data in transit
- Row Level Security on audit log tables
- Append-only audit logs (no modification via application layer)
- MFA-protected administrator dashboard access
- Log data never exposed through public API endpoints
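The following is an added example, not Monaro's own migration, showing how the "Row Level Security on audit log tables" and "append-only audit logs" items above can be enforced in Supabase PostgreSQL while still leaving a path for the 30-day GDPR anonymization described in section 6. The audit_log table, its columns and the app.audit_erasure_job setting are assumed names; auth.uid() and the anon, authenticated and service_role roles are Supabase built-ins.

```sql
-- Added example, not Monaro's own migration: an audit log table that is
-- append-only for the application layer and protected by Row Level Security.
-- Table, column and setting names are assumed; auth.uid() and the roles
-- anon / authenticated / service_role are Supabase's.
CREATE TABLE IF NOT EXISTS audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid        NOT NULL DEFAULT auth.uid(),
    action      text        NOT NULL,            -- e.g. 'account.delete', 'data.export'
    target      text,                            -- what was acted on
    details     jsonb       NOT NULL DEFAULT '{}'::jsonb
);

ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;

-- Layer 1: privileges. The API roles may only add and read rows.
REVOKE ALL ON audit_log FROM anon, authenticated;
GRANT  INSERT, SELECT ON audit_log TO authenticated;
GRANT  USAGE, SELECT ON SEQUENCE audit_log_id_seq TO authenticated;

-- Layer 2: RLS. A user writes rows only as themselves and reads only their
-- own. No UPDATE or DELETE policy exists, so those statements match no rows
-- for the API roles even if a privilege grant is ever added by mistake.
CREATE POLICY audit_log_insert_own ON audit_log
    FOR INSERT TO authenticated
    WITH CHECK (actor_id = auth.uid());

CREATE POLICY audit_log_select_own ON audit_log
    FOR SELECT TO authenticated
    USING (actor_id = auth.uid());

-- Layer 3: a statement-level trigger that rejects UPDATE/DELETE/TRUNCATE for
-- every role, including service_role and the table owner, which bypass RLS.
-- The one exception is a transaction that has declared itself the GDPR
-- erasure job via a session setting, so anonymization remains possible.
CREATE OR REPLACE FUNCTION audit_log_block_changes()
RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF coalesce(current_setting('app.audit_erasure_job', true), 'off') = 'on' THEN
        RETURN NULL;   -- return value is ignored for statement-level triggers
    END IF;
    RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_changes
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_block_changes();

-- Smoke test with constructed values. The insert succeeds; the plain update
-- fails with SQLSTATE 42501; the erasure job anonymizes instead of deleting.
INSERT INTO audit_log (actor_id, action, target)
VALUES ('00000000-0000-0000-0000-000000000001', 'data.export', 'user:self');

UPDATE audit_log SET action = 'tampered';  -- ERROR: audit_log is append-only: UPDATE rejected

BEGIN;
SET LOCAL app.audit_erasure_job = 'on';    -- scoped to this transaction only
UPDATE audit_log
SET    actor_id = '00000000-0000-0000-0000-000000000000',
       details  = '{}'::jsonb
WHERE  actor_id = '00000000-0000-0000-0000-000000000001';
COMMIT;
```

The three layers fail independently: revoking privileges stops the API roles outright, RLS stops them again if a grant slips through, and the trigger is the only control that also binds service_role and the table owner, which PostgreSQL exempts from RLS. Because the erasure exception is a transaction-scoped setting rather than a separate role, the job that honours deletion requests can be audited by logging every transaction that sets it.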
8. Incident Response
- Alert received via configured channel
- Initial assessment within severity response time
- If confirmed: isolate affected systems, document incident
- Root cause analysis using cross-system logs
- Remediation implemented and verified
- Post-incident report with findings and preventive measures
- If user data affected: notify users and authorities per data protection laws
9. Contact
Policy questions: arthi@nivo.run
Approved by: Arthi, App Developer, Monaro — February 24, 2026