Databus Logo
Blog Login →
The Immutable Forensic Trail for School Trusts & Auditors

A mark changed. A fee was adjusted. "Who did that, and when?" — and a record that can actually answer.

This is the change-history layer — an immutable, tamper-evident trail of every record-changing action across SchoolDeck, capturing who did what and when, aligned to the DPDP Act 2023. The record an auditor or inspector asks for, that can't be quietly rewritten.

For administrators, trustees & auditors · who-did-what-when · append-only & tamper-evident · records what users did (permissions are role-based-access; live numbers are analytics).

See a real log extract →
In plain English

Audit logs keep the immutable, tamper-evident forensic trail of every record-changing action across SchoolDeck — who did what, and when — aligned to the DPDP Act 2023. It's the record a school produces when a Trust auditor or CBSE inspector asks how a fee, mark or record came to be what it is: a history that can be read but not quietly rewritten. It owns the change history specifically. It is not the permission system — role-based access owns who-can-see-and-do-what; this records what they actually did. And it's not the live numbers — the current fee-collection rate, attendance and result trends are the analytics & reporting solution, which reads the live state and defers the change trail to this page.

Who · what · when
every record-changing
action, every module
Append-only
tamper-evident —
not quietly editable
DPDP Act 2023
aligned forensic trail,
phased to 2027
Inspection-ready
for Trust audits +
CBSE inspections
A real query · K-12 school · "what happened to this mark?"

The log an auditor actually reads — and the two questions it deliberately doesn't answer.

A parent queries a changed mark. Instead of an argument, Mrs Bhattacharya opens the trail and searches the record. Here's the kind of forensic extract it returns — who, when, and what changed from and to.

Audit trail · record search · append-only · tamper-evident Who did what, when
WhenWho (actor)ModuleAction — from → to
Term-2, day 14Class teacherExaminationsmark entered: A → B
Term-2, day 15HODExaminationsmark corrected: B → A (re-totalling)
Term-2, day 20AccountantFeesconcession applied: 0 → sibling 10%
Term-2, day 22Front officeAdmissionsrecord edited: phone updated
Term-2, day 28CustodianInventoryasset marked: in-use → disposed
The mark wasn't tampered with — it was a re-totalling correction by the HOD, and the trail shows exactly that, with the actor and the day. The trail answers what was done. It deliberately does not answer the other two questions: whether that person was permitted to do it (that's role-based access) or what the current result trend is (that's analytics). Three questions, three pages.
Where "who changed this?" goes unanswered

Four ways a school can't account for its own records.

The mark changed, nobody knows who

A parent queries a grade, it has clearly been altered, and there's no record of who changed it or when — so it becomes one person's word against another rather than a fact anyone can check.

The auditor asks, the school guesses

A Trust auditor asks how a fee figure came to be, and the school reconstructs the story from memory and scattered notes — exactly the kind of answer an auditor cannot rely on.

A log you can quietly edit isn't a log

An "audit list" that any admin can open and rewrite proves nothing — if the evidence can be doctored, it stops being evidence. Without tamper-evidence, the record is decorative.

Different logs in every module

Each module keeps its own partial history in its own way, so there's no single consistent trail — and an inspection that spans fees, marks and admissions has to be assembled from incompatible pieces.

How the forensic trail works

Logged automatically, captured fully, searchable on demand.

1

Every record-changing action is logged automatically

Whenever a fee record, mark, admission entry or any other record is created, edited or deleted, the action is written to an append-only log automatically — without anyone choosing to record it — capturing the actor, the timestamp and the change, across every module.

2

The log captures before-and-after

Each entry records not just that something changed but what it changed from and to, so a mark altered from one value to another, or a fee adjusted, leaves a complete picture rather than a bare note that "something was edited."

3

The trail is tamper-evident, not quietly editable

The log is append-only and tamper-evident: it can be read and searched, but entries aren't meant to be silently rewritten, so the record itself is defensible. This is what separates a forensic trail from an ordinary editable list — its value is that it resists being doctored.

4

Search by user, record or date for an inspection

When the Trust auditor or CBSE inspector asks about a specific fee, mark or period, the relevant entries are found by searching the trail by user, record or date — producing the history of that item rather than a reconstruction from memory.

5

Read it alongside permissions and the live numbers

The trail records what was done; role-based access governs who was permitted to do it, and analytics & reporting shows the current numbers. A complete answer reads the change history here, the permissions there, and the live state on the dashboard.

The honest frame this runs inside

A record whose whole value is that it can't be quietly changed.

Append-only & tamper-evident

Actions are written to the log, not removed from it. We describe this honestly as tamper-evident — the design goal is that any attempt to alter the record is itself visible — rather than claiming the storage can never be touched under any circumstance. A log you could quietly clear would defeat its own purpose.

DPDP Act 2023 aligned

The trail is aligned to the DPDP Act 2023, implemented in phases through 2027. Keeping a record of who accessed and changed personal data — much of it about minors — is part of handling that data responsibly, and the audit trail is the mechanism that makes that accountability possible.

Reading it is access-controlled

The trail itself is access-controlled and India-hosted; who may even read it is governed by role-based access, so the forensic record doesn't become a second uncontrolled copy of the data. It records actions on data without exposing the data afresh.

Framework references: DPDP Act 2023 (forensic trail of access and change to personal data, phased to 2027). "Tamper-evident" is stated honestly — the design goal is that any change to the record is itself visible, not an absolute claim that the record can never be altered. The trail records what was done; the permission catalogue (who-can-see-and-do) is owned by the role-based-access feature, and the live operational numbers by the school-analytics-reporting solution.

Forensic trail vs permissions vs live numbers · what this page owns

The change history ≠ the permission catalogue ≠ the live numbers.
This page owns "what was done, and when"; the other two are their own pages.

SchoolDeck keeps the forensic trail, the permission system and the live dashboard as three separate pages on purpose — they answer three different questions, so each ranks for its own and none competes with the others.

This page owns

  • The immutable forensic trail — who did what, when, across every module.
  • Before-and-after capture of each record-changing action.
  • Tamper-evident, append-only design — the record resists being doctored.
  • The DPDP Act 2023 alignment of the change trail.
  • Inspection-ready search by user, record or date for audits.

This page defers to

  • The permission catalogue — who-can-see-and-do-what, the role matrix — lives in Role-Based Access. It governs who is allowed; this page records what they did.
  • The live operational numbers — current fee rate, attendance, result trends — live in Analytics & Reporting. It shows the state; this page shows the history.
  • The consolidated Trust accounts — P&L, Tally bridge, Maker-Checker — live in Finance Management. The trail records changes to financial records; finance consolidates them.
  • Cross-campus oversight for a Trust head lives in the Multi-Branch use case; the trail underpins it but doesn't own the group view.
Three times the trail earns its place

The same forensic record, three moments.

The trail is the same; the moment it matters shifts with the reader.

Trust audit

The auditor's "show me"

When the Section 12A/12AB auditor asks how a fee or asset record changed, the school searches the trail and produces the history — who, when, from and to — rather than reconstructing it. It underpins the asset register and finance records the auditor reviews.

CBSE inspection

Defensible records on demand

An inspection that spans marks, admissions and fees gets one consistent change history across modules, so the school shows a defensible record instead of stitching together separate partial logs.

Everyday dispute

"Who changed this?" — settled

A parent queries a mark, a figure looks wrong, a record changed unexpectedly — and instead of an argument, anyone authorised can look and see, factually, who made the change and when. The same trail that satisfies an auditor keeps daily record-keeping honest.

From the field

Howrah, West Bengal · CBSE school · administrator & compliance in-charge.

"I'm the administrator, which means I'm the one who faces the auditor and the inspector, and the question that used to make my stomach drop was always some version of 'who changed this, and when?' A mark that had been corrected, a fee with a concession nobody could explain — and all I had was people's memories and a few notes. Now there's a proper trail. When a parent disputed a grade last term, I searched the record and could see in seconds that the HOD had corrected it after a re-totalling, with the date — not someone quietly altering it. What I appreciate is that the team was honest with me about what it is: they call it tamper-evident, not unhackable, and that's the right word — the point is that any change to the record shows up, so it can't be doctored silently. And they were clear it's a different thing from our permissions module and from the analytics dashboard. This one answers 'what was done.' That's exactly the question I get asked."
Mrs Anuradha Bhattacharya Administrator & Compliance In-Charge · CBSE school · Shibpur, Howrah-711102, West Bengal
Immutable forensic trail · who-did-what-when across modules · before-and-after capture · tamper-evident & append-only · DPDP Act 2023 aligned · for Trust audits and CBSE inspections
Quick answers

School ERP audit logs, asked and answered.

What every administrator, trustee and auditor asks before they rely on the trail for an inspection.

What do the audit logs do?
They keep an immutable, tamper-evident forensic trail of every record-changing action across SchoolDeck — who did what, and when. Whenever a fee record, mark, admission or other entry is created, edited or deleted, the action is logged automatically with the actor, the timestamp and the before-and-after. It is the record a school produces when a Trust auditor or CBSE inspector asks how a figure came to be what it is, anchored to the DPDP Act 2023. It owns the change history; it is not the permission system and not the live numbers.
How is this different from role-based access?
They are a pair, and the distinction is deliberate. Role-based access owns the catalogue of who-can-see-and-do-what — the permission matrix that decides a class teacher may edit their own marks but not the fee ledger. Audit logs record what people actually did once they acted. One is permission, the other is history: RBAC sets who is allowed, audit logs capture what happened. Together they answer both halves of an inspector's question — "was this person permitted to do it" and "what exactly did they do, and when" — but each lives on its own page.
How is this different from analytics & reporting?
Analytics shows the live numbers — the current fee-collection rate, attendance and result trends a Principal reads each morning. Audit logs show the forensic history — who changed a number and when. The analytics dashboard answers "where do we stand now"; the audit trail answers "how did this value come to be, and who touched it". The analytics page reads the current state and defers the change history to this page; the two are different questions on different pages. One is the live state, the other is the evidential record.
What does 'tamper-evident' actually mean here?
It means the log is append-only and not designed to be silently rewritten — entries are added, not quietly edited away, so the record resists being doctored after the fact. That is the whole point of a forensic trail: its value comes from the fact that someone cannot simply change a mark and then erase the evidence that they did. We describe this honestly as tamper-evident rather than claiming it is impossible to ever alter under any circumstance; the design goal is that any change to the record is itself visible.
Which modules does it cover?
Every module where records change — fees, marks and examinations, admissions, inventory, staff records and the rest. Because the trail is platform-wide rather than bolted onto one module, an auditor or inspector gets one consistent history across the whole school rather than separate, differently-kept logs per module. The point of owning this as a single forensic layer is that the record-changing action is captured the same way wherever it happens in SchoolDeck.
How does it help with a CBSE inspection or Trust audit?
When an inspector or auditor asks how a particular fee, mark or record came to be, the school searches the trail by user, record or date and produces the history of that item — who created it, who changed it, when, and what it changed from and to. Instead of reconstructing events from memory or hoping a register is complete, the school shows a defensible record. This is why the trail is anchored to the DPDP Act 2023 and built specifically for Trust audits and CBSE inspections.
Does it relate to the DPDP Act 2023?
Yes — the forensic trail is aligned to the DPDP Act 2023, which is being implemented in phases through to 2027. Keeping a record of who accessed and changed personal data, much of it relating to minors, is part of handling that data responsibly, and the audit trail is the mechanism that makes such accountability possible. The trail itself is access-controlled and India-hosted; it records actions on data without becoming a second uncontrolled copy of the data, and access to read it is itself governed by role-based access.
Can the audit log itself be edited or deleted?
That is exactly what it is designed to resist. The log is append-only — actions are written to it, not removed from it — and reading it is governed by role-based access so that not everyone can even view it, let alone attempt to alter it. The honest framing is tamper-evident: the design goal is that any attempt to change the record is itself recorded and visible, rather than a promise that the underlying storage can never be touched. A forensic trail that could be quietly cleared would defeat its own purpose, so resisting that is the central design requirement.
Is this useful day-to-day, or only at audit time?
Both. At audit or inspection time it produces the defensible history. Day-to-day, it settles the ordinary "who changed this" questions that otherwise turn into disputes — a fee that looks wrong, a mark a parent queries, a record that changed unexpectedly. Being able to look and see, factually, who made a change and when, resolves those quickly and fairly rather than by argument. The same trail that satisfies the auditor also keeps everyday record-keeping honest, which is often the more frequent benefit.

Stop answering "who changed this?" with a guess.
Answer it with a record that can't be doctored.

We'll show you the forensic trail — who did what and when across every module, with before-and-after capture and tamper-evident, append-only design — and how it's searched for a Trust audit or CBSE inspection, on your school's actual data.

See the Audit Trail →