Design a System for Data Auditing

To design a robust auditing system for sensitive data, I would first clarify that every read, write, and modification must be captured with a timestamp, user ID, and the before/after state. The core challenge is immutability. I propose an append-only ledger where each new log entry contains a cryptographic hash of the previous entry, creating a linked chain. If an attacker modifies a historical record, the subsequent hashes will no longer match, instantly flagging tampering. For storage, we should use a distributed object store like S3 with versioning enabled, ensuring even deleted entries are recoverable. To maintain performance during high-throughput writes typical in Salesforce environments, the logging mechanism should be asynchronous; the main application thread writes to a local buffer and flushes to the audit service via a message queue like Kafka. This decouples the critical path from the heavy I/O of logging. We must also enforce strict RBAC so only authorized compliance officers can view raw logs, while all other users see only aggregated metrics. Finally, we implement a daily integrity verification job that recalculates the Merkle tree root of the entire log set to ensure global consistency. This approach ensures we meet strict compliance standards while maintaining system availability.