Audit Logs & Compliance
Every Polyguard help desk verification creates a tamper-proof record. This page explains where to find those records, what they contain, and how to use them for compliance, incident investigation, and audit reporting.
Where to Find Verification Records
Polyguard provides verification records through three channels. Use whichever best fits your workflow.
Polyguard Console
The quickest way to review verification history is through the web console.
- Log in to console.polyguard.ai.
- Navigate to Activity in the left sidebar.
- Use the filters to narrow results by date range, Link name, verification status, or employee name.
- Click any record to view its full details.
REST API
For programmatic access, the Polyguard REST API provides endpoints to query and retrieve verification records.
- List sessions -- Retrieve all trust check sessions for a given Link, with filtering by date, status, and metadata.
- Get session detail -- Retrieve the full record for a specific session, including all proofs, device attestation, and event log.
- Download affidavit -- Retrieve the cryptographically signed transaction affidavit for a completed verification.
API documentation
Full API reference is available at dev.polyguard.ai. Authentication requires an API key, which you can generate in the Console under Settings > API Keys.
Webhook Event Logs
If you configured webhooks during setup (see Setting Up Polyguard for Help Desk), every verification event is delivered to your endpoint in real time. These webhook payloads can be ingested into your SIEM, ticketing system, or security data lake for centralized logging.
What Each Record Contains
Every help desk verification record includes the following information:
| Field | Description |
|---|---|
| Session ID | A unique identifier for this verification session |
| Link name | The help desk Link used (e.g., "Password Reset Verification") |
| Employee identity | Verified name from the employee's identity credential |
| Proofs completed | Which identity proofs were satisfied (e.g., Face Biometric, Device Identity) |
| Device attestation | Whether the employee's device passed hardware integrity checks |
| Geographic location | State and country at the time of verification (if Geographic Location was required) |
| Status | Final status: Verified, Failed, or Expired |
| Timestamp | When the verification was initiated and when it was completed |
| Agent reference | Any metadata attached by the agent (e.g., ticket number, agent name) |
| Event log | A chronological list of every step in the verification process |
Transaction Affidavit
For completed verifications, Polyguard generates a transaction affidavit -- a cryptographically signed, non-repudiable record of the verification. This affidavit:
- Is signed using Polyguard's public key infrastructure (PKI)
- Cannot be altered after generation
- Can be independently verified by any party with access to Polyguard's public keys
- Serves as litigation-ready evidence that identity verification took place
You can download affidavits from the Console (click Download Affidavit on any completed record) or retrieve them via the REST API.
Correlating Records with Help Desk Tickets
To connect a Polyguard verification record with the help desk ticket that triggered it, use one or both of the following approaches:
Using Agent Metadata
When an agent sends a trust check link, they can include a reference note (such as the ticket number). This metadata is stored in the verification record and can be searched in the Console or queried via the API.
For example, if an agent includes INC0012345 as the reference when sending a verification, you can later search the Activity log for that string to find the corresponding record.
Using Webhook-Based Ticket Updates
If your ticketing system integration or webhook is configured to receive verification events, the Polyguard session ID and status can be automatically written back to the ticket. This creates a two-way link:
- From the ticket -- View the Polyguard session ID and verification outcome
- From the Polyguard record -- View the ticket reference in the agent metadata
Consistent ticket references
Establish a standard practice with your help desk team: always include the ticket number when sending a Polyguard trust check. This makes it straightforward to correlate records during audits or investigations.
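The correlation described above can be run as an audit check that flags credential resets lacking a matching verification. This is an added example, not Polyguard code: the field names (`session_id`, `status`, `agent_reference`, `completed_at`), the ticket export format, the `INC` number pattern, and the one-hour window are assumptions, and all sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. Field names are hypothetical, modeled on the record
# fields listed on this page; they are not Polyguard's actual API schema.
SESSIONS = [
    {"session_id": "s-001", "status": "Verified", "agent_reference": "INC0012345 / jdoe", "completed_at": "2025-03-01T10:04:00+00:00"},
    {"session_id": "s-002", "status": "Expired", "agent_reference": "ticket inc0012346", "completed_at": "2025-03-01T11:30:00+00:00"},
    {"session_id": "s-003", "status": "Verified", "agent_reference": "", "completed_at": "2025-03-01T12:00:00+00:00"},
    {"session_id": "s-004", "status": "Verified", "agent_reference": "INC0012348", "completed_at": "2025-03-01T15:00:00+00:00"},
]
# Constructed ticket export: credential resets and when each was performed.
TICKETS = [
    {"ticket": "INC0012345", "reset_at": "2025-03-01T10:10:00+00:00"},
    {"ticket": "INC0012346", "reset_at": "2025-03-01T11:45:00+00:00"},
    {"ticket": "INC0012347", "reset_at": "2025-03-01T13:00:00+00:00"},
    {"ticket": "INC0012348", "reset_at": "2025-03-01T14:00:00+00:00"},
]
TICKET_RE = re.compile(r"\bINC\d{7}\b", re.IGNORECASE)  # assumed ticket format
MAX_AGE = timedelta(hours=1)  # assumed policy: reset within 1h after verification

def audit(sessions, tickets):
    """Return ({ticket: finding}, [session ids carrying no ticket reference])."""
    by_ticket, orphans = {}, []
    # Index sessions by every ticket number found in the free-text agent note.
    for s in sessions:
        refs = {m.upper() for m in TICKET_RE.findall(s["agent_reference"])}
        if not refs:
            orphans.append(s["session_id"])
        for ref in refs:
            by_ticket.setdefault(ref, []).append(s)
    findings = {}
    for t in tickets:
        reset = datetime.fromisoformat(t["reset_at"])
        linked = by_ticket.get(t["ticket"], [])
        verified = [s for s in linked if s["status"] == "Verified"]
        if not linked:
            findings[t["ticket"]] = "no_verification_record"
        elif not verified:
            findings[t["ticket"]] = "verification_not_passed"
        # A reset that precedes the verification, or follows it too late, is flagged.
        elif not any(timedelta(0) <= reset - datetime.fromisoformat(s["completed_at"]) <= MAX_AGE
                     for s in verified):
            findings[t["ticket"]] = "reset_outside_verification_window"
        else:
            findings[t["ticket"]] = "ok"
    return findings, orphans
```

Sessions returned in the second list have no ticket reference and cannot be correlated at all, which is the gap the consistent-reference practice above is meant to close.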
Compliance and Regulatory Considerations
Polyguard's help desk verification records are designed to support a range of compliance and regulatory requirements.
What Polyguard Records Demonstrate
- Who requested a credential change (verified identity, not just a claimed name)
- When the verification occurred (precise timestamps)
- How the identity was verified (which proofs were completed, device attestation status)
- What the outcome was (verified, failed, or expired)
- Where the employee was located at the time of verification (administrative region level)
Relevant Frameworks
Polyguard help desk verification can support compliance with:
| Framework | How Polyguard Helps |
|---|---|
| SOC 2 (Trust Services Criteria) | Provides evidence of identity verification controls for access management |
| ISO 27001 | Supports access control (A.9) and operations security (A.12) requirements |
| NIST 800-63 | Aligns with identity proofing and authentication assurance levels |
| PCI DSS | Supports strong authentication requirements for access to cardholder data environments |
| HIPAA | Provides verifiable identity confirmation for access to systems containing protected health information |
| SOX (Sarbanes-Oxley) | Creates auditable records of identity verification for access to financial systems |
Consult your compliance team
The information above is provided for general guidance. Work with your organization's compliance and legal teams to determine how Polyguard verification records fit into your specific regulatory obligations and audit processes.
Data Retention
Polyguard retains verification records for the duration specified in your organization's service agreement. Default retention periods are:
- Verification session records -- Available for at least two years from the date of the verification
- Transaction affidavits -- Available for at least two years from the date of generation
- Webhook delivery logs -- Available for 90 days from the date of delivery
If your organization requires longer retention, you can export records via the REST API and store them in your own systems.
Employee biometric data is not retained by Polyguard
Polyguard does not store employee biometric data, facial scans, or identity document images on its servers. All biometric data remains on the employee's device. Verification records contain only the redacted proofs and attestation results -- never the underlying personal data.
What's Next?
- MFA & Password Reset Verification -- The agent's step-by-step verification workflow
- Setting Up Polyguard for Help Desk -- Revisit configuration and integration setup
- Return to the Help Desk & Password Reset Overview