Immutable audit logs for a fintech
A fintech platform needed to keep its audit logs tamper-proof to meet DORA and NIS2. It solved this with OtterStorage: Object Lock over the records, bucket-level Legal Hold and data sovereignty in the EU, all governed from the console.
For a financial institution, audit logs are not just another file: they are the proof of what happened, when, and who did it. European regulation requires that this evidence be preserved intact for years and that not even an administrator with every credential can alter it. Here's how an anonymous fintech platform met that requirement with OtterStorage.
The challenge
The platform generates a continuous stream of audit logs: transaction traces, access events, configuration changes and logs from its critical systems. The compliance team had to guarantee three things at once:
- Unalterability. Neither an attacker with valid credentials nor a human error could delete or overwrite a record once written. Real immutability, not a configuration promise.
- Alignment with DORA and NIS2. The Digital Operational Resilience Act (DORA) and the NIS2 directive require keeping traces intact and demonstrable, with the ability to freeze evidence in the face of a legal request or an investigation.
- Data sovereignty. The records had to remain within EU territory, without depending on third-country jurisdictions, and with clear control over who can touch what.
Their copies lived on standard storage, with no mechanism to prevent deletion, and building and maintaining immutability by hand (object-by-object policies) was fragile and hard to audit.
The solution with OtterStorage
The team created dedicated buckets for the records subject to legal requests and pointed them to the standard S3 endpoint https://es-mad-1.s3.otterstorage.io in the EU-MAD (Madrid) region, thus keeping all the evidence within the EU. Ingestion is done with S3-compatible tools they already used, with no custom development.
1. Per-bucket isolation with dedicated keys
Each audit bucket has its own access key and secret key pair, isolated from the rest of the organization. The systems that write logs only know the credentials for their bucket, so a compromise elsewhere in the platform cannot reach the evidence. The setup follows the access keys guide and the bucket creation guide.
2. Object Lock in WORM mode
The buckets are created with Object Lock enabled (OtterVault) over versioning, so each record is written in WORM (write once, read many) mode. The mode applied depends on the level of strictness required:
- Governance, when you need firm retention that a role with special privileges can manage in a controlled way.
- Compliance, for the most sensitive evidence: during the retention period no one, not even the account administrator, can shorten the retention or delete or overwrite the object.
With this, once a record is written, the version is fixed until its retention period expires. The detail of modes and behavior is in the Object Lock documentation.
3. Bucket-level Legal Hold
On top of Object Lock, in the face of a legal request or an audit, the team activates Legal Hold on the entire bucket with a single switch from the console. While Legal Hold is active, OtterStorage freezes the whole bucket: no one can delete or overwrite a record, or change the bucket's policy, not even the account administrator, and the lock applies equally to all access keys. Reads and downloads keep working normally, so auditors and investigators access the evidence without being able to alter it. It's reversible: when the request is closed, it's deactivated from the console. The details are in the Legal Hold guide.
Since OtterStorage does not charge for requests or for deletes, neither the continuous ingestion of logs nor the operations denied by the lock add any cost: the bill depends only on the TB retained.
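The lock rules from steps 2 and 3, written out as a small decision model. This is an added example, not OtterStorage code: the `Record` type, the operation names, the `governance_bypass` flag and the sample dates are assumptions made for illustration, and the order of checks follows the description above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Record:
    mode: Optional[str]                # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime]   # end of the retention period

def decide(op, record, now, *, legal_hold=False, governance_bypass=False):
    """Return (allowed, reason). There is deliberately no 'is_admin' input:
    per the text, administrator credentials do not lift either lock."""
    if op == "read":
        return True, "reads and downloads always work"
    if legal_hold:  # bucket-wide, checked first, same for every access key
        return False, "bucket is under Legal Hold"
    if op == "change_policy":
        return True, "no Legal Hold on the bucket"
    if op not in ("delete", "overwrite", "shorten_retention"):
        return False, "unknown operation"  # fail closed
    active = (record.mode is not None and record.retain_until is not None
              and now < record.retain_until)
    if not active:
        return True, "no active retention on this version"
    if record.mode == "GOVERNANCE" and governance_bypass:
        return True, "Governance retention managed by the privileged role"
    return False, f"{record.mode} retention active until {record.retain_until:%Y-%m-%d}"

# Constructed sample data (not from the case study).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
COMPLIANCE = Record("COMPLIANCE", datetime(2030, 1, 1, tzinfo=timezone.utc))
GOVERNANCE = Record("GOVERNANCE", datetime(2026, 1, 1, tzinfo=timezone.utc))
EXPIRED = Record("COMPLIANCE", datetime(2024, 1, 1, tzinfo=timezone.utc))

def demo():
    cases = [
        ("delete", COMPLIANCE, {}),
        ("shorten_retention", COMPLIANCE, {"governance_bypass": True}),
        ("delete", GOVERNANCE, {}),
        ("delete", GOVERNANCE, {"governance_bypass": True}),
        ("delete", EXPIRED, {}),
        ("delete", EXPIRED, {"legal_hold": True}),
        ("change_policy", EXPIRED, {"legal_hold": True}),
        ("read", COMPLIANCE, {"legal_hold": True}),
    ]
    return [decide(op, rec, NOW, **kw)[0] for op, rec, kw in cases]

if __name__ == "__main__":
    print(demo())
```

The sixth case is the one that matters during an investigation: a record whose retention has already expired still cannot be deleted while the bucket is under Legal Hold.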
Results
- Real WORM: with Object Lock in Compliance mode, no record can be modified or deleted during its retention, not even with administrator credentials.
- Bucket-level Legal Hold: freezing all the evidence in the face of a legal request is one click in the console, and it blocks deletes, overwrites and policy changes for all keys at once.
- Alignment with DORA and NIS2: intact preservation and the ability to freeze evidence cover the traceability and preservation requirements of both regulations.
- EU sovereignty: the buckets live in EU-MAD (Madrid), with the evidence always within the European Union.
- Predictable cost: with no charges for requests or for deletes, spending is calculated per TB in advance, with clear rates in pricing.
The result is a digital chain of custody that is simple to operate and to audit: the evidence is written once, preserved intact in the EU and frozen on demand, with no in-house infrastructure to maintain.