Skip to main content

Activity Logging & Audit Evidence

This document describes what activity Boxcurve Unity records inside your Microsoft 365 tenant, where those records are held, who can view them, and what your organisation must enable and retain. It is written for your internal audit, compliance and security teams.

Boxcurve Unity runs entirely within your own Microsoft Power Platform environment. Every record described below is stored in your tenant's Dataverse database, under your control.

Activity evidence for Boxcurve Unity sits across three layers. Keep them distinct when planning your audit approach.

  1. Microsoft platform auditing (inherited). The Dataverse audit capability provided by Microsoft Power Platform. Your administrator must explicitly enable it; Boxcurve Unity does not turn it on for you.
  2. Boxcurve Unity's own records. Change-tracking and error records the application writes as users work. These exist whether or not platform auditing is switched on.
  3. What your organisation enables and reviews. Activating Dataverse auditing, setting retention, and governing who may view, query or export activity records is your responsibility.

1. Activity the Boxcurve Unity application records itself

Boxcurve Unity includes built-in records that capture certain activity as it happens. The application creates these records and stores them in your tenant.

Change history for tasks, accountability maps and stakeholder assignments

Boxcurve Unity maintains a change history for three categories of working data:

  • the task records held in a project's accountability map,
  • the accountability-map records themselves, and
  • the stakeholder-to-map assignment records.

Whenever one of these records is created, updated or deleted, the application automatically writes a corresponding change-history entry. Each entry captures:

  • The type of change, whether the record was created, updated or deleted.
  • Who made the change, the person's display name, email address, their Microsoft Entra ID object identifier, and their user identifier.
  • The source of the change, an indicator of where the change originated.
  • A snapshot of the record's values at the time of the change. For task changes, this includes the task name, classification, category, notes, priority, risk, jurisdiction and related task details.
  • The date and time the entry was recorded.

Scope of change history

The application's built-in change history covers the task, accountability-map and stakeholder-assignment records described above. It is not a tenant-wide audit log and does not, by itself, record every action a user can take in the application. For comprehensive change tracking across all Boxcurve Unity data, enable Dataverse platform auditing (Section 2) in addition to the built-in change history.

Error records

Boxcurve Unity records application errors in a dedicated Error Log. When a process or operation fails, an error record may be created capturing details such as an error message, an error code, the component and application area involved, the environment, contextual information, and the email address of the affected user, together with the date and time. These records support troubleshooting of the application.

Task closure timestamps and comments

In addition to the change history, the application records:

  • When a task is closed, a closed-on date and time is set on a task when it is marked as closed.
  • Comments on tasks, each comment captures the comment text, the task it relates to, and the identity of the author as recorded at the time of the comment (name, email and Microsoft Entra ID identifier).

Where these records are held and who can view them

All of the records above are stored in your tenant's Dataverse database.

Boxcurve Unity includes an in-application Error Logs view on its Administration Dashboard. As delivered, this view is presented only to Boxcurve's own support staff, identified by the sign-in email domain of their account. It is not surfaced to your standard administrator or end-user roles within the application interface. The same view provides a function to clear the stored error records.

Change history is captured into Dataverse tables in your tenant as records are created, updated and deleted. Each change-history entry records the type of change, who made it, the date and time it was recorded, and the previous and current values. Boxcurve Unity does not present a dedicated end-user screen for browsing this change history; your administrators access the change-history records directly through the data in your environment, subject to your Dataverse permissions.

Customer access to the underlying records

Because the in-application Error Logs view is restricted to Boxcurve support staff, your audit and compliance teams should plan to obtain change and error evidence from the underlying Dataverse records and from Dataverse platform auditing (Section 2), rather than from an in-application screen. How your administrators query and present Dataverse data is a Power Platform function. See Microsoft's documentation: https://learn.microsoft.com/power-apps/maker/data-platform/data-platform-intro

2. Dataverse platform auditing (you must enable it)

Separately from the application's own records, Microsoft Power Platform provides a Dataverse audit capability that can record create, update and delete operations, and optionally record access, across the tables in your environment. This is platform functionality, not a Boxcurve Unity feature.

Boxcurve Unity does not enable Dataverse auditing for you. As delivered, environment- and table-level Dataverse auditing is not switched on for the Boxcurve Unity tables. If your organisation requires a tamper-evident, platform-managed audit trail of changes to Boxcurve Unity data, your Power Platform administrator must enable Dataverse auditing.

Enabling, configuring and operating Dataverse auditing is a Microsoft Power Platform administration task. For how the platform performs auditing, refer to Microsoft's official guidance:

Enabling Dataverse auditing requires settings at three levels

Dataverse auditing is controlled at the environment, the individual table, and the individual columns. Boxcurve Unity ships with audit settings defined on a number of columns, but the environment- and table-level switches that activate auditing are not turned on in the delivered solution. All required levels must be enabled for an audit trail to be produced. Follow Microsoft's guidance above to configure them.

What Dataverse auditing captures

What a Dataverse audit trail records, the operations captured, the change values, retention behaviour and how it is viewed or exported, is determined by the Power Platform and your configuration, not by Boxcurve Unity. Refer to the Microsoft documentation linked above for the authoritative description.

3. Exporting activity records for an audit

Boxcurve Unity does not include a dedicated feature for exporting its change-history or error records as an audit package. Where activity evidence must be exported, it is obtained from the platform:

Boxcurve Unity does include a feature to export task data to a file for operational purposes. That is a task-management capability, not an audit-evidence export, and is covered in the application's feature documentation rather than here.

4. Your responsibilities

To establish a complete and durable audit trail for Boxcurve Unity, your organisation is responsible for the following.

  • Enable Dataverse auditing. The built-in change history covers tasks, accountability maps and stakeholder assignments only. For comprehensive, platform-managed change tracking across all Boxcurve Unity data, your Power Platform administrator must enable Dataverse auditing at the environment, table and column levels. It is not enabled in the delivered solution.
  • Define and apply a retention policy. Boxcurve Unity does not define a retention period for its change-history or error records, and Dataverse audit retention is a platform setting you control. Determine how long activity evidence must be kept to meet your compliance obligations and configure retention accordingly. See Microsoft's guidance: https://learn.microsoft.com/power-platform/admin/manage-dataverse-auditing
  • Control deletion of records. The application provides a function to clear the stored error records, and it removes change-history entries as part of normal create, update and delete processing of the tracked records. If your evidence requirements demand that change and error records be preserved, rely on Dataverse platform auditing, which is managed independently of the application's own records, and govern who holds the application's administrative permissions.
  • Govern access to the records. Decide which roles in your organisation may view, query or export activity records, and apply your Dataverse and application security roles accordingly.

Tamper protection

Boxcurve Unity does not provide a tamper-protection or immutability guarantee for its own change-history or error records. Where a tamper-evident trail is required, use Dataverse platform auditing, whose protections are described in Microsoft's documentation: https://learn.microsoft.com/power-platform/admin/manage-dataverse-auditing