Compliance records
The audit posture, on the record.
What we keep, how long for, how we prove the chain is unbroken, and how we hand it to a regulator. The platform's compliance spine is published — not assumed — so the firms that bet on us can answer the next IAA, OMARA, ASIC, ATO, or IRD audit from a single export.
Ten ledgers. One spine.
Every action the platform takes lands in one of these ten append-only ledgers. Together they cover the full obligation surface for a NZ or AU professional services firm.
AuditLog — every action, every record
Every CRUD on every record, plus logins, exports, sign-offs, consents, and regulator submissions. Append-only — no UPDATE, no DELETE. Each row hashes the prior row's hash, so the chain is tamper-evident even if the database itself is compromised.
DocumentVersion — supersede, never delete
Every document revision is preserved with a sha256 content hash. Three years on, a regulator can ask for the v3 that the partner relied on, and we return the exact bytes with a hash that proves it.
CommunicationRecord — file notes are not optional
Email, SMS, voice call, portal message, letter, in-person note. IAA Standard 26 (NZ) and OMARA Code Pt 6 (AU) require contemporaneous file notes. The platform writes the file note as a by-product of the work — there is no second job.
RegulatorFiling — every lodgement, with a receipt
Every filing to IR, IRD, ATO, ASIC, AFSA, AUSTRAC, FIU, INZ, Home Affairs, USCIS, CRA, HMRC. Payload hashed, regulator reference captured, response stored. "Did we lodge that?" answered in seconds, not days.
AccessGrant — who could see what, when
Every permission grant, revoke, role change, and impersonation. Privacy-regulator inquiries about "who could see this client's data on Date X" answered from the ledger, not from anyone's memory.
PrivacyBreachIncident — the register that has to exist
NZ Privacy Act 2020 s114 — notify within 72 hours of awareness where serious harm is likely. AU NDB scheme — assess within 30 days, notify if eligible. GDPR Art 33 — 72 hours to the supervisory authority. The register tracks the clock, the assessment, the notification, the remediation.
ComplaintRecord — IAA, OMARA, NZLS, TPB, ARITA
Every regulator that issues a code of conduct expects a complaint register. One ledger, every forum, every status, every external reference number.
AmlAssessment + SuspiciousActivityReport
CDD, risk-rating with the factors that drove it, sanctions and PEP screening, SARs to the FIU (NZ) and STRs to AUSTRAC (AU). All append-only. All retained for the full statutory period.
SignoffRequest — the human gate on AI
Every consumer-facing AI output passes through a sign-off queue and is approved by a licensed professional before release. Who signed, when, with what review. The shield against UPL, FTC §5, and reliance suits.
Consent + ToS audit — the evidentiary record
Versioned ToS, versioned platform acknowledgment, signup IP, signup user agent, timestamps. The acknowledgment carves out non-waivable CGA 1993 (NZ) and ACL (AU) consumer rights — owning the carve-out is what makes the rest enforceable.
Retention floors.
Each record is held to the strictest applicable floor. Default platform floor is seven years. Legal-hold flags extend indefinitely until released.
| Authority | Floor | Scope |
|---|---|---|
| NZ AML/CFT Act 2009 | 5 years from end of relationship | CDD, transaction records, SARs, risk assessments, programme, audit reports |
| AU AML/CTF Act 2006 | 7 years | KYC, TTRs, IFTIs, SMRs, AML/CTF Program, board approvals |
| NZ Tax Administration Act 1994 s22 | 7 years | Books, working papers, tax-agent records |
| AU TAA 1953 + ITAA 1997 | 5 years (some 7) | Tax records, TPB service records, transfer-pricing docs (5 yrs from lodgement) |
| NZ Lawyers' Trust Account Regs 2008 | 6 years | Trust ledger, statements, reconciliations |
| NZ Lawyers and Conveyancers Act 2006 | 7 years typical | Client files, engagement, conduct records |
| AU APES 305 / 310 | 7 years | Engagement letters, client-monies records |
| NZ IAA Code of Conduct 2014 | 7 years from completion | Written agreement, statement of services, file notes |
| AU OMARA Code of Conduct 2021 | 7 years | Client agreement, file notes, Form 956 |
| AU ASIC RG 217 + ARITA Code | 7 years post-administration | Receipts/payments, time records, remuneration disclosures |
| NZ Privacy Act 2020 + AU Privacy Act 1988 | Only as long as necessary | Subject to the carve-outs above where they apply |
| GDPR (any EU subjects) | Art 5(1)(e) storage limitation; Art 30(1) ROPA kept continuously current | DPIAs, ROPA, consent records, processor list |
Architectural rules.
The principles that make the audit posture honest. Without these, "we keep records" is marketing. With them, it is a standard a regulator can stand on.
Append-only, by design
Audit-relevant tables accept INSERT only. Soft-delete is a tombstone row, not a vanished one. Even an admin cannot rewrite history.
Hash chain on every entry
Each AuditLog row hashes the prior row's hash. A regulator export ships with the chain head and a verification script — tampering is detectable end-to-end.
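The walk a verification script performs over an exported AuditLog chain, as an added illustration rather than the platform's own script: the row layout, field names and genesis value are assumptions, and the chain is built from constructed sample rows. The important caveat is in the last check: an attacker who can rewrite every row can also recompute every hash, so the walk is only conclusive against a chain head held outside the database (the value printed on the signed export).

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prior-hash value for the first row in the chain


def canonical(payload):
    # Deterministic serialisation: sorted keys, no whitespace, so every
    # verifier hashes exactly the same bytes for the same row.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash, payload):
    # Each row commits to the previous row's hash plus its own payload.
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


def append(chain, payload):
    # Append-only: a new row is derived from the current head, never edited in place.
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(payload, prev_hash=prev, hash=row_hash(prev, payload))
    chain.append(entry)
    return entry["hash"]


def verify(chain, published_head):
    """Return (ok, index). index is the first inconsistent row, None when the
    chain is intact, or len(chain) when every row links but the head does not
    match the externally published head (a wholesale rewrite)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        payload = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or row_hash(prev, payload) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return (True, None) if prev == published_head else (False, len(chain))


def build_sample_chain():
    # Constructed sample rows in the shape of an AuditLog export (not real data).
    chain = []
    rows = [
        {"firm_id": "firm-001", "actor": "partner@example.test", "action": "LOGIN", "record_id": "-", "ts": 1700000000},
        {"firm_id": "firm-001", "actor": "partner@example.test", "action": "READ", "record_id": "client-042", "ts": 1700000060},
        {"firm_id": "firm-001", "actor": "partner@example.test", "action": "SIGNOFF", "record_id": "doc-042-v3", "ts": 1700000120},
        {"firm_id": "firm-001", "actor": "system", "action": "EXPORT", "record_id": "audit-bundle-7", "ts": 1700000180},
    ]
    for row in rows:
        append(chain, row)
    return chain
```

Ship the published head with the signed bundle and pass it as `published_head`; a verifier that only checks internal links will accept a consistently rewritten chain.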
WORM-style storage
Audit objects are written to S3 Object Lock (or equivalent compliant immutable storage). The bucket policy refuses overwrite, even from the root account.
Signed regulator exports
Audit pulls export as a signed bundle: PDF + JSON + manifest, with chain head, document hashes, and our signing certificate. The auditor verifies in minutes.
Right-to-erasure with statutory carve-out
Privacy Act erasure requests are honoured except where TAA, AML/CFT, or professional rules mandate retention. The data subject is told which section requires it — the platform does not silently refuse.
Per-tenant isolation
Every audit row carries the firm identifier. Cross-tenant reads are not possible from application code; the database enforces row-level scoping.
This page describes the audit posture of the Marco Reid platform. It is not legal advice. Each firm remains responsible for its own compliance programme; the platform makes the programme tractable and auditable. For the canonical model definitions see prisma/schema.prisma.
Bet your practice on the chain.
The audit comes. The insurer asks. The complainant escalates. The answer is one signed export away.