# Audit trail and security

Source: https://developer.avalara.com/ai-onboarding/pga8517320303196/

This section provides reference information for audit trail generation, data protection, and security controls.

## Onboarding run record

This section describes the immutable audit record created for each onboarding session to support traceability, compliance, and troubleshooting.

Each onboarding session creates an immutable onboarding run record during the finalization step.

| Field | Description |
| --- | --- |
| `sessionId` | A unique identifier assigned to the onboarding session. |
| `timestamp` | ISO 8601 timestamps indicating the start and end of the onboarding session. |
| `userId` | Identifier of the user who performed and approved onboarding actions. |
| `stepsCompleted` | List of onboarding steps performed, including timestamps for each completed step. |
| `apiCalls` | Request and response hashes for all AvaTax API calls made during onboarding. |
| `aiRecommendations` | AI-generated recommendations along with user accept or reject decisions. |
| `configSnapshot` | Before and after snapshots of AvaTax configuration captured during onboarding. |

Onboarding run records can be exported as PDF files to support compliance documentation and audit review.
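
The following is an added example, not Avalara's code: one way to assemble a run record with the fields above so that later modification is detectable, and to check a retained request/response pair against its recorded hashes. The page does not specify the hash algorithm, serialization, or any sealing mechanism; SHA-256 over canonical JSON, the HMAC field `recordMac`, the nested key names, and all sample values are assumptions.

```python
import hashlib
import hmac
import json

def canonical(obj):
    """Deterministic JSON bytes, so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sha256_hex(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()

def record_api_call(request, response):
    """Keep only hashes, so the record holds no payload data such as PII."""
    return {"requestHash": sha256_hex(request), "responseHash": sha256_hex(response)}

def seal(record, key):
    """Return a copy carrying an HMAC over all fields (hypothetical `recordMac`)."""
    body = {k: v for k, v in record.items() if k != "recordMac"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "recordMac": mac}

def is_intact(record, key):
    """True only if no field changed since sealing and the key matches."""
    return hmac.compare_digest(record.get("recordMac", ""), seal(record, key)["recordMac"])

def matches_call(record, index, request, response):
    """Check a retained request/response pair against the recorded hashes."""
    return record["apiCalls"][index] == record_api_call(request, response)

# Constructed sample values; not taken from a real session or real API paths.
SAMPLE_KEY = b"constructed-demo-key"
REQUEST = {"method": "POST", "path": "/example/nexus", "body": {"region": "WA"}}
RESPONSE = {"status": 201, "body": {"id": 1}}

def build_sample_record():
    return seal({
        "sessionId": "sess-0001",
        "timestamp": {"start": "2025-01-01T10:00:00Z", "end": "2025-01-01T10:20:00Z"},
        "userId": "user-42",
        "stepsCompleted": [{"step": "nexus", "completedAt": "2025-01-01T10:05:00Z"}],
        "apiCalls": [record_api_call(REQUEST, RESPONSE)],
        "aiRecommendations": [{"recommendation": "declare WA nexus", "decision": "accept"}],
        "configSnapshot": {"before": {"nexus": []}, "after": {"nexus": ["WA"]}},
    }, SAMPLE_KEY)

if __name__ == "__main__":
    rec = build_sample_record()
    print(is_intact(rec, SAMPLE_KEY), matches_call(rec, 0, REQUEST, RESPONSE))
```

A keyed MAC is used rather than a bare hash because anyone able to rewrite the record could also recompute an unkeyed digest; the key has to live outside the store that holds the records.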

## Data sensitivity

This section describes the types of sensitive data processed during onboarding and post-onboarding workflows and how that data is handled to meet compliance and privacy requirements.

**Note:** All data processing performed as part of this solution must comply with applicable privacy and data protection regulations, including GDPR, CCPA, and other relevant regional requirements.

| Data type | Sensitivity and handling |
| --- | --- |
| Customer PII | High sensitivity. Includes customer names, addresses, and contact information. Data is handled in accordance with established privacy policies and applicable regulations. |
| Transaction history | High sensitivity. Used as business intelligence for economic nexus analysis and processed within a secure environment. |
| Exemption certificates | High sensitivity. May include government identifiers and tax status information. Data is stored using encryption and protected access controls. |
| Item catalog | Medium sensitivity. Includes product data used for item classification. Data isn’t retained beyond the active onboarding session. |

## Access control

This section describes how user roles, permissions, and confirmation requirements control access to onboarding and post-onboarding operations.

-   **Administrator required**: Onboarding operations require administrator-level access in the ERP system to perform configuration and write operations.

-   **Role-based monitoring**: Post-onboarding monitoring alerts and dashboards respect existing role and permission configurations.

-   **Explicit confirmation**: All write operations require explicit user approval. Configuration changes are never applied automatically or without confirmation.

-   **AI as operator**: Users can instruct the AI to perform actions on their behalf. The AI always requests confirmation before performing any operation.

## Error handling

This section describes common errors that may occur during onboarding and post-onboarding workflows and how the AI assistant responds to guide resolution.

| Error | Description | AI response |
| --- | --- | --- |
| **144** | Duplicate nexus error | Indicates that the nexus declaration already exists. The AI surfaces the existing configuration and offers options to review or update it. |
| **309** | Invalid address | Indicates that the address could not be validated. The AI presents address correction options using the ResolveAddressPost API. |
| **1715 / 1716** | Rate limit exceeded | Indicates that API rate limits have been exceeded. The AI applies exponential backoff and queues large batch operations for retry. |
| **AuthenticationError** | Invalid credentials | Indicates that authentication failed. The AI prompts the user to verify the AvaTax connector configuration and credentials. |