Audit and compliance

Why this matters

In an RCIC practice (or any legal firm), having a clear trail of who did what and when isn't optional — it's a professional requirement. ImmCase has built-in audit mechanisms you should know and configure as an administrator.

This page summarizes the tools. Each has its specific chapter — here they're tied together.

The four evidence sources

1. Per-record activity timeline

Each applicant, case, quote, etc., has its own activity timeline that records every change to that specific record. See Activity timeline, which is recommended reading to understand what gets logged automatically.

2. Sign-in log

ImmCase logs every sign-in: which user, from which IP, in which browser, on what date. Access:

  • Settings → Audit → Sessions.

Useful to spot unauthorized or unusual access.
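
One way to review this log offline, as an added example that is not ImmCase code: it flags sign-ins from an IP or browser not previously seen for that user, or outside office hours. It assumes the sessions evidence has been exported to CSV; the column names (user, ip, browser, timestamp), the office hours and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample. Column names are assumed, not ImmCase's documented export schema.
SAMPLE_CSV = """user,ip,browser,timestamp
ana@example.test,203.0.113.10,Firefox,2024-03-04T09:12:00
ana@example.test,203.0.113.10,Firefox,2024-03-05T08:58:00
ana@example.test,198.51.100.77,Chrome,2024-03-06T02:41:00
ben@example.test,203.0.113.10,Edge,2024-03-04T10:03:00
ben@example.test,203.0.113.10,Edge,2024-03-06T10:15:00
"""

WORK_HOURS = range(7, 20)  # assumed office hours (07:00-19:59) in the log's time zone


def load_rows(text):
    """Parse exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_sessions(rows, work_hours=WORK_HOURS):
    """Return (timestamp, user, reasons) for every sign-in that merits a look."""
    seen_ips = defaultdict(set)       # user -> IPs already observed
    seen_browsers = defaultdict(set)  # user -> browsers already observed
    findings = []
    ordered = sorted(rows, key=lambda r: datetime.fromisoformat(r["timestamp"]))
    for row in ordered:
        user, ip, browser = row["user"], row["ip"], row["browser"]
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        # A user's first sign-in only establishes the baseline for IP and browser.
        if seen_ips[user] and ip not in seen_ips[user]:
            reasons.append("new IP")
        if seen_browsers[user] and browser not in seen_browsers[user]:
            reasons.append("new browser")
        if when.hour not in work_hours:
            reasons.append("outside office hours")
        seen_ips[user].add(ip)
        seen_browsers[user].add(browser)
        if reasons:
            findings.append((row["timestamp"], user, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in review_sessions(load_rows(SAMPLE_CSV)):
        print(f"{ts}  {user}: {', '.join(reasons)}")
```

A flagged row is a prompt to ask the user about that sign-in, not proof of compromise: travel, a new laptop or a late filing deadline produce the same pattern.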

3. Admin operations log

Sensitive changes (create user, change permissions, delete records) are logged in a separate admin log:

  • Settings → Audit → Admin operations.

You can filter by the user who made the change, by operation type, and by date range.

4. Export for external auditor

When an external auditor (RCIC College of Immigration Consultants, accountant, regulator) needs to review:

  1. Settings → Audit → Export.
  2. Pick date range and evidence type (activity timeline, sessions, admin operations).
  3. ImmCase generates a ZIP with CSVs and PDFs.
  4. The export carries a timestamp and an optional digital signature for integrity.

Retention policy

How long does ImmCase keep logs?

  • Per-record activity timeline — indefinite (as long as the record exists). If you delete a case, its timeline goes with it.
  • Session log — 1 year by default. Configurable in Settings → Audit → Retention.
  • Admin operations — indefinite by default. These are the most critical.

Your jurisdiction may require longer retention. RCIC in Canada typically requires keeping files for 6 years after case closure. Configure retention accordingly.

Digitally signed documents

If your practice uses electronic signatures (on PDFs, on eForms), ImmCase keeps the signature certificate alongside the document: who signed, when, from which IP, with what method (on-screen handwriting, OTP via SMS, etc.).

This certificate is what a court or regulator accepts as evidence that the applicant signed.

GDPR / PIPEDA / LGPD compliance

Some jurisdictions require:

  • Letting the client access their personal data your practice holds. ImmCase has Export applicant profile that generates a PDF/JSON with everything you have on them.
  • Letting the client request erasure. Soft-delete + configured retention covers this, but for real deletion, there's a specific admin command.
  • Notifying data breaches. ImmCase can alert on unusual access — configure it in audit alerts.

Watch out for

  • Modifying logs is illegal in many jurisdictions. ImmCase logs can't be modified from the UI by users (including admins) — only added to. If server access allows modifying the database, that's an infrastructure-security concern, not an ImmCase one.
  • Deleting a user doesn't delete their logs. The actions that person took remain logged. Soft-deleting the user only blocks future access.
  • Backups are your IT team's responsibility, not ImmCase's. Confirm with your technical administrator that there are daily backups and a recovery plan.

Where to next

  • Part 7 (Specialty tools) — ImmCase-specific functions for immigration.
  • Your profile — each user should configure their own account security.