Read the audit log inside Case Settings on the Legal hold tab to see every recorded step on the matter. The log captures who did what and when, plus when custodians opened notices and acknowledged them. Run Verify integrity at any time to confirm nothing in the log has been altered or removed since it was written. Hand this audit log to opposing counsel as part of your case record.
What the audit log captures
Any action that touches a legal hold writes one row to the audit log. The hold itself, the custodians on it, the notices that go out, the acknowledgments that come back, and any blocked attempt to delete or dedupe content under hold. The log is append-only by design. Hintyr writes new rows. Nothing rewrites or deletes old ones.
The columns you see in the log: when the action happened, who triggered it (you, a custodian, or Hintyr's scheduler), the action label, and a one-line summary. Click a row to expand the extra detail recorded with that event.
Action labels you'll see
The log uses plain-language labels for the actions it captures. Common labels:
- Hold drafted- You started a draft hold but haven't issued it yet.
- Hold issued - The hold transitioned from draft to active. Preservation rules are now in force on the case.
- Custodians added - One or more custodians joined the roster.
- Custodian updated - A custodian record changed (employment status, contact info, scope override, or similar).
- Notice composed - A preservation notice was drafted but not yet sent.
- Notice sent - A notice went out to one or more custodians.
- Notice opened by custodian - A custodian opened the secure link inside the notice.
- Acknowledgment received - A custodian completed the attestation, either through the online page or through an offline channel recorded by an attorney.
- Reminder sent- Hintyr's scheduler sent a reminder notice to custodians who hadn't acknowledged within the cadence window.
- Scope amended - The scope of the hold changed and the prior values were recorded for the audit trail.
- Action blocked - Someone tried a destructive action (delete, dedupe, custodian removal) that the hold blocked. The block itself is recorded.
- File added during hold - A file was uploaded after the hold was issued. Uploads are allowed under hold and tagged so the timeline is clear.
- Hold released - The hold transitioned from active to released. Preservation duties on the case end.
- Package exported - You downloaded a signed export package of the hold record.
Verifying integrity
Click Verify integrity at the top of the audit log to walk the recorded events and check that nothing has been altered or removed. The check runs in your browser against the events the page just loaded. It takes a moment on a busy hold, a fraction of a second on a quiet one.
On success, the modal reports the events walked, confirms no changes were detected, and offers a verification report you can download as a PDF. The report includes the event count walked, the starting and ending fingerprints, and the timestamp the check ran. Save the report with the matter file when you need a point-in-time record.
What the audit log proves in court
The audit log is part of your case record. It shows when the hold was placed, which custodians were on it, when each custodian acknowledged, when notices and reminders went out, and when the hold was released. Courts use this kind of log to evaluate whether the firm's preservation practices were reasonable under spoliation case law, FRCP 37(e), and the Sedona Conference Commentary on Legal Holds. Having a clean record matters. Not having one is the worst position to argue from.
Underneath the labels and timestamps, the log keeps the events linked in order. Each event includes a unique fingerprint computed from its own data and the fingerprint of the previous event. Altering any event breaks the chain. That's why the Verify integrity check works the way it does. You don't need to know the mechanics to use it. You only need to know that if it passes, the record is intact, and if it ever fails, the system has detected an out-of-band change.
What a broken verification means
Broken verification is rare. When it happens, Hintyr treats it as a serious incident. The system records the broken state automatically, so the report itself reflects what was detected. Contact support and do not export the package until support has reviewed the case. Continuing as if nothing happened weakens the chain you may need to defend later.
In normal operation, Verify integrity passes. Reaching a broken result usually points to a direct database edit outside the product, a backup-restore that crossed a hold boundary, or another out-of-band intervention. Support will identify the cause and document the timeline.
Edge cases and limits
- The audit log shows actions taken inside Hintyr. Actions taken outside Hintyr (in Microsoft 365 Purview, Google Vault, Slack retention settings, etc.) live in those systems and are your firm's responsibility to document. See External preservation systems for where to record those steps.
- Released holds keep their audit log. Releasing a hold doesn't delete history; it transitions the status so destructive actions unblock on the case going forward.
- Opening the Legal hold tab and reading the log does not write a new event to the chain. Verify integrity is a read-only check.