Why We Built Trailbase
Every B2B SaaS app eventually needs audit logs. We got tired of rebuilding the same infrastructure from scratch, so we built an API for it.
The email that starts it all
It always begins the same way. You're shipping features, growing your user base, closing deals. Then one day an email arrives from your biggest prospect's security team:
"Before we can proceed, we need to review your audit logging capabilities. Please provide documentation on how user actions are logged, how long logs are retained, and how we can export them for our compliance reviews."
You look at your codebase. You have console.log statements. Maybe some entries in a user_activity table you built during a hackathon. Nothing that would survive a security review.
So you do what every engineering team does: you build it yourself.
The audit log trap
Building audit logs looks simple on the surface. Record who did what, when. Store it somewhere. Make it searchable.
But the scope creeps fast. Here's what "just add audit logging" actually means:
- Schema design — What fields do you capture? Actor, action, target, metadata, IP address, timestamp? What about nested resources?
- Immutability — Audit logs can't be editable. Your security team will ask how you guarantee tamper evidence. SHA-256 hash chains aren't trivial to get right.
- Retention policies — SOC 2 wants 12 months. HIPAA wants 6 years. Your enterprise customer in Germany wants GDPR-compliant deletion. Now you need configurable, per-tenant retention.
- Search and filtering — Your compliance officer needs to find every action a specific contractor took between March and June. Your security team needs to filter by IP range. Full-text search across millions of events is a scaling problem.
- Exports — Your customer's auditor wants a CSV. Their SIEM needs JSONL. Their compliance tool wants a REST API. Now you're building export infrastructure.
- Customer-facing dashboard — Your enterprise customer doesn't want to ask you for logs. They want a self-serve dashboard they can hand to their auditor.
What started as "a few days of work" becomes a quarter-long project. You pull engineers off your core product. You ship it, but it's never quite done. There's always another compliance framework, another export format, another edge case.
We've done this before. Three times.
Before Trailbase, we built audit logging systems at three different companies. Each time, we made the same mistakes:
- Started with a simple events table, then realized we needed immutability guarantees.
- Built search, then rebuilt it when the table hit 10 million rows and queries took 30 seconds.
- Shipped a basic export endpoint, then spent weeks building scheduled exports to customer S3 buckets.
- Hard-coded retention to 90 days, then scrambled when a customer needed 7 years for HIPAA.
By the third time, the pattern was obvious: every B2B SaaS company rebuilds the same infrastructure, makes the same mistakes, and ends up with something that barely passes audit.
There had to be a better way.
What we built
Trailbase is the audit log infrastructure we wished existed. One API integration. Everything you need to pass compliance audits and satisfy enterprise security reviews.
Here's what that looks like:
That's it. Five lines of code and you have:
- Immutable, cryptographically linked logs — Every event is chained using SHA-256 hashes. Tamper with one record and the chain breaks. Your auditor can verify integrity with a single API call.
- A searchable dashboard — Filter by actor, action, target, date range, or any metadata field. Hand it to your customer's security team and let them self-serve.
- Scheduled exports — Daily JSONL and CSV exports delivered directly to your customer's S3 bucket, with checksum verification.
- Configurable retention — 30 days, 12 months, 7 years. Set it per tenant and forget about it.
- Compliance automation — Generate on-demand security documentation for SOC 2, HIPAA, and GDPR procurement questionnaires.
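The SHA-256 chaining and tamper check described above and in the immutability point earlier, as an added example (not Trailbase's implementation or SDK): each record's hash covers the previous record's hash, its sequence number and a canonical serialisation of the event. The record layout, the `GENESIS` value, the function names and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash for the first record

def record_digest(prev_hash, seq, event):
    # Canonical JSON (sorted keys, fixed separators) so the same event always
    # hashes to the same bytes. prev_hash is fixed-width hex, so the
    # concatenation below is unambiguous.
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    record = {"seq": seq, "prev_hash": prev, "event": dict(event),
              "hash": record_digest(prev, seq, event)}
    chain.append(record)
    return record

def verify(chain, expected_head=None):
    """Return the index of the first record that fails, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return i  # reordered, deleted or re-linked record
        if rec["hash"] != record_digest(prev, i, rec["event"]):
            return i  # event content changed after it was written
        prev = rec["hash"]
    # Dropping records from the tail leaves a self-consistent chain; only a
    # head hash kept outside the log store exposes that.
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

# Constructed sample events, using the fields the post lists for the schema.
SAMPLE_EVENTS = [
    {"actor": "user_1", "action": "login", "target": "session", "ts": "2024-03-01T09:00:00Z"},
    {"actor": "user_1", "action": "export", "target": "report_7", "ts": "2024-03-01T09:05:00Z"},
    {"actor": "user_2", "action": "delete", "target": "report_7", "ts": "2024-03-01T09:10:00Z"},
]

def build_sample():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain
```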
What we didn't build
We intentionally kept Trailbase focused. We're not a SIEM. We're not an observability platform. We don't do application performance monitoring or error tracking.
Trailbase does one thing: it gives your B2B SaaS app a production-grade audit trail so you can close enterprise deals and pass compliance audits without pulling your engineering team off your product.
The deals you're losing
We talk to a lot of SaaS founders. The pattern is remarkably consistent:
- A $50k ARR deal stalls because the prospect's security team needs audit log documentation you don't have.
- You scramble to build something "good enough" in two weeks.
- The deal closes, but now you have technical debt that will haunt you for years.
- The next enterprise prospect asks for something slightly different, and you're back to building.
Trailbase exists so that the next time that email lands in your inbox, the answer is: "Here's your dashboard login. Our audit logs are immutable, searchable, and exportable. Here's our compliance documentation."
That response takes five minutes, not five sprints.
Try it
We're opening up early access now. If you're building B2B SaaS and the words "audit log" give you a headache, we built this for you.
- Read the getting started guide — ship your first event in under 5 minutes.
- Browse the SDK reference — see the full API surface.
- See pricing — starts at $99/mo for startups.
We'll be sharing more about the technical decisions behind Trailbase — how we designed the hash chain, how we handle multi-tenant retention, and how we built the export pipeline. Follow along on the blog.