Skip to main content
Security and compliance teams can use this guide to answer: what did Duvo do, on whose behalf, and when? It covers what Duvo records, where to find that data in the product, how to export it for your SIEM or compliance tooling, and what is not yet captured so you can plan compensating controls.

What Gets Recorded

Duvo records activity in four event families.

Actor events

Changes to who can access Duvo and how they authenticate:

Builder events

Changes to automation configuration:

Run events

Activity during each Run execution:

Admin events

Organizational-level changes:

Finding Audit Data in the Product

Runs List

Past Runs (left sidebar) is the primary place to review run-level activity. Every Run across all agents appears here with its status, trigger source, creating user, and timestamps. Admins and Managers see the Created by column, which shows which team member started each Run. Use the filter bar to narrow by:
  • Agent — activity for a specific automation
  • Status — Failed, Completed, Running, or Stopped runs
  • Created by — activity from a specific team member (Admin and Manager only)
  • Trigger — runs started manually, by schedule, by API, or by event trigger

Team Insights

Team Insights (sidebar, under Team) shows aggregated activity: run counts, completion rates, active agents, and usage trends over time. Use this to spot sudden drops in activity or failure rate spikes across the whole team.

Human-in-the-Loop activity

All HITL approval requests, responses, and outcomes are recorded as part of the Run’s message thread. Open any Run that included a HITL step to see who approved or rejected the request, when, and with what context.

Exporting Audit Data

From the Runs List

To export run-level activity:

Open Past Runs

Open Past Runs from the sidebar.

Apply filters

Apply filters (agent, date range, status, created by).

Click Export

Click Export in the top-right corner.

Choose a format

Choose CSV or JSON.
Each export row contains: agent name, run ID, status, trigger type, created-by user, start time, end time, and duration. The run ID can then be used to retrieve the full message log via the API (see below). Download sample exports to inspect the exact field names and format:

Via the Public API

Use the API to retrieve run history and build a custom audit export pipeline. List recent runs for your team:
Filter parameters: Get status for a specific Run:
Get the full execution log for one Run:
The messages endpoint returns every step the agent took — tool calls, model responses, HITL requests, and final output — in chronological order.

Integrating with a SIEM or Observability Tool

Duvo does not currently have a native push connector for SIEM tools (Splunk, Datadog, Elasticsearch, etc.). The supported approach is a pull-based pipeline using the public API.

Building a polling pipeline

Schedule a polling script

Schedule a polling script (a cron job, Lambda, or Cloud Run job) that calls GET /teams/{teamId}/runs with sort_order=asc and an offset cursor to page through new Runs since your last poll.

Fetch each Run's execution log

For each Run, call GET /runs/{run_id}/messages to get the full execution log.

Forward to your SIEM

Transform and forward the results to your SIEM using its HTTP ingestion endpoint — for example, Splunk HTTP Event Collector (HEC) or the Datadog Logs API.
GET /runs/{run_id} returns a JSON object like this:
For the full API reference, see Running Agents via API.

Retention and Access Control

Who can view audit data

Organization Admins, Owners, and Executives have access to every team’s data within the organization. For a full breakdown of role capabilities, see Team Roles and Permissions and Organization Roles and Permissions.

Data retention

Run history and audit data is retained for the duration of your subscription. Contact security@duvo.ai if you need a full data export or have questions about retention windows under your plan.

Known Gaps

Be aware of these limitations when planning compensating controls.

Guardrails for High-Risk Automations

Risk tiers, HITL patterns, and kill switches for sensitive agents

Runs List

Filtering and monitoring all Runs across your team

Running Agents via API

API reference for starting runs, polling status, and retrieving messages

Team Roles and Permissions

Team-level roles and what each can see

Organization Roles and Permissions

Org-level access and which roles have cross-team visibility

Security & Privacy

Platform-level security controls, SOC 2, and data handling