Immutable append-only audit log
Every consequential action — every view, download, NDA acceptance, member added, permission flipped, document deleted — lands in an append-only Postgres table. UPDATE blocked by trigger; DELETE blocked by REVOKE. The audit log can't be tampered with, even by us.