diff --git a/README.md b/README.md
index 9ec67af..efdc9ec 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ This repo uses ArgoCD's app-of-apps pattern: a root Application (`root-app.yaml`
 | 9 | kong | API gateway |
 | 9 | metadata-event-handler | Kafka→ES event indexer |
 | 9 | kg-integration | EBRAINS Knowledge Graph integration |
+| 9 | audit-trail | |
 | 10 | bff | Backend-for-frontend (web) |
 | 10 | bff-cli | Backend-for-frontend (CLI) |
 | 11 | portal | Frontend UI |
diff --git a/clusters/dev/apps/audit-trail/Chart.yaml b/clusters/dev/apps/audit-trail/Chart.yaml
new file mode 100644
index 0000000..0f6b6b8
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: audit-trail
+version: 0.1.0
+dependencies:
+ - name: audit-trail-service
+ version: "0.2.0"
+ repository: https://pilotdataplatform.github.io/helm-charts/
diff --git a/clusters/dev/apps/audit-trail/application.yaml b/clusters/dev/apps/audit-trail/application.yaml
new file mode 100644
index 0000000..1528a25
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/application.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: audit-trail
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "9"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+ targetRevision: main
+ path: clusters/dev/apps/audit-trail
+ helm:
+ valueFiles:
+ - ../../registry.yaml
+ - ../../versions.yaml
+ - values.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: utility
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/clusters/dev/apps/audit-trail/templates/external-secret.yaml b/clusters/dev/apps/audit-trail/templates/external-secret.yaml
new file mode 100644
index 0000000..37b1da4
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/templates/external-secret.yaml
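Review bot: In clusters/dev/apps/audit-trail/application.yaml the new Application is placed in `project: default`, which in a stock Argo CD install puts no restriction on source repositories or destination namespaces, while `automated` sync with `prune: true` and `selfHeal: true` applies whatever lands on `main` without a manual gate. If the other apps in this repo already use a scoped AppProject, this one should match; if they do not, a project limited to this repository and the `utility` namespace would contain the effect of a bad merge. The change is one line, `project: <scoped-project-name>`, where the name is a placeholder for whichever AppProject the cluster defines.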
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: audit-trail-credentials
+ namespace: utility
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ name: audit-trail-credentials
+ data:
+ - secretKey: atlas-password
+ remoteRef:
+ key: secret/data/atlas
+ property: atlas-password
diff --git a/clusters/dev/apps/audit-trail/values.yaml b/clusters/dev/apps/audit-trail/values.yaml
new file mode 100644
index 0000000..fec470d
--- /dev/null
+++ b/clusters/dev/apps/audit-trail/values.yaml
@@ -0,0 +1,61 @@
+audit-trail-service:
+ image:
+ repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/audit-trail
+ pullPolicy: IfNotPresent
+
+ fullnameOverride: audit-trail
+ replicaCount: 1
+
+ container:
+ port: 5077
+
+ service:
+ type: ClusterIP
+ port: 5077
+
+ imagePullSecrets:
+ - name: docker-registry-secret
+
+ extraEnv:
+ ATLAS_ADMIN: "admin"
+ ATLAS_HOST: "atlas.utility"
+ ATLAS_PORT: "21000"
+
+ extraEnvYaml:
+ - name: ATLAS_PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: audit-trail-credentials
+ key: atlas-password
+
+ resources:
+ limits:
+ cpu: "1"
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 50Mi
+
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 5077
+
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /v1/health/
+ port: 5077
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 3
+
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 33%
+ type: RollingUpdate
diff --git a/docs/vault-secrets.md b/docs/vault-secrets.md
index 079613e..54b7614 100644
--- a/docs/vault-secrets.md
+++ b/docs/vault-secrets.md
@@ -147,6 +147,13 @@ vault kv put secret/bff-cli \
 guacamole-jwt-public-key=''
 ```
+## Atlas (`secret/atlas`)
+
+```bash
+vault kv put secret/atlas \
+ atlas-password=$(openssl rand -hex 24)
+```
+
 ## Guacamole (`secret/guacamole`)
 ```bash
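Review bot: In clusters/dev/apps/audit-trail/templates/external-secret.yaml, `namespace: utility` is hard-coded inside a Helm template, so the ExternalSecret stays in `utility` even if the Application's `destination.namespace` is later changed, and the pod's `secretKeyRef` to `audit-trail-credentials` would then point at a Secret that is not in its own namespace. Using `namespace: {{ .Release.Namespace }}` keeps the Secret and its consumer together. A one-line comment above `remoteRef`, such as `# populated per the "Atlas" section of docs/vault-secrets.md`, would also tell the next reader where the value comes from.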
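Review bot: In clusters/dev/apps/audit-trail/values.yaml, `ATLAS_ADMIN: "admin"` paired with `ATLAS_PASSWD` suggests the service authenticates to Atlas as the admin account (inferred from the variable names, not shown in the diff); if so, a compromise of the audit-trail pod exposes full Atlas administration rather than only the access that audit logging needs. A dedicated Atlas user would be preferable, and until one exists a comment such as `# TODO: switch to a least-privilege Atlas account` above `ATLAS_ADMIN` records the intent. Separately, because `ATLAS_PASSWD` is injected as an environment variable through `secretKeyRef`, the ExternalSecret's `refreshInterval: 1h` updates the Secret but running pods keep the old password until they restart, so a password rotation needs an explicit rollout restart documented next to the `vault kv put secret/atlas` step.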