Delayed monitor log deletion with optional password
Feature request:
Optional separate password protection for wiping security monitor logs.
The password is paired with allowing a user to set a configurable delayed deletion with options of 1, 2 or 3 months. On confirming the logs are to be wiped, you must wait for the delay to elapse.
If a user wants to remove the password or change it along with the log protections, a predetermined set delay will need to elapse before anything can be altered. A small window of 24 hours or more can be allowed in case the user changes their mind about the password they have chosen or about protecting the logs. After the window has elapsed, changes to the password or removal of the wipe protection will require the same delay that a wipe would.
A countdown with the remaining time can be next to the wipe button for additional clarity.
The time that log protections are enabled should be an event that is noted in the monitor logs.
The monitor logs are very vulnerable in the event of an account becoming compromised. I imagine a situation of a compromised account where someone has gained access and now has the ability to wipe the monitor logs to remove evidence. Although an event is made of the wipe, you lose valuable data like device, IP, location and timestamps. These are essential pieces of information, especially if a police report were to be made in this scenario or a thorough assessment is required.
With a compromised account come the risks of:
Financial fraud
Identity theft or impersonation
Compromise of third-party accounts
Exposure of sensitive business or client data
Additionally, knowing that accounts will inevitably be compromised, it would be great for so many users, personal and business/company-related accounts alike.
This is significant because security logs are often the only reliable source of evidence after a breach. Without them, users cannot fully understand what happened, incident response is weakened and law enforcement investigations are hindered severely.
On the business plan, for users who are under an organisation, many of the audit logs/monitor logs are immutable, and therefore in the case of a compromised account, data is still available for a thorough assessment. The idea of data being immutable has been thought of before by the Proton team and I hope that a personal account can have some of the same protections.
I'm aware Proton is privacy focused, and my feature request has been centered around allowing the user an option to protect their security logs whilst still taking the ability of deletion into consideration.
Thank you for taking this feature into consideration.
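
The timing rules proposed above, modelled as a small Python class. This is an added example, not part of the original request and not Proton's code; the class name, the action names and the 30-day month are assumptions, and the separate wipe password is assumed to have been verified by the caller before `request` is invoked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRACE_WINDOW = timedelta(hours=24)   # the request's "24 hours or more"
ALLOWED_MONTHS = (1, 2, 3)           # delay options named in the request
DAYS_PER_MONTH = 30                  # assumption: a month is modelled as 30 days
ACTIONS = ("wipe", "change_password", "remove_protection")  # hypothetical names


@dataclass
class LogProtection:
    """Hypothetical model of the proposed time-locked wipe protection."""
    enabled_at: datetime
    delay_months: int
    pending: dict = field(default_factory=dict)  # action -> first request time
    events: list = field(default_factory=list)   # stands in for the monitor log

    def __post_init__(self):
        if self.delay_months not in ALLOWED_MONTHS:
            raise ValueError("delay must be 1, 2 or 3 months")
        self.delay = timedelta(days=DAYS_PER_MONTH * self.delay_months)
        self.events.append((self.enabled_at, "protection_enabled"))

    def request(self, action: str, now: datetime) -> datetime:
        """Record a request; return the time at which it may be carried out."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        # setdefault: repeating a request never restarts or shortens the countdown
        self.pending.setdefault(action, now)
        self.events.append((now, f"{action}_requested"))
        return self.ready_at(action)

    def ready_at(self, action: str) -> datetime:
        requested = self.pending[action]
        # Assumption: the grace window covers changing or removing the
        # protection only; a wipe always waits for the full delay.
        if action != "wipe" and requested - self.enabled_at <= GRACE_WINDOW:
            return requested
        return requested + self.delay

    def remaining(self, action: str, now: datetime) -> timedelta:
        """Countdown value to display next to the button."""
        return max(self.ready_at(action) - now, timedelta(0))

    def may_execute(self, action: str, now: datetime) -> bool:
        return action in self.pending and now >= self.ready_at(action)
```

Every request is written to `events` at the moment it is made, so the start of a countdown is itself recorded even if the wipe later goes ahead.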