Compliance Reporting
Generate and manage compliance reports for SOC2, GDPR, and audit requirements.
Overview
For everyone: The Compliance page helps you stay audit-ready by generating official reports about how your AI agents handle data. Whether you need to prove your security controls for SOC2, export personal data for GDPR, or review administrative actions, this page generates the documents you need — in formats auditors and regulators can work with.
For technical users: The compliance module generates structured reports by querying the engine's audit trail, agent activity logs, DLP violations, and access patterns. Reports are generated asynchronously via POST /compliance/reports/:type and downloadable in JSON or CSV format. Agent-scoped and date-range-scoped queries are supported.
How It Works
- Select report type — choose SOC2 Summary, GDPR Export, or Audit Summary.
- Configure scope — set date range, select specific agents (optional).
- Generate — the report is created asynchronously on the server.
- Download — once completed, download in JSON (programmatic) or CSV (spreadsheet) format.
Key Concepts
Report Scoping
Reports can be scoped by:
- Date range — for SOC2 and Audit reports, specify a start and end date.
- Agent — for GDPR exports, select a specific agent (required). For Audit reports, optionally filter to one agent.
- Organization — all reports are automatically scoped to the current organization.
Report Lifecycle
| Status | Meaning |
| --- | --- |
| completed | Report is ready for download |
| pending | Report is being generated |
| failed | Report generation encountered an error |
Report Types
SOC2 Summary
Documents security controls, access patterns, and policy enforcement for SOC2 auditors. Includes:
- User access and authentication activity
- Agent permission boundaries and enforcement
- DLP rule configurations and violation counts
- Vault access patterns
- Administrative action summary
Scope: Date range + optional agent filter
GDPR Export
Generates a data subject access report for a specific agent, showing all personal data processed. Useful for responding to data subject access requests (DSARs). Includes:
- All emails sent and received by the agent
- Personal data detected in agent communications
- Data processing activities and legal basis
- Third-party data sharing records
Scope: Specific agent (required)
Tip: GDPR exports require selecting a specific agent because the report is about data processed by that agent. You cannot generate a GDPR export for "all agents" — create one per agent as needed.
Audit Summary
Aggregated view of all administrative actions over a date range. Useful for internal reviews and general audit readiness. Includes:
- User creation, deletion, and permission changes
- Agent configuration modifications
- Secret access and rotation events
- DLP rule changes
- System configuration changes
Scope: Date range + optional agent filter
Generating Reports
- Navigate to the Generate tab.
- Select the Report Type from the dropdown.
- For SOC2/Audit: set the From and To dates (defaults to last 30 days).
- For GDPR: select the target Agent (required).
- For Audit: optionally select a specific Agent to filter.
- Click Generate Report.
- Switch to the Reports tab to monitor status and download when complete.
Tip: For SOC2 audits, generate monthly reports to maintain a continuous compliance record. This makes annual audits much smoother.
Report History
The Reports tab shows all previously generated reports with:
| Column | Description |
| --- | --- |
| Title | Auto-generated descriptive title |
| Type | SOC2, GDPR, or AUDIT badge |
| Status | Completed, pending, or failed |
| Generated | Timestamp of report creation |
| By | User who generated the report |
| Actions | Download as JSON or CSV (completed reports only) |
Download Formats
- JSON — structured data for programmatic processing, integrations, or archival.
- CSV — tabular format for spreadsheet review, sharing with auditors, or importing into GRC tools.
Configuration & Setup
API Endpoints
| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /compliance/reports?orgId= | List all reports |
| POST | /compliance/reports/soc2 | Generate SOC2 summary |
| POST | /compliance/reports/gdpr | Generate GDPR export |
| POST | /compliance/reports/audit | Generate audit summary |
| GET | /compliance/reports/:id/download?format= | Download report (json or csv) |
Request Body Examples
```
// SOC2 Summary
POST /compliance/reports/soc2
{
  "orgId": "org-123",
  "dateRange": { "from": "2026-01-01", "to": "2026-01-31" },
  "agentIds": ["agent-1", "agent-2"] // optional
}

// GDPR Export
POST /compliance/reports/gdpr
{
  "orgId": "org-123",
  "agentId": "agent-1" // required
}

// Audit Summary
POST /compliance/reports/audit
{
  "orgId": "org-123",
  "dateRange": { "from": "2026-01-01", "to": "2026-03-01" },
  "agentIds": ["agent-1"] // optional
}
```
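The scoping rules and request bodies above, as an added Python example (not the product's own code): it builds the three request bodies, rejects a reversed date range or a GDPR request without exactly one agent before anything is sent, and splits a long range into calendar-month windows for a monthly SOC2 or audit cadence. The function names are hypothetical, and treating `from` and `to` as inclusive dates is an assumption.

```python
from datetime import date, timedelta

REPORT_TYPES = ("soc2", "gdpr", "audit")  # the three POST endpoints on this page

def build_request(report_type, org_id, start=None, end=None, agent_ids=()):
    """Return (path, body) for POST /compliance/reports/:type or raise ValueError."""
    if report_type not in REPORT_TYPES:
        raise ValueError(f"unknown report type: {report_type!r}")
    if not org_id:
        raise ValueError("orgId is required")
    agent_ids = list(agent_ids)
    body = {"orgId": org_id}
    if report_type == "gdpr":
        # GDPR exports are per agent; there is no "all agents" export.
        if len(agent_ids) != 1:
            raise ValueError("gdpr export requires exactly one agent")
        body["agentId"] = agent_ids[0]  # the page's GDPR body carries no dateRange
    else:
        if start is None or end is None:
            raise ValueError("soc2/audit reports need a from and to date")
        if start > end:  # documented cause of a "failed" report
            raise ValueError("invalid date range: from > to")
        body["dateRange"] = {"from": start.isoformat(), "to": end.isoformat()}
        if agent_ids:  # optional filter
            body["agentIds"] = agent_ids
    return f"/compliance/reports/{report_type}", body

def monthly_windows(start, end):
    """Split a date range into calendar-month windows (assumes inclusive ends)."""
    if start > end:
        raise ValueError("invalid date range: from > to")
    windows, cur = [], start
    while cur <= end:
        first_of_next = date(cur.year + (cur.month == 12), cur.month % 12 + 1, 1)
        windows.append((cur, min(end, first_of_next - timedelta(days=1))))
        cur = first_of_next
    return windows

def monthly_requests(report_type, org_id, start, end, agent_ids=()):
    """One validated soc2/audit request per calendar month in the range."""
    return [build_request(report_type, org_id, s, e, agent_ids)
            for s, e in monthly_windows(start, end)]

if __name__ == "__main__":
    # Constructed sample values, taken from the request examples on this page.
    for path, body in monthly_requests("audit", "org-123", date(2026, 1, 1),
                                       date(2026, 3, 1), ["agent-1"]):
        print("POST", path, body)
```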
Best Practices
- Generate monthly SOC2 reports — maintain a continuous compliance trail rather than scrambling before audits.
- Process GDPR requests promptly — regulations typically require response within 30 days of a DSAR.
- Archive reports externally — download and store completed reports in your document management system. Reports on the dashboard are not guaranteed to persist indefinitely.
- Use agent scoping wisely — generate agent-specific reports when investigating incidents; use org-wide reports for periodic reviews.
- Review Audit Summaries before releasing access changes — after modifying user permissions or agent configurations, generate an audit summary to verify the changes are recorded correctly.
- Keep date ranges manageable — very large date ranges (years) may take longer to generate. Quarterly or monthly is ideal.
- Download both formats — JSON for your systems, CSV for auditors and compliance teams.
Troubleshooting
Report stuck in "pending" status
Large reports with wide date ranges may take several minutes. Wait and refresh the Reports tab. If it stays pending for more than 10 minutes, there may be a backend issue — check server logs.
Report shows "failed" status
Common causes: invalid date range (from > to), agent ID not found, or database timeout for very large datasets. Fix the parameters and regenerate.
GDPR export has no data
Verify the selected agent has actually processed data during the reporting period. Newly created agents with no activity will produce empty reports.
Download not starting
The download opens in a new tab via /api/engine/compliance/reports/:id/download. Ensure your browser isn't blocking popups. Try right-clicking the download button and selecting "Open in new tab."
Cannot generate reports
Report generation requires admin-level access. Check your user role and permissions on the Users page.
DLP — DLP violations feed into compliance reports.
Vault — Vault audit logs are included in SOC2 and Audit summaries.
Users — User activity is tracked in Audit Summary reports.
Database Access — Database query audit logs can inform compliance reviews.