
Compliance Reports

Phase Г.3 of the GA roadmap: one click in CP → a SOC 2 / HIPAA / ISO 27001 evidence packet zip, ready to hand to an auditor. Audit log is already collected; compliance is a presentation layer that filters and renders.

Templates

Three shipped (SOC 2 production-ready; HIPAA + ISO 27001 are previews):

  ID                 Name                 Controls   Status
  soc2_type1         SOC 2 Type I         17+        shipped
  hipaa              HIPAA                6          preview (full version follows)
  iso27001_baseline  ISO 27001 baseline   5          preview

Each template is Go code so we can run actual audit-log queries against the tenant’s data, not just static text.

Walkthrough

  1. CP → Compliance → Generate report.
  2. Pick template.
  3. Pick period (last 30d / 90d / 365d / custom).
  4. Pick format (PDF only / PDF + CSV bundle / CSV only).
  5. Click Generate. Status pill flips to Running with a progress bar (SSE).
  6. When Completed, click Download → zip bundle.

Each report is retained for 90 days (configurable per tenant). Re-download it from the history view.

Inside the bundle

report-soc2_type1-2026Q1.zip
├── report.pdf      — cover + summary + findings + remediation appendix
├── controls/       — one CSV per control with raw evidence rows
│   ├── CC6.1-auth-events.csv
│   ├── CC6.6-tls-config.csv
│   └── …
├── MANIFEST.json   — report metadata (template, period, generated_at, tenant)
└── README.txt      — auditor-facing overview

Per-control evidence

Each control declares one or more evidence collectors. The shipped query helpers cover the SOC 2 baseline:

  • AuthEvents(days) — per-user login successes/failures
  • FailedLoginsByUser(days) — distribution
  • PasswordPolicy() — live snapshot
  • TLSConfig() — public-port TLS settings
  • CertEvents(days) — ACME issue / renew / revoke
  • AlertingEvents(days) — alert fires + acknowledgements
  • AuditLogVolume(days) — total + per-category
  • AdminActions(days) — privileged actions
  • BackupEvents(days) — scheduled backup runs + outcomes
  • UpdateEvents(days) — OS package updates applied

All scoped to tenant_id; cross-tenant only for global admins.

Plans

  Tier         Compliance reports
  Free / Pro
  Team         ✅ (SOC 2 Type I template only)
  Enterprise   ✅ all templates + custom periods

License gates: compliance_reports (Team+), compliance_full_templates (Enterprise).

API

GET    /cp/api/v1/compliance/templates              → list
POST   /cp/api/v1/compliance/reports                → 202 { job_id }
GET    /cp/api/v1/compliance/reports                → tenant-scoped list
GET    /cp/api/v1/compliance/reports/{id}           → status + bundle URL
GET    /cp/api/v1/compliance/reports/{id}/download  → 307 → signed bundle URL
DELETE /cp/api/v1/compliance/reports/{id}           → soft-delete

Storage: local disk by default (under COMPLIANCE_LOCAL_ROOT); S3 / R2 swap-in via the same pattern as the marketplace storage layer.

Caveats

  • Not auto-attesting compliance. We assemble evidence; humans still sign.
  • Not running compliance scanners (Trivy, Falco). Out of scope for Г.3.
  • Not GDPR-specific — that template lands separately if asked.
  • HIPAA + ISO 27001 are preview templates — control coverage will grow in С.3.b.