Compliance Reports
🔒 Paid feature. Available on the Team, Pro, Business, and Enterprise plans. SOC 2 Type I is included on every paid plan; HIPAA and ISO 27001 templates require Enterprise.
The Compliance page in the Control Panel turns your tenant audit log into a printable evidence packet for SOC 2, HIPAA, or ISO 27001. Open Organization → Compliance to access the wizard and history view.
Workflow
- Pick a template. SOC 2 Type I ships with 17 populated controls; HIPAA and ISO 27001 ship with starter control sets that grow over time.
- Pick a period. Default is the last 90 days. The maximum is 400 days.
- Pick a format. PDF for printing, CSV for raw evidence, or ZIP to download both at once.
- Click Generate report. The job is queued and processed asynchronously — you can leave the page and check back. The history view polls every 5 seconds.
- When the job flips to completed, click PDF, CSV, or ZIP in the history row to download the artifact.
What’s inside
Each report has four sections:
- Cover page with the framework, tenant, period, and overall score.
- Executive summary with a category-level pass / partial / fail / unknown breakdown.
- Detailed findings with one block per control: status, headline, sample audit rows, and the underlying control description.
- Remediation appendix — auto-generated suggestions for any control that did not pass.
The score is (pass + 0.5 × partial) / total × 100. Unknown controls (no evidence available) are excluded from scoring so the result reflects evidence-grounded controls only.
Templates
| Template | Tier | Controls |
|---|---|---|
| SOC 2 Type I | Team+ | 17 (CC1–CC9 + Availability A1.1) |
| HIPAA Security Rule | Enterprise | 6 (preview) |
| ISO/IEC 27001:2022 | Enterprise | 5 (preview) |
The HIPAA and ISO 27001 templates use the same evidence collectors as SOC 2 today. They are flagged “preview” because the control catalogues will keep growing release by release.
Evidence sources
All evidence is read from the tenant audit log (cc_audit_log). Each control runs one or more of the following query helpers:
| Helper | What it answers |
|---|---|
| AuthEvents | How many logins occurred, and what percentage of them satisfied MFA. |
| FailedLoginsByUser | Brute-force / credential-stuffing patterns. |
| PasswordPolicy | Password rotations, MFA enrolments / disables. |
| TLSConfig / CertEvents | Certificate rotation and lifecycle. |
| AlertingEvents | Alerts fired, incidents opened / resolved. |
| AuditLogVolume | Audit-log coverage across the period. |
| AdminActions | Privileged-administration actions (role changes, billing). |
| BackupEvents / UpdateEvents | Backup hygiene and patch hygiene. |
The verdicts (pass / partial / fail / unknown) follow conservative thresholds (e.g. ≥ 90 % MFA coverage = pass, 50–89 % = partial). Operators tune these by forking the template under internal/compliance/templates/.
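The verdict thresholds above and the score formula from the "What's inside" section, worked through as an added example (not code from the Control Panel itself). The AuthEvents record shape, the "fail" band below 50 % MFA coverage, and treating a period with zero logins as unknown are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed shape of the evidence the AuthEvents helper returns (constructed for
# this example; the page does not define the helper's return type).
@dataclass
class AuthEvents:
    logins: int
    mfa_logins: int


def mfa_verdict(ev: AuthEvents, pass_at: float = 0.90, partial_at: float = 0.50) -> str:
    """Map MFA coverage to a verdict.

    Thresholds follow the page's example (>= 90 % pass, 50-89 % partial).
    'fail' below 50 % is assumed. A period with no logins has no evidence,
    so it is reported as 'unknown' and excluded from scoring.
    """
    if ev.logins == 0:
        return "unknown"
    coverage = ev.mfa_logins / ev.logins
    if coverage >= pass_at:
        return "pass"
    if coverage >= partial_at:
        return "partial"
    return "fail"


def report_score(verdicts: list[str]) -> Optional[float]:
    """(pass + 0.5 * partial) / total * 100, where total counts only
    evidence-grounded controls. Returns None when every control is unknown."""
    scored = [v for v in verdicts if v != "unknown"]
    if not scored:
        return None
    weight = {"pass": 1.0, "partial": 0.5, "fail": 0.0}
    return sum(weight[v] for v in scored) / len(scored) * 100


def summary(verdicts: list[str]) -> dict[str, int]:
    """Category-level breakdown as shown in the executive summary."""
    counts = {"pass": 0, "partial": 0, "fail": 0, "unknown": 0}
    for v in verdicts:
        counts[v] += 1
    return counts


if __name__ == "__main__":
    # Constructed evidence for five controls over one reporting period.
    verdicts = [mfa_verdict(AuthEvents(200, 190)), "pass", "partial", "fail",
                mfa_verdict(AuthEvents(0, 0))]
    print(summary(verdicts), report_score(verdicts))
```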
API
| Endpoint | Method | Description |
|---|---|---|
| /api/compliance/templates | GET | Catalogue with allowed flag per template. |
| /api/compliance/reports | POST | Enqueue a new report. Returns {job_id} (202). |
| /api/compliance/reports | GET | History (most recent first). |
| /api/compliance/reports/{id} | GET | One job’s status + summary. |
| /api/compliance/reports/{id}/download?format=pdf\|csv\|zip | GET | Stream the rendered artifact. |
Storage backend is configured via COMPLIANCE_LOCAL_ROOT (default: ~/.quazzar-cp/compliance/reports). Cloud-blob backends will land alongside the marketplace S3/R2 adapter.