Browse documentation
Docs/Concepts

Last reviewed 2026-06-10 - available

Compliance Evidence

How Qortara governance events become audit-ready compliance evidence for SOC 2, GDPR, and the EU AI Act.

Verified against: Qortara pre-launch docs

Download PDFDownload Markdowncontent/docs/concepts/compliance-evidence.md

Compliance Evidence

Compliance evidence is the audit-ready record that governance activity produces. Qortara does not only enforce policy; it records each decision, scan, and verification in a structured, tamper-evident form that maps to compliance framework controls, so the work of demonstrating governance is largely a byproduct of doing it.

> **Availability.** Compliance evidence generation and reporting are Qortara Cloud Governance capabilities and are in pre-launch. The endpoints, report shapes, and framework mappings below describe the hosted design. They are designed to support the named frameworks; they are not a certification, and using Qortara does not by itself make you compliant.

How evidence is generated

Evidence is produced two ways.

  1. **Continuously.** Every policy evaluation produces a governance record that maps to specific framework controls. This is designed to happen automatically, with no per-event configuration.
  2. **On demand.** A compliance scan evaluates your tenant's overall posture against a chosen framework and produces a scored report with findings and recommendations.

Both feed the same underlying record. The continuous stream is the detailed history; the scan is a periodic, framework-shaped summary built on top of it.

Supported frameworks

FrameworkWhat Qortara is designed to map
SOC 2Logical access (CC6.1), system authentication (CC6.2), monitoring (CC7.2), change management (CC8.1), external access (CC6.6), termination (CC6.3)
GDPRProcessing principles (Art. 5), lawful basis (Art. 6), data protection by design (Art. 25), records of processing (Art. 30), security of processing (Art. 32)
EU AI ActRisk management (Art. 9), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy and robustness (Art. 15)
NIST AI RMFGovern, Map, Measure, and Manage functions

These mappings describe what Qortara is designed to support, not a guarantee that a given control is satisfied in your environment. EU AI Act Article 12 record-keeping in particular is supported by Qortara's tamper-evident governance records, but that is a design intent ("designed for" record-keeping), not a certification. Whether your overall system meets Article 12, or any other control, is determined by your auditor and your full implementation, not by Qortara alone.

Running a compliance scan

curl -X POST https://api.qortara.com/v1/compliance/scan \
  -H "$AUTH_HEADER" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "context": {
      "tenant_id": "qor:your-tenant-id",
      "agent_count": 5,
      "policies_active": 3
    }
  }'

A scan returns a scored report with the controls that passed, the findings that did not, and concrete remediation guidance.

{
  "id": "rpt_soc2_20260410",
  "framework": "soc2",
  "status": "partial",
  "score": 0.83,
  "total_checks": 6,
  "passed_checks": 5,
  "scanned_at": "2026-04-10T12:00:00Z",
  "findings": [
    {
      "check_id": "CC7.2",
      "control": "System Monitoring",
      "status": "fail",
      "detail": "No webhook endpoints configured for real-time event delivery",
      "remediation": "Configure at least one webhook endpoint for event delivery"
    }
  ],
  "passed": [
    {"check_id": "CC6.1", "control": "Logical Access Controls", "detail": "Active policies enforce access restrictions"},
    {"check_id": "CC6.2", "control": "System Authentication", "detail": "Signed authentication enforced on write routes"},
    {"check_id": "CC8.1", "control": "Change Management", "detail": "Policy versioning active with an audit trail"},
    {"check_id": "CC6.6", "control": "External Access", "detail": "Trust attestations configured for cross-org interactions"},
    {"check_id": "CC6.3", "control": "Termination Procedures", "detail": "Agent deactivation procedures in place"}
  ]
}

The score and findings are diagnostic, not a pass or fail verdict on your program. A finding tells you where evidence is thin and what to do about it; the remediation field points at a concrete next step.

What triggers evidence generation

TriggerEvidence producedFrequency
Each policy evaluationA governance record with the decision, policy, agent, and framework tagsPer evaluation (100 to 10,000 per day is typical)
A compliance scanA scored report with findings and recommendationsOn demand (daily is a reasonable cadence, monthly a minimum)
A cross-org trust lookupA signed trust attestation with a Merkle proofPer lookup
A saga verificationA verified or mismatch result linked to the original actionPer saga step
A budget threshold crossingA budget alert eventEvent-driven

Presenting evidence to an auditor

For a SOC 2 review, an auditor typically wants to see five things, and Qortara is designed to produce each as an export.

  1. **That policies exist.** Export your active policies.
  2. **That policies are enforced.** Export governance records over the audit period showing allow and deny decisions.
  3. **That the record is tamper-evident.** Run a chain integrity verification to show the records have not been altered.
  4. **That scans pass over time.** Export scan history for the framework to show your score trend.
  5. **That monitoring is in place.** Show your webhook configuration and SIEM integration.

The combination of a continuous governance record, periodic scans, and a tamper-evident chain is designed to give an auditor a complete and verifiable picture of governance posture over the period under review.

Export formats

FormatHow you get it
JSONAll API responses are JSON by default.
Structured reportRetrieve a full scan report by its report id.
Governance recordsExport records with pagination over a date range.
Chain verificationRequest an integrity proof over a range of records.

JSON is the native format. If you need a document for a reviewer, your compliance team's reporting tools can render the JSON into their preferred format.

Limits and caveats

  • Compliance evidence and reporting are hosted Cloud Governance and are pre-launch.
  • Evidence can support a compliance program, but it does not guarantee compliance. Your auditor decides whether the control and the evidence satisfy your requirements.
  • Framework mappings describe what Qortara is designed to support. They are not certifications, and they cover only the controls Qortara is positioned to observe, not your entire system.
  • Evidence reflects the activity that actually flowed through Qortara. An action taken outside the governed path leaves no record, so route the activity you need to evidence through Qortara deliberately.

Related concepts

  • [Policy enforcement](/docs/concepts/policy-enforcement) produces the governance records that become evidence.
  • [Saga verification](/docs/concepts/saga-verification) contributes verification outcomes to the record.
  • [Webhooks and events](/docs/concepts/webhooks-events) stream the same activity to your SIEM in real time.