Compliance exports generate framework-specific reports from your audit logs and attestation records. Each report includes the data auditors need — formatted for the target framework — so you can respond to compliance requests without manually assembling evidence.

Prerequisites

  • The Compliance Pack add-on must be enabled for your tenant. Contact your account manager or enable it from Settings > Billing > Add-ons in the console.
  • You need the tenant.audit.export permission to create export jobs.

Supported frameworks

| Framework | Report type | What’s included |
| --- | --- | --- |
| SOC 2 | soc2 | Audit logs, access logs, and control mappings (CC1.1, CC2.1, CC6.1, CC6.2) |
| GDPR | gdpr | Data processing activities, attestation records, retention periods, legal basis, and third-party disclosures |
| HIPAA | hipaa | Audit trail, covered entity details, and security control mappings (164.308, 164.312) |

Creating an export

From the console

  1. Go to Settings > Audit in the console sidebar
  2. Click Export
  3. Select a report type (SOC 2, GDPR, or HIPAA)
  4. Choose a date range and output format
  5. Click Generate report
The export runs asynchronously. You receive a notification when the report is ready for download.

Via the API

curl -X POST https://api.truthlocks.com/v1/audit/exports \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "report_type": "soc2",
    "start_date": "2026-01-01T00:00:00Z",
    "end_date": "2026-03-31T23:59:59Z",
    "format": "json"
  }'
Response
{
  "job_id": "job_9y8x7w_vut",
  "status": "PENDING",
  "estimated_completion": "2026-03-29T19:30:00Z"
}

Export formats

| Format | Description |
| --- | --- |
| json | Structured JSON report with full metadata. Available for all frameworks. |
| csv | Tabular format for spreadsheet analysis. Available for all frameworks (SOC 2, GDPR, and HIPAA). |

Export job statuses

Each export job progresses through the following statuses:
| Status | Description |
| --- | --- |
| PENDING | Job queued and waiting to be processed |
| RUNNING | Report generation in progress |
| COMPLETED | Report ready for download |
| FAILED | Generation failed — check the error field for details |
| EXPIRED | Download link has expired. Create a new export. |

Downloading a completed export

Once an export reaches COMPLETED status, download the report:
curl -O https://api.truthlocks.com/v1/audit/exports/{job_id}/download \
  -H "X-API-Key: tl_live_..."
Each download is logged with the requesting user’s ID, IP address, and timestamp for audit purposes.
Export download links expire after the time window configured in your retention policy. Generate a new export if the link has expired.

Report contents

SOC 2

The SOC 2 report includes:
  • Audit entries — every API operation within the date range
  • Access logs — authentication and authorization events
  • Control mappings — evidence mapped to SOC 2 Trust Services Criteria
{
  "report_type": "soc2",
  "tenant_id": "tenant-uuid",
  "generated_at": "2026-03-29T12:00:00Z",
  "period_start": "2026-01-01T00:00:00Z",
  "period_end": "2026-03-31T23:59:59Z",
  "audit_entries": 1284,
  "access_entries": 892,
  "controls": {
    "CC1.1": "Access controls enforced via RBAC",
    "CC2.1": "Audit logging enabled for all operations",
    "CC6.1": "Logical access restrictions documented",
    "CC6.2": "Access reviews performed"
  }
}
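Before handing a downloaded report to an auditor, it is worth checking that it covers what was requested and recording a hash of the exact bytes received. The following is an added example, not Truthlocks code: `check_soc2_report` is a hypothetical helper that assumes the JSON report has the shape of the SOC 2 sample above, and the `generated_at` comparison is a check chosen for this example rather than documented product behaviour.

```python
import hashlib
import json
from datetime import datetime

# Control IDs this page lists for the soc2 report type.
EXPECTED_CONTROLS = {"CC1.1", "CC2.1", "CC6.1", "CC6.2"}


def _ts(value: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamps used in requests and reports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_soc2_report(raw: bytes, request: dict) -> dict:
    """Check a downloaded SOC 2 JSON report against its export request.

    Returns the SHA-256 of the received bytes and a list of problems."""
    report = json.loads(raw)
    problems = []
    if report.get("report_type") != request["report_type"]:
        problems.append("report_type does not match the request")
    # The report must cover the whole requested window, not a subset of it.
    if _ts(report["period_start"]) > _ts(request["start_date"]):
        problems.append("period_start is later than the requested start_date")
    if _ts(report["period_end"]) < _ts(request["end_date"]):
        problems.append("period_end is earlier than the requested end_date")
    # A report generated before the window closed cannot hold all of its events.
    if _ts(report["generated_at"]) < _ts(report["period_end"]):
        problems.append("generated_at precedes period_end")
    missing = EXPECTED_CONTROLS - set(report.get("controls", {}))
    if missing:
        problems.append("missing controls: " + ", ".join(sorted(missing)))
    return {"sha256": hashlib.sha256(raw).hexdigest(), "problems": problems}


# Constructed sample: the request and report values shown on this page,
# with the CC6.2 mapping dropped to exercise the control check.
SAMPLE_REQUEST = {"report_type": "soc2", "start_date": "2026-01-01T00:00:00Z",
                  "end_date": "2026-03-31T23:59:59Z", "format": "json"}
SAMPLE_REPORT = json.dumps({
    "report_type": "soc2", "tenant_id": "tenant-uuid",
    "generated_at": "2026-03-29T12:00:00Z",
    "period_start": "2026-01-01T00:00:00Z",
    "period_end": "2026-03-31T23:59:59Z",
    "audit_entries": 1284, "access_entries": 892,
    "controls": {"CC1.1": "Access controls enforced via RBAC",
                 "CC2.1": "Audit logging enabled for all operations",
                 "CC6.1": "Logical access restrictions documented"},
}).encode()
```

Run against the sample values, the check reports two problems: the report was generated on 2026-03-29 for a period ending 2026-03-31, and the CC6.2 mapping is absent. Store the returned `sha256` alongside the job ID so the file given to the auditor can later be matched to the download that was logged.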

GDPR

The GDPR report provides a data processing activities record:
  • Attestation records — all attestations created, revoked, or superseded
  • Data categories processed during the period
  • Legal basis for processing
  • Retention periods configured for your tenant
  • Third-party disclosures (if any)

HIPAA

The HIPAA report generates an audit trail mapped to the HIPAA Security Rule:
  • Full audit trail of all operations involving protected data
  • Security control evidence mapped to 45 CFR 164.308 and 164.312
  • Covered entity identification
All compliance reports — including HIPAA — can be exported as CSV for integration with existing compliance tooling.

Controlling who can export

Use a BUNDLE_EXPORT issuance policy to restrict which issuers or trust tiers can trigger exports. When a BUNDLE_EXPORT policy denies a request, the export is blocked before any data is gathered.
