> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance exports

> Export audit data in SOC 2, GDPR, and HIPAA formats for regulatory reporting and evidence collection.

Compliance exports generate framework-specific reports from your audit logs and attestation records. Each report includes the data auditors need — formatted for the target framework — so you can respond to compliance requests without manually assembling evidence.

## Prerequisites

* The **Compliance Pack** add-on must be enabled for your tenant. Contact your account manager or enable it from **Settings > Billing > Add-ons** in the console.
* You need the `tenant.audit.export` permission to create export jobs.

## Supported frameworks

| Framework | Report type | What's included                                                                                              |
| --------- | ----------- | ------------------------------------------------------------------------------------------------------------ |
| SOC 2     | `soc2`      | Audit logs, access logs, and control mappings (CC1.1, CC2.1, CC6.1, CC6.2)                                   |
| GDPR      | `gdpr`      | Data processing activities, attestation records, retention periods, legal basis, and third-party disclosures |
| HIPAA     | `hipaa`     | Audit trail, covered entity details, and security control mappings (164.308, 164.312)                        |

## Creating an export

### From the console

1. Go to **Settings > Audit** in the console sidebar
2. Click **Export**
3. Select a report type (`SOC 2`, `GDPR`, or `HIPAA`)
4. Choose a date range and output format
5. Click **Generate report**

The export runs asynchronously. You receive a notification when the report is ready for download.

### Via the API

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/audit/exports \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "report_type": "soc2",
    "start_date": "2026-01-01T00:00:00Z",
    "end_date": "2026-03-31T23:59:59Z",
    "format": "json"
  }'
```

```json Response theme={null}
{
  "job_id": "job_9y8x7w_vut",
  "status": "PENDING",
  "estimated_completion": "2026-03-29T19:30:00Z"
}
```

## Export formats

| Format | Description                                                                                     |
| ------ | ----------------------------------------------------------------------------------------------- |
| `json` | Structured JSON report with full metadata. Available for all frameworks.                        |
| `csv`  | Tabular format for spreadsheet analysis. Available for all frameworks (SOC 2, GDPR, and HIPAA). |

## Export job statuses

Each export job progresses through the following statuses:

| Status      | Description                                             |
| ----------- | ------------------------------------------------------- |
| `PENDING`   | Job queued and waiting to be processed                  |
| `RUNNING`   | Report generation in progress                           |
| `COMPLETED` | Report ready for download                               |
| `FAILED`    | Generation failed — check the `error` field for details |
| `EXPIRED`   | Download link has expired. Create a new export.         |

## Downloading a completed export

Once an export reaches `COMPLETED` status, download the report:

```bash theme={null}
curl -O https://api.truthlocks.com/v1/audit/exports/{job_id}/download \
  -H "X-API-Key: tl_live_..."
```

Each download is logged with the requesting user's ID, IP address, and timestamp for audit purposes.

<Warning>
  Export download links expire after the time window configured in your retention policy. Generate a new export if the link has expired.
</Warning>

## Report contents

### SOC 2

The SOC 2 report includes:

* **Audit entries** — every API operation within the date range
* **Access logs** — authentication and authorization events
* **Control mappings** — evidence mapped to SOC 2 Trust Services Criteria

```json theme={null}
{
  "report_type": "soc2",
  "tenant_id": "tenant-uuid",
  "generated_at": "2026-03-29T12:00:00Z",
  "period_start": "2026-01-01T00:00:00Z",
  "period_end": "2026-03-31T23:59:59Z",
  "audit_entries": 1284,
  "access_entries": 892,
  "controls": {
    "CC1.1": "Access controls enforced via RBAC",
    "CC2.1": "Audit logging enabled for all operations",
    "CC6.1": "Logical access restrictions documented",
    "CC6.2": "Access reviews performed"
  }
}
```

### GDPR

The GDPR report provides a data processing activities record:

* **Attestation records** — all attestations created, revoked, or superseded
* **Data categories** processed during the period
* **Legal basis** for processing
* **Retention periods** configured for your tenant
* **Third-party disclosures** (if any)

### HIPAA

The HIPAA report generates an audit trail mapped to the HIPAA Security Rule:

* **Full audit trail** of all operations involving protected data
* **Security control evidence** mapped to 45 CFR 164.308 and 164.312
* **Covered entity** identification

All compliance reports — including HIPAA — can be exported as CSV for integration with existing compliance tooling.

## Controlling who can export

Use a `BUNDLE_EXPORT` [issuance policy](/guides/issuance-policies#export-control-policies) to restrict which issuers or trust tiers can trigger exports. When a `BUNDLE_EXPORT` policy denies a request, the export is blocked before any data is gathered.

## Related

<CardGroup cols={2}>
  <Card title="Audit logs" icon="scroll" href="/security/audit">
    Configure retention, query events, and integrate with your SIEM.
  </Card>

  <Card title="Issuance policies" icon="shield-check" href="/guides/issuance-policies">
    Define rules that control minting, verification, and export requests.
  </Card>
</CardGroup>