Generate compliance reports for SOC 2, HIPAA, and similar

Surfaces used: dashboard compliance reports + audit retention
Modes supported: Hosted, Hybrid
Tiers: Solo (basic), Teams (full retention + export)

What you'll do

Configure retention, pick a report template (SOC 2 CC-style, HIPAA-style, or custom), set a date range, and generate a packaged report containing the activity summary, policy inventory, incident log, and raw audit export. Hand it to your auditor.

Why this is the right path for you

  • If an auditor has asked "how do you control AI use of customer data?" and you need a document, not a conversation, this is the fastest path.
  • Works only if your enforcement surfaces are actually in place and writing audit events. Governance without data is not a report.
  • If you do not yet have enforcement deployed, start there: gateway, browser extension, coding hooks, or an SDK.

When NOT to use this approach

caution

If you need a SOC 2 Type II report of Control Zero itself (the product), that is a separate artifact. Contact us. This use case is about generating a report of your AI activity, governed by Control Zero.

5-minute setup

  1. Dashboard -> Settings -> Retention. Set your retention window:
    • Solo: 30 days default, configurable up to 90.
    • Teams: 90 days default, configurable up to 365. Longer on request.
  2. Dashboard -> Compliance -> New report. Pick:
    • Template: SOC 2-style, HIPAA-style, or Custom.
    • Date range.
    • Scope: all projects or selected.
  3. Click Generate. The report builds in seconds to minutes depending on volume, and produces:
    • A signed PDF summary (controls, counts, top rules, top denies, top users).
    • A CSV of every audit event in the range.
    • A JSON manifest with a hash of each artifact for tamper-evidence.
  4. Click Download or Share via signed link to hand to your auditor.

Verifying it's working

  1. Open the generated PDF. The summary page should list:
    • Total requests governed in the window.
    • Breakdown by surface (gateway, hooks, extension, SDK).
    • Policy inventory with publish dates.
    • Top-10 deny reasons.
    • Incident log (any tamper alerts, quarantine events).
  2. Spot-check the CSV: the row count should match the total requests in the summary.

  3. Verify the manifest hash:

    sha256sum compliance-report-2026-Q2.pdf
    # Compare to the hash printed in the manifest.json
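The three verification steps above can be scripted so that the check is repeatable each quarter instead of comparing hashes by eye. The following is an added example, not Control Zero's own code, and it assumes a manifest layout the page does not document: `manifest.json` holding a `range` (start/end timestamps), a `summary.total_requests` count, and an `artifacts` list of `{"file", "sha256"}` entries, with the CSV carrying an ISO-8601 `timestamp` column. It recomputes every artifact's SHA-256 against the manifest, counts CSV rows against the summary total, and additionally flags events whose timestamps fall outside the declared date range. `build_sample_bundle` writes a constructed sample bundle so the script runs offline; the `tamper=True` variant edits the PDF after the manifest was written to show what a mismatch looks like.

```python
"""Offline checks for a downloaded compliance bundle (added example).

Assumed manifest.json layout (not from the product docs):
  {"range": {"start": ISO8601, "end": ISO8601},
   "summary": {"total_requests": N},
   "artifacts": [{"file": "<name>", "sha256": "<hex>"}, ...]}
"""
import csv
import hashlib
import json
import os
import tempfile
from datetime import datetime

MANIFEST = "manifest.json"


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256; yields the same hex digest sha256sum prints."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def load_manifest(bundle_dir):
    with open(os.path.join(bundle_dir, MANIFEST), encoding="utf-8") as fh:
        return json.load(fh)


def verify_manifest(bundle_dir):
    """Map each artifact named in the manifest to 'ok', 'hash mismatch' or 'missing'."""
    results = {}
    for entry in load_manifest(bundle_dir)["artifacts"]:
        path = os.path.join(bundle_dir, entry["file"])
        if not os.path.isfile(path):
            results[entry["file"]] = "missing"
        elif sha256_file(path) == entry["sha256"].lower():
            results[entry["file"]] = "ok"
        else:
            results[entry["file"]] = "hash mismatch"
    return results


def spot_check_csv(bundle_dir, csv_name="audit-events.csv"):
    """Cross-check the raw export against the summary: row count and date range."""
    manifest = load_manifest(bundle_dir)
    start = datetime.fromisoformat(manifest["range"]["start"])
    end = datetime.fromisoformat(manifest["range"]["end"])
    rows = out_of_range = 0
    with open(os.path.join(bundle_dir, csv_name), newline="", encoding="utf-8") as fh:
        for row in csv.DictReader(fh):
            rows += 1
            if not start <= datetime.fromisoformat(row["timestamp"]) <= end:
                out_of_range += 1
    return {
        "rows": rows,
        "count_matches_summary": rows == manifest["summary"]["total_requests"],
        "events_outside_range": out_of_range,
    }


def build_sample_bundle(tamper=False):
    """Write a constructed sample bundle to a temp dir and return its path.

    tamper=True appends to the PDF after manifest.json is sealed, which is
    exactly the condition the hash comparison exists to catch.
    """
    bundle_dir = tempfile.mkdtemp(prefix="cz-report-")
    pdf_path = os.path.join(bundle_dir, "summary.pdf")
    csv_path = os.path.join(bundle_dir, "audit-events.csv")
    with open(pdf_path, "wb") as fh:  # stand-in bytes for the signed PDF
        fh.write(b"%PDF-1.7\n% constructed sample summary\n")
    # Three constructed audit events; the third is dated after the declared range.
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["timestamp", "surface", "decision", "rule"])
        writer.writerow(["2026-04-02T09:15:00+00:00", "gateway", "allow", "-"])
        writer.writerow(["2026-05-20T14:02:00+00:00", "extension", "deny", "pii-block"])
        writer.writerow(["2026-07-01T00:00:01+00:00", "hooks", "allow", "-"])
    manifest = {
        "range": {"start": "2026-04-01T00:00:00+00:00", "end": "2026-06-30T23:59:59+00:00"},
        "summary": {"total_requests": 3},
        "artifacts": [
            {"file": "summary.pdf", "sha256": sha256_file(pdf_path)},
            {"file": "audit-events.csv", "sha256": sha256_file(csv_path)},
        ],
    }
    with open(os.path.join(bundle_dir, MANIFEST), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    if tamper:
        with open(pdf_path, "ab") as fh:
            fh.write(b"% edited after the manifest was sealed\n")
    return bundle_dir


if __name__ == "__main__":
    for tampered in (False, True):
        bundle = build_sample_bundle(tamper=tampered)
        print("tampered" if tampered else "clean", verify_manifest(bundle), spot_check_csv(bundle))
```

Point the two check functions at the directory you downloaded from the dashboard (after adjusting the manifest keys to whatever the real file contains); a row count that matches but a non-zero `events_outside_range` is worth raising with the auditor, since the PDF summary alone would not reveal it.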

Common follow-ups

  • "I need longer retention" -> Contact us for extended retention on Teams.
  • "I need to export events to my SIEM" -> See Alert channels, which includes webhook shipping.
  • "I want a dashboard of ongoing posture" -> Analytics, Coverage.
  • "I need self-hosted retention" -> Self-Hosted.

Reference