Compliance Reports
The Audit Service generates compliance reports through the ComplianceReportController and ComplianceReportService. These reports aggregate audit data into standardized compliance formats including SOC 2, GDPR, security summaries, and user activity reports. Reports default to a 30-day window when no dates are specified.
SOC 2 Compliance Report
Endpoint: GET /api/v1/audit/reports/tenants/:tenantId/soc2
Generates a SOC 2 compliance report covering security, availability, and confidentiality controls.
| Parameter | Type | Default | Description |
|---|---|---|---|
| startDate | Instant | 30 days ago | Report start date |
| endDate | Instant | now | Report end date |
```bash
curl "http://localhost:8086/api/v1/audit/reports/tenants/550e8400/soc2?startDate=2026-01-01T00:00:00Z" \
  -H "Authorization: Bearer ${TOKEN}"
```
The SOC 2 report includes:
- Compliance score (0-100) based on control effectiveness
- Metrics: total events, security events, data access events
- Incidents: security incidents detected during the period
- Control assessments: status of each SOC 2 control point
GDPR Compliance Report
Endpoint: GET /api/v1/audit/reports/tenants/:tenantId/gdpr
Generates a GDPR compliance report covering data protection and privacy controls.
| Parameter | Type | Default | Description |
|---|---|---|---|
| startDate | Instant | 30 days ago | Report start date |
| endDate | Instant | now | Report end date |
The GDPR report includes:
- Metrics: data access count, data export count, deletion request count
- Consent tracking: consent management compliance status
- Data subject requests: summary of processed GDPR requests
- Data protection controls: encryption, access control assessments
Security Summary Report
Endpoint: GET /api/v1/audit/reports/tenants/:tenantId/security-summary
Generates a security summary covering authentication, access control, and threat indicators.
The security summary includes:
- Authentication stats: successful logins, failed logins, password resets
- Access control stats: permission grants, access denied events
- Security alerts: rate limit violations, suspicious activity
- Top risk indicators: users with most failed logins, most accessed resources
User Activity Report
Endpoint: GET /api/v1/audit/reports/tenants/:tenantId/users/:userId/activity
Generates an activity report for a specific user.
| Parameter | Type | Default | Description |
|---|---|---|---|
| startDate | Instant | 30 days ago | Report start date |
| endDate | Instant | now | Report end date |
Combined Compliance Summary
Endpoint: GET /api/v1/audit/reports/tenants/:tenantId/summary
Generates a combined summary from all compliance report types in a single response.
```bash
curl "http://localhost:8086/api/v1/audit/reports/tenants/550e8400/summary" \
  -H "Authorization: Bearer ${TOKEN}"
```
Response Structure
```json
{
  "tenantId": "550e8400-e29b-41d4-a716-446655440000",
  "startDate": "2026-01-12T00:00:00Z",
  "endDate": "2026-02-12T00:00:00Z",
  "generatedAt": "2026-02-12T10:30:00Z",
  "complianceScore": 87,
  "totalEvents": 45320,
  "securityEvents": 1250,
  "dataAccessEvents": 12400,
  "failedLogins": 45,
  "accessDenied": 12,
  "securityIncidents": 2
}
```
Compliance reports are generated on-demand from the audit event data in PostgreSQL. They are not pre-computed. For large datasets, report generation may take several seconds. Consider caching reports in a frontend application for repeated access.
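A client that caches these reports can pin the reporting window explicitly and check the response before storing it. The following is an added example, not the Audit Service's own code: `report_url` and `check_report` are hypothetical helper names, and it assumes the response structure shown above and that `totalEvents` counts every event in the window.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

# Base URL taken from the page's curl examples.
BASE = "http://localhost:8086/api/v1/audit/reports/tenants"
FMT = "%Y-%m-%dT%H:%M:%SZ"
COUNTS = ("totalEvents", "securityEvents", "dataAccessEvents",
          "failedLogins", "accessDenied", "securityIncidents")

def report_url(tenant_id, report, end, days=30):
    """Build a report URL with an explicit window (end must be a UTC datetime)."""
    start = end - timedelta(days=days)
    query = urlencode({"startDate": start.strftime(FMT), "endDate": end.strftime(FMT)})
    # safe="" percent-encodes "/" so a tenant id cannot change the request path.
    return f"{BASE}/{quote(tenant_id, safe='')}/{report}?{query}"

def check_report(report, tenant_id):
    """Return a list of problems; an empty list means the report is consistent."""
    problems = []
    if report.get("tenantId") != tenant_id:
        problems.append("tenantId does not match the requested tenant")
    try:
        start, end = (datetime.strptime(report[k], FMT) for k in ("startDate", "endDate"))
        if start >= end:
            problems.append("startDate is not before endDate")
    except (KeyError, TypeError, ValueError):
        problems.append("startDate/endDate missing or not ISO-8601 UTC")
    score = report.get("complianceScore")
    if not isinstance(score, int) or not 0 <= score <= 100:
        problems.append("complianceScore outside 0-100")
    bad = [k for k in COUNTS if not isinstance(report.get(k), int) or report[k] < 0]
    problems += [f"{k} missing or negative" for k in bad]
    # Assumption: totalEvents includes the security and data access events.
    if not bad and max(report["securityEvents"], report["dataAccessEvents"]) > report["totalEvents"]:
        problems.append("subset count exceeds totalEvents")
    return problems

# Constructed input: the sample response shown on this page.
SAMPLE = {
    "tenantId": "550e8400-e29b-41d4-a716-446655440000",
    "startDate": "2026-01-12T00:00:00Z", "endDate": "2026-02-12T00:00:00Z",
    "generatedAt": "2026-02-12T10:30:00Z", "complianceScore": 87,
    "totalEvents": 45320, "securityEvents": 1250, "dataAccessEvents": 12400,
    "failedLogins": 45, "accessDenied": 12, "securityIncidents": 2,
}

if __name__ == "__main__":
    print(report_url(SAMPLE["tenantId"], "soc2", datetime(2026, 2, 12, tzinfo=timezone.utc)))
    print(check_report(SAMPLE, SAMPLE["tenantId"]) or "report is consistent")
```

Keying a cache entry on the tenant ID plus the explicit `startDate` and `endDate` keeps a report generated for one tenant or window from being served for another.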