Compliance Reports

FoundryDB can generate cryptographically signed compliance evidence packets for your organization. A packet is a structured JSON document containing per-control assertions drawn from live platform records: service zones, encryption flags, TLS status, backup schedules, and audit log coverage. Packets are signed with an Ed25519 key so an auditor can verify authenticity without contacting FoundryDB.

For GDPR data residency posture and a quick overview, see Signed Compliance Reports. This page covers the full evidence packet system: frameworks, subscriptions, generation, verification, and PDF download.

Supported Frameworks

| Framework | Identifier | What it attests |
| --- | --- | --- |
| SOC 2 Type II | soc2 | Control assertions for access control, availability, confidentiality, processing integrity, and privacy |
| GDPR Art. 30 ROPA | gdpr_ropa | Record of Processing Activities for data hosted on behalf of your organization |
| DORA | dora | ICT register and operational resilience evidence under the Digital Operational Resilience Act |
| EU AI Act | eu_ai_act | Infrastructure obligations for organizations using the platform for high-risk AI system infrastructure |

Subscriptions

Each framework is a paid monthly add-on. Generating a packet returns 402 until the organization is subscribed.

Listing Subscription Status

curl -u user:password \
https://api.foundrydb.com/organizations/{orgId}/compliance-subscriptions

Returns all four frameworks with their enabled status, monthly price in EUR, and subscription timestamps.

Subscribing to a Framework

Requires owner or admin role:

curl -u user:password -X PUT \
https://api.foundrydb.com/organizations/{orgId}/compliance-subscriptions/soc2

Unsubscribing

Existing packets remain available after cancellation. New generation is blocked until the subscription is reinstated.

curl -u user:password -X DELETE \
https://api.foundrydb.com/organizations/{orgId}/compliance-subscriptions/soc2

Generating a Packet

Any member of the organization can trigger generation. The platform assembles the packet from current records, signs it, persists it, and returns the full signed packet inline.

curl -u user:password -X POST \
https://api.foundrydb.com/organizations/{orgId}/compliance-reports \
-H "Content-Type: application/json" \
-d '{ "framework": "soc2" }'

A 201 Created response contains:

{
"report_id": "r1000000-0000-0000-0000-000000000001",
"packet": {
"schema_version": "1.0",
"framework": "soc2",
"generated_at": "2026-06-22T10:00:00Z",
"period_start": "2026-05-22T10:00:00Z",
"period_end": "2026-06-22T10:00:00Z",
"organization": {
"id": "o1000000-0000-0000-0000-000000000001",
"name": "Acme Engineering",
"billing_email": "billing@acme.com"
},
"scope_boundary": "All managed database services operated by the platform on behalf of the organization.",
"controls": [
{
"control_id": "CC6.1",
"title": "Logical and Physical Access Controls",
"assertion": "All database connections require TLS and authenticated credentials.",
"status": "attested",
"evidence_refs": ["services[*].tls_enabled", "services[*].storage_encrypted"]
}
],
"summary": {
"service_count": 3,
"all_services_eu_residency": true,
"audit_log": {
"retention_policy": "indefinite",
"oldest_entry_at": "2026-03-01T08:00:00Z",
"entry_count": 14823
}
}
},
"signature": {
"algorithm": "Ed25519",
"key_id": "key-2026-01",
"value": "MEUCIQDexampleSignatureBase64==",
"canonical_sha256": "a3f1b2c4d5e6f7081920a1b2c3d4e5f607080910..."
}
}

A 503 response means the platform's signing key is not configured. Contact support if you see this on production.

Listing Past Packets

curl -u user:password \
https://api.foundrydb.com/organizations/{orgId}/compliance-reports

Returns packet records ordered most-recent first. Each record shows the report_id, framework, schema version, assessment period, generation timestamp, signing key ID, status (complete or failed), and whether a PDF rendition is available.

Downloading a Packet

JSON

curl -u user:password \
https://api.foundrydb.com/organizations/{orgId}/compliance-reports/{reportId}

Returns the full packet and signature fields, identical to the generation response. Archive this file as your audit evidence; archiving the well-known key list alongside it lets the packet be re-verified later without depending on the endpoint.

PDF

curl -u user:password \
https://api.foundrydb.com/organizations/{orgId}/compliance-reports/{reportId}/pdf \
-o compliance-report.pdf

The PDF is generated from the same signed data. The cover page includes the signature metadata so an auditor can cross-check it against the JSON.

Verifying a Packet

The platform publishes its current and retired Ed25519 public keys at a well-known endpoint. No authentication is required:

curl https://api.foundrydb.com/.well-known/compliance-signing-keys

{
"algorithm": "Ed25519",
"keys": [
{
"key_id": "key-2026-01",
"algorithm": "Ed25519",
"public_key": "MCowBQYDK2VdAyEA...",
"active": true,
"retired_at": null
}
]
}

To verify a packet independently:

  1. Locate the key entry whose key_id matches signature.key_id in the packet. If no entry matches, stop: the packet cannot be verified. key_id is an unsigned lookup hint, not evidence of anything by itself.
  2. Decode the public_key. The endpoint is described as serving the raw 32 Ed25519 key bytes, base64-encoded; if decoding yields 44 bytes instead (base64 beginning MCowBQYDK2VwAyEA), the key is wrapped in a DER SubjectPublicKeyInfo structure and must be loaded as DER.
  3. Recompute the SHA-256 of the canonical JSON bytes of the packet object. The result must match signature.canonical_sha256. This page does not define the canonical form, so a mismatch here means your serialization differs from the platform's; resolve that before treating a signature failure as tampering. Because canonical_sha256 sits outside the signed bytes, it is a serialization cross-check, not authentication.
  4. Verify signature.value (base64-encoded 64-byte Ed25519 signature) over those same canonical bytes with the public key. Only this step authenticates the packet.

import base64
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

# report: the parsed generation or download response (packet + signature).
# keys: the parsed well-known key list.
# The canonical JSON form is not specified on this page; sorted keys with no
# whitespace is assumed here, and the canonical_sha256 cross-check tells you
# whether that assumption matches the platform's serialization.
def verify_packet(report, keys):
    signature = report["signature"]
    key_entry = next((k for k in keys["keys"] if k["key_id"] == signature["key_id"]), None)
    if key_entry is None:
        raise ValueError("signing key %s is not in the well-known list" % signature["key_id"])

    packet_bytes = json.dumps(report["packet"], sort_keys=True,
                              separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    if hashlib.sha256(packet_bytes).hexdigest() != signature["canonical_sha256"]:
        raise ValueError("canonical form mismatch: fix serialization before suspecting tampering")

    raw = base64.b64decode(key_entry["public_key"])
    if len(raw) == 32:                      # raw key bytes, as described in step 2
        pub_key = Ed25519PublicKey.from_public_bytes(raw)
    else:                                   # 44 bytes: DER SubjectPublicKeyInfo wrapper
        pub_key = serialization.load_der_public_key(raw)

    try:
        pub_key.verify(base64.b64decode(signature["value"]), packet_bytes)
    except InvalidSignature:
        raise ValueError("signature does not verify: packet altered or signed by a different key")
    print("Packet is authentic")

Retired keys remain in the well-known endpoint indefinitely so packets signed before a rotation remain verifiable. Note what the signature does and does not cover: only the packet object is signed, so report_id and the signature metadata (including key_id) are not authenticated, and a report whose key_id is absent from the list must be treated as unverified rather than matched against any other key. The key list is the trust anchor; fetch it over TLS from the well-known URL (or use a copy archived with the packet), never from keys carried inside the report itself.
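The procedure above, exercised end to end against locally generated keys. This is an added example, not FoundryDB code: the canonical JSON form (sorted keys, no whitespace, UTF-8) is an assumption, and the keys, key IDs, packet and reports are constructed here. The well-known list carries one raw-encoded and one DER-encoded key so both forms are loaded, and the scenarios show which check catches which failure: an edited packet whose canonical_sha256 the attacker recomputed passes the hash check and fails only on the signature, because the hash lives outside the signed bytes.

```python
import base64
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

# Assumed canonical form (this page does not define it): sorted keys, no
# whitespace, UTF-8. A real verifier must match whatever FoundryDB uses.
def canonical_bytes(packet: dict) -> bytes:
    return json.dumps(packet, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def make_key_entry(key_id: str, priv: Ed25519PrivateKey, active: bool, retired_at, der: bool) -> dict:
    """One entry of the well-known key list; der=True wraps the key in
    SubjectPublicKeyInfo instead of publishing the raw 32 bytes."""
    pub = priv.public_key()
    raw = (pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
           if der else pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw))
    return {"key_id": key_id, "algorithm": "Ed25519", "public_key": base64.b64encode(raw).decode(),
            "active": active, "retired_at": retired_at}

def sign_packet(packet: dict, key_id: str, priv: Ed25519PrivateKey, data: bytes = None) -> dict:
    """Platform side: signature object in the shape of the generation response.
    `data` overrides the canonical bytes to simulate a signer that serializes differently."""
    data = canonical_bytes(packet) if data is None else data
    return {"algorithm": "Ed25519", "key_id": key_id,
            "value": base64.b64encode(priv.sign(data)).decode(),
            "canonical_sha256": hashlib.sha256(data).hexdigest()}

def load_public_key(entry: dict) -> Ed25519PublicKey:
    raw = base64.b64decode(entry["public_key"])
    if len(raw) == 32:                                      # raw key bytes
        return Ed25519PublicKey.from_public_bytes(raw)
    key = serialization.load_der_public_key(raw)            # 44-byte SPKI form
    if not isinstance(key, Ed25519PublicKey):
        raise ValueError("well-known key is not Ed25519")
    return key

def verify_report(report: dict, well_known: dict) -> str:
    """Auditor side: 'ok', or the name of the step that failed."""
    sig = report["signature"]
    entry = next((k for k in well_known["keys"] if k["key_id"] == sig["key_id"]), None)
    if entry is None:
        return "unknown key_id"
    data = canonical_bytes(report["packet"])
    if hashlib.sha256(data).hexdigest() != sig["canonical_sha256"]:
        return "canonical form mismatch"    # our serialization differs from the signer's
    try:
        load_public_key(entry).verify(base64.b64decode(sig["value"]), data)
    except InvalidSignature:
        return "bad signature"
    return "ok"

# Constructed sample data: a retired key (raw encoding), an active key (SPKI
# encoding), and a packet shaped like the generation response on this page.
RETIRED_KEY = Ed25519PrivateKey.generate()
ACTIVE_KEY = Ed25519PrivateKey.generate()
WELL_KNOWN = {"algorithm": "Ed25519", "keys": [
    make_key_entry("key-2025-07", RETIRED_KEY, False, "2026-01-01T00:00:00Z", der=False),
    make_key_entry("key-2026-01", ACTIVE_KEY, True, None, der=True),
]}
PACKET = {"schema_version": "1.0", "framework": "soc2", "generated_at": "2026-06-22T10:00:00Z",
          "organization": {"id": "o1000000-0000-0000-0000-000000000001", "name": "Acme Engineering"},
          "controls": [{"control_id": "CC6.1", "status": "attested"}],
          "summary": {"service_count": 3, "all_services_eu_residency": True}}

def report(packet: dict, key_id: str, priv: Ed25519PrivateKey, data: bytes = None) -> dict:
    return {"report_id": "r1", "packet": packet, "signature": sign_packet(packet, key_id, priv, data)}

def scenarios() -> dict:
    """Good, retired-key, tampered, forged, unknown-key and mis-serialized reports."""
    tampered = json.loads(json.dumps(report(PACKET, "key-2026-01", ACTIVE_KEY)))
    tampered["packet"]["summary"]["all_services_eu_residency"] = False
    # canonical_sha256 is outside the signed packet, so an attacker can recompute it;
    # only the Ed25519 check is authentication.
    tampered["signature"]["canonical_sha256"] = hashlib.sha256(canonical_bytes(tampered["packet"])).hexdigest()
    return {
        "current":       verify_report(report(PACKET, "key-2026-01", ACTIVE_KEY), WELL_KNOWN),
        "retired_key":   verify_report(report(PACKET, "key-2025-07", RETIRED_KEY), WELL_KNOWN),
        "tampered":      verify_report(tampered, WELL_KNOWN),
        "forged":        verify_report(report(PACKET, "key-2026-01", Ed25519PrivateKey.generate()), WELL_KNOWN),
        "unknown_key":   verify_report(report(PACKET, "key-2099-01", ACTIVE_KEY), WELL_KNOWN),
        "misserialized": verify_report(report(PACKET, "key-2026-01", ACTIVE_KEY, json.dumps(PACKET).encode()), WELL_KNOWN),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The misserialized case is the one to understand before going to an auditor: the signer used Python's default json.dumps spacing, the verifier used the compact form, and the result is a hash mismatch with no tampering at all. The hash check exists to surface exactly that, which is why it runs before the signature check and why its failure is reported separately.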

Legacy Compliance Report (Quick Posture Summary)

The GET /organizations/{orgId}/compliance-report endpoint (singular, no s) returns a simpler, HMAC-SHA256-signed summary of the organization's current posture: EU residency per service, encryption status, backup coverage, and audit log stats. It does not require a subscription and is available to any member. See Signed Compliance Reports for full details on that response and how to verify the HMAC signature.

The evidence packet endpoints (/compliance-reports, plural) are the newer, auditor-grade artifacts with per-control structure, framework targeting, and Ed25519 signing.

Dashboard

The organization's Compliance tab lets you:

  • View and manage framework subscriptions.
  • Generate new packets with a single click.
  • Download past packets as JSON or PDF.
  • See the current posture summary (the quick report).