Signed Compliance Reports
A signed compliance report is a single, tamper-evident document that summarizes the security and data residency posture of every service in your organization. It is assembled from live platform records at the moment you request it, then signed so that you (or an auditor) can prove it has not been altered.
Typical uses:
- Answering GDPR and vendor security questionnaires.
- Providing evidence for recurring audits.
- Demonstrating EU data residency for your services.
Requesting a Report
Any member of an organization can request the report:
curl -u user:password \
https://api.foundrydb.com/organizations/{orgId}/compliance-report
The response is a JSON object with two top-level fields, report and signature:
{
"report": {
"organization_id": "org_xxx",
"organization_name": "Acme GmbH",
"generated_at": "2026-06-07T10:15:00Z",
"service_count": 2,
"all_services_eu_residency": true,
"services": [
{
"service_id": "svc_xxx",
"name": "orders-db",
"database_type": "postgresql",
"version": "17",
"status": "running",
"zones": ["de-fra1"],
"region": "europe",
"eu_residency": true,
"storage_region": "de-fra1",
"storage_encrypted": true,
"backup_encryption_enabled": true,
"tls_enabled": true,
"backups": {
"last_completed_at": "2026-06-07T02:00:00Z",
"last_backup_type": "full",
"encryption_enabled": true,
"encryption_algorithm": "AES-256-GCM",
"schedule_enabled": true,
"schedule_cron": "0 2 * * *",
"retention_days": 7
}
}
],
"audit_log": {
"retention_policy": "90 days",
"oldest_entry_at": "2026-03-09T08:00:00Z",
"entry_count": 14823
}
},
"signature": {
"algorithm": "HMAC-SHA256",
"value": "9f2c1a..."
}
}
What the Report Contains
Report
| Field | Meaning |
|---|---|
| organization_id | Identifier of the organization |
| organization_name | Display name of the organization |
| generated_at | Timestamp at which the report was produced |
| service_count | Number of services covered |
| all_services_eu_residency | true when every service resides in the EU |
| services[] | Per-service security and residency details |
| audit_log | Audit log retention and coverage summary |
Each entry in services[] includes service_id, name, database_type, version, status, zones[], region, eu_residency, storage_region, storage_encrypted, backup_encryption_enabled, tls_enabled, and a backups object with last_completed_at, last_backup_type, encryption_enabled, encryption_algorithm, schedule_enabled, schedule_cron, and retention_days.
The audit_log object reports retention_policy, oldest_entry_at, and entry_count.
Signature
| Field | Meaning |
|---|---|
| algorithm | Always HMAC-SHA256 |
| value | Hex-encoded HMAC-SHA256 tag computed over the raw bytes of the report object (see below) |
The signature is computed over the exact raw bytes of the report JSON object as it appears in the response body. To verify it, you must hash those bytes exactly as received, without re-serializing the parsed object (key ordering and whitespace must match the original).
Verifying the Signature
Request your verification key from FoundryDB support, then recompute the HMAC and compare it to the value field using a constant-time comparison:
import hmac
import hashlib

# The raw HTTP response body as bytes (for example response.content from the
# requests library). Keep it exactly as received: do not parse it and
# re-serialize it, because that can change whitespace or key order.
raw = response_bytes

# Extract the exact bytes of the report object: everything between the
# "report": marker and the trailing ,"signature" marker. These fixed markers
# assume a compact body with no whitespace around them; if the body is
# pretty-printed, locate the report object's opening and closing braces instead.
start = raw.index(b'"report":') + len(b'"report":')
end = raw.index(b',"signature"')
report_bytes = raw[start:end]

# Verification key issued by FoundryDB support. Keep it secret: HMAC is a
# symmetric scheme, so anyone holding this key can also produce a valid signature.
verification_key = b"your-verification-key"
expected = hmac.new(verification_key, report_bytes, hashlib.sha256).hexdigest()

# signature.value from the parsed response (hex; compare case-insensitively)
actual = "9f2c1a..."

if hmac.compare_digest(expected, actual.lower()):
    print("Signature valid")
else:
    print("Signature mismatch")
If the comparison succeeds, the report bytes are exactly what a holder of the verification key signed. Two caveats follow from the use of HMAC rather than a public-key signature: the key is symmetric, so anyone who has it can produce a valid signature over arbitrary content, and a reviewer who is given the key must trust the channel it arrived through; and a valid tag proves integrity, not freshness, so check generated_at before accepting an archived report as current evidence.
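A more robust verifier, added here as an example and not FoundryDB's own code: it locates the report object by matching braces instead of fixed markers, so compact and pretty-printed bodies both verify; it checks the algorithm field; and it rejects reports whose generated_at falls outside a freshness window. The sample key, the sample report, the server stand-in (build_signed_body) and the one-hour window are constructed assumptions. The demo also shows that parsing and re-serializing the body invalidates the signature, which is the point the whitespace and key-ordering rule above is making.

```python
"""Verify a signed compliance report from its raw HTTP body.

Added example; not FoundryDB's own code. The response shape (a "report"
object and a "signature" object, HMAC-SHA256 over the raw bytes of the
report object) follows the documentation. The sample key, sample report,
server stand-in and freshness window are constructed here.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMPLE_KEY = b"example-verification-key"       # constructed; the real key comes from support
SAMPLE_NOW = datetime(2026, 6, 7, 10, 30, tzinfo=timezone.utc)
SAMPLE_REPORT = {                              # constructed, shaped like the documented example
    "organization_id": "org_example",
    "organization_name": 'Acme {GmbH} "Ltd"',  # braces and quotes inside a string value
    "generated_at": "2026-06-07T10:15:00Z",
    "service_count": 1,
    "all_services_eu_residency": True,
    "services": [{"service_id": "svc_example", "name": "orders-db",
                  "zones": ["de-fra1"], "tls_enabled": True}],
}


def extract_report_bytes(raw: bytes) -> bytes:
    """Return the exact bytes of the top-level "report" object.

    Walks from the '{' after the "report" key to its matching '}', skipping
    string literals (including escaped quotes), so compact and pretty-printed
    bodies both work and braces inside values cannot confuse it.
    """
    start = raw.index(b"{", raw.index(b'"report"'))
    depth, in_string, i = 0, False, start
    while i < len(raw):
        c = raw[i:i + 1]
        if in_string:
            if c == b"\\":
                i += 1                     # skip the escaped character
            elif c == b'"':
                in_string = False
        elif c == b'"':
            in_string = True
        elif c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return raw[start:i + 1]
        i += 1
    raise ValueError("unterminated report object")


def verify_report(raw: bytes, key: bytes, now: Optional[datetime] = None,
                  max_age: timedelta = timedelta(hours=1)) -> bool:
    """True only if the MAC checks out and the report is fresh.

    A valid MAC proves a key holder signed these bytes; it says nothing about
    when. The freshness window (an assumption) stops a genuine but old report
    from being passed off as current evidence.
    """
    doc = json.loads(raw)
    sig = doc["signature"]
    if sig.get("algorithm") != "HMAC-SHA256":
        return False
    expected = hmac.new(key, extract_report_bytes(raw), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["value"].lower()):
        return False
    generated = datetime.fromisoformat(doc["report"]["generated_at"].replace("Z", "+00:00"))
    age = (now or datetime.now(timezone.utc)) - generated
    return timedelta(0) <= age <= max_age


def build_signed_body(report: dict, key: bytes, pretty: bool = False) -> bytes:
    """Constructed stand-in for the server: MAC the serialized report and embed
    those same bytes verbatim, so the body carries exactly what was signed."""
    report_bytes = (json.dumps(report, indent=2) if pretty
                    else json.dumps(report, separators=(",", ":"))).encode()
    tag = hmac.new(key, report_bytes, hashlib.sha256).hexdigest().encode()
    return (b'{"report":' + report_bytes +
            b',"signature":{"algorithm":"HMAC-SHA256","value":"' + tag + b'"}}')


def demo() -> dict:
    """Run the verifier against good, tampered, re-serialized and stale bodies."""
    compact = build_signed_body(SAMPLE_REPORT, SAMPLE_KEY)
    pretty = build_signed_body(SAMPLE_REPORT, SAMPLE_KEY, pretty=True)
    tampered = compact.replace(b'"all_services_eu_residency":true',
                               b'"all_services_eu_residency":false')
    reserialized = json.dumps(json.loads(compact)).encode()  # parse + dump changes whitespace
    return {
        "compact": verify_report(compact, SAMPLE_KEY, now=SAMPLE_NOW),
        "pretty": verify_report(pretty, SAMPLE_KEY, now=SAMPLE_NOW),
        "wrong_key": verify_report(compact, b"not-the-key", now=SAMPLE_NOW),
        "tampered": verify_report(tampered, SAMPLE_KEY, now=SAMPLE_NOW),
        "reserialized": verify_report(reserialized, SAMPLE_KEY, now=SAMPLE_NOW),
        "stale": verify_report(compact, SAMPLE_KEY, now=SAMPLE_NOW + timedelta(days=1)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} {'valid' if ok else 'rejected'}")
```

Only the compact and pretty cases verify; the wrong key, the flipped residency flag, the re-serialized body and the day-old report are all rejected. When wiring this to a real response, pass the unmodified body bytes (response.content, not response.json()) and load the key from a secret store rather than a literal.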
Dashboard
The organization page includes a Compliance tab that renders the report in a readable layout and offers a one-click download of the signed JSON. The downloaded file contains both the report and the signature, so it can be archived as audit evidence or forwarded to a reviewer for independent verification. Archive and forward the file byte for byte: opening it in a tool that reformats or re-orders the JSON changes the signed bytes and the signature will no longer verify.