Compliance
Read compliance posture, generate Annex IV reports, and verify Flare attestations.
These endpoints expose the compliance engine: framework-by-framework readiness, exportable evidence, and public attestation verification.
Palveron is not itself certified under SOC 2, ISO 27001, ISO 42001, or HIPAA. The platform provides controls, evidence, and reporting so that your project can pursue and maintain those certifications — the framework listings below describe what Palveron supports, not certifications Palveron holds.
GET /api/v1/compliance/dashboard
Returns the current readiness state for every framework that customers can enable on the project — Palveron supports controls for EU AI Act, DORA, NIST AI RMF, GDPR, HIPAA, SOC 2, ISO 27001, ISO 42001, OWASP Agentic, Singapore PDPA, and Colorado AI.
{
"frameworks": [
{
"id": "eu_ai_act",
"name": "EU AI Act",
"readiness_pct": 0.87,
"missing_controls": 2,
"implemented_controls": 18,
"enforced_controls": 14
}
],
"controls": [
{
"id": "ctrl.shadow_ai.asset_inventory",
"status": "enforced",
"frameworks": ["eu_ai_act", "dora", "nist_ai_rmf"]
}
]
}Statuses: missing, documented, partial, implemented, enforced. Use enforced to drive your "audit-ready" gauge.
GET /api/v1/compliance/report
GET /api/v1/compliance/report?from=2026-01-01&to=2026-03-31| Query | Default | Values |
|---|---|---|
from | — (optional) | ISO 8601 date (e.g. 2026-01-01) — start of the trace date range |
to | — (optional) | ISO 8601 date — end of the trace date range |
Generates the full compliance evidence report as a PDF (application/pdf, download attachment). The report always covers all frameworks active on the project and includes: project metadata, the compliance score with its per-dimension breakdown (same calculation as the dashboard), trace statistics, agent inventory, policy catalogue, recent traces, Flare anchoring configuration, the project's resolved data-retention posture, and the NGE analysis architecture. from/to scope the trace statistics; omitting both produces an all-time report.
Invalid from/to values return 400 with {"error": "Invalid date filter", "detail": "..."} — date filters are never silently dropped.
Requires the compliance_report_pdf entitlement; unentitled tiers receive 403 with {"error": "feature_not_entitled"}.
POST /api/v1/verify-proof
Public endpoint — no authentication required. Given a trace ID or integrity hash, returns its Flare anchor proof and the verification result.
{
"trace_id": "cktrace...",
"integrity_hash": "sha256:...",
"flare_tx_hash": "0x...",
"merkle_proof": ["0x...", "0x..."],
"verified": true,
"network": "flare_mainnet"
}Use this to let external auditors independently confirm a governance decision against the blockchain without an account on your project.
POST /api/v1/compliance/incidents
Report a compliance incident (EU AI Act Art. 73 — serious incident reporting).
{
"title": "Biased output in HR screening",
"description": "Agent produced biased output in HR screening.",
"severity": "HIGH",
"incident_type": "fundamental_rights",
"agent_id": "ckagent...",
"affected_users": 12,
"immediate_action": "Agent paused pending review."
}| Field | Required | Description |
|---|---|---|
title | ✅ | Short incident title |
description | ✅ | What happened |
severity | — | e.g. HIGH |
incident_type | — | Free-form category (e.g. fundamental_rights) |
ai_system_id | — | Related registered AI system |
agent_id | — | Related agent |
affected_users | — | Number of affected persons |
immediate_action | — | Mitigation already taken |
The endpoint creates an incident record; incidents are part of the mandatory Flare attestation events. Use GET /api/v1/compliance/incidents to list incidents (filters: status, severity, limit, offset).