PalveronPalveronDocs

Compliance

Read compliance posture, generate Annex IV reports, and verify Flare attestations.

These endpoints expose the compliance engine: framework-by-framework readiness, exportable evidence, and public attestation verification.

Palveron is not itself certified under SOC 2, ISO 27001, ISO 42001, or HIPAA. The platform provides controls, evidence, and reporting so that your project can pursue and maintain those certifications — the framework listings below describe what Palveron supports, not certifications Palveron holds.

GET /api/v1/compliance/dashboard

Returns the current readiness state for every framework that customers can enable on the project — Palveron supports controls for EU AI Act, DORA, NIST AI RMF, GDPR, HIPAA, SOC 2, ISO 27001, ISO 42001, OWASP Agentic, Singapore PDPA, and Colorado AI.

{
  "frameworks": [
    {
      "id": "eu_ai_act",
      "name": "EU AI Act",
      "readiness_pct": 0.87,
      "missing_controls": 2,
      "implemented_controls": 18,
      "enforced_controls": 14
    }
  ],
  "controls": [
    {
      "id": "ctrl.shadow_ai.asset_inventory",
      "status": "enforced",
      "frameworks": ["eu_ai_act", "dora", "nist_ai_rmf"]
    }
  ]
}

Statuses: missing, documented, partial, implemented, enforced. Use enforced to drive your "audit-ready" gauge.

GET /api/v1/compliance/report

GET /api/v1/compliance/report?from=2026-01-01&to=2026-03-31
QueryDefaultValues
from— (optional)ISO 8601 date (e.g. 2026-01-01) — start of the trace date range
to— (optional)ISO 8601 date — end of the trace date range

Generates the full compliance evidence report as a PDF (application/pdf, download attachment). The report always covers all frameworks active on the project and includes: project metadata, the compliance score with its per-dimension breakdown (same calculation as the dashboard), trace statistics, agent inventory, policy catalogue, recent traces, Flare anchoring configuration, the project's resolved data-retention posture, and the NGE analysis architecture. from/to scope the trace statistics; omitting both produces an all-time report.

Invalid from/to values return 400 with {"error": "Invalid date filter", "detail": "..."} — date filters are never silently dropped.

Requires the compliance_report_pdf entitlement; unentitled tiers receive 403 with {"error": "feature_not_entitled"}.

POST /api/v1/verify-proof

Public endpoint — no authentication required. Given a trace ID or integrity hash, returns its Flare anchor proof and the verification result.

{
  "trace_id": "cktrace...",
  "integrity_hash": "sha256:...",
  "flare_tx_hash": "0x...",
  "merkle_proof": ["0x...", "0x..."],
  "verified": true,
  "network": "flare_mainnet"
}

Use this to let external auditors independently confirm a governance decision against the blockchain without an account on your project.

POST /api/v1/compliance/incidents

Report a compliance incident (EU AI Act Art. 73 — serious incident reporting).

{
  "title": "Biased output in HR screening",
  "description": "Agent produced biased output in HR screening.",
  "severity": "HIGH",
  "incident_type": "fundamental_rights",
  "agent_id": "ckagent...",
  "affected_users": 12,
  "immediate_action": "Agent paused pending review."
}
FieldRequiredDescription
titleShort incident title
descriptionWhat happened
severitye.g. HIGH
incident_typeFree-form category (e.g. fundamental_rights)
ai_system_idRelated registered AI system
agent_idRelated agent
affected_usersNumber of affected persons
immediate_actionMitigation already taken

The endpoint creates an incident record; incidents are part of the mandatory Flare attestation events. Use GET /api/v1/compliance/incidents to list incidents (filters: status, severity, limit, offset).

On this page