Compliance & Trust

SOC 2 posture, audit trail, governance, and the runbooks that operate them

SOC 2 Ready
Tamper-evident audit
Envelope-encrypted
Continuous evaluation. Signed evidence. Auditable lifecycle.
NexusRAG ships compliance as automation rather than as paperwork. A SOC 2 control catalog runs under continuous evaluation, evidence bundles are persisted and signed, and every privileged action lands in a tamper-evident audit log. The runbook library below is the operational counterpart: each procedure has a deterministic execution path, and most are exercised in CI rather than stashed in a wiki.
SOC 2 control catalog
ongoing
Continuous evaluation engine over a SOC 2 control catalog. Snapshots persist evidence under var/evidence with signed bundles.
  • Continuous evaluation engine
  • Signed evidence bundles with verification
  • Persisted artifact paths in artifact_paths_json
  • Compliance ops posture endpoint + scheduling tasks
Endpoint: POST /v1/admin/compliance/snapshots. Feature flag: COMPLIANCE_ENABLED.
Audit log
shipped
Tamper-evident audit log persisted in audit_events. Auth, security, and data mutation events recorded with metadata redaction.
  • Central audit service across the API surface
  • Admin-only audit query endpoints (tenant-scoped)
  • Metadata redaction policy for sensitive fields
  • Retention proof workflows + 24h ops summaries
Feature flag: always on.
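To make "tamper-evident" concrete, here is an added illustration of the technique (hash-chained events with redaction applied before hashing); this is example code, not NexusRAG's audit service, and the REDACTED_FIELDS policy, the event shape and the sample events are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Hypothetical redaction policy: values under these metadata keys are never persisted in clear.
REDACTED_FIELDS = {"api_key", "authorization", "password", "email"}
GENESIS_HASH = "0" * 64


def redact(metadata: Dict[str, Any]) -> Dict[str, Any]:
    """Replace sensitive metadata values before the event is hashed and stored."""
    return {k: ("[REDACTED]" if k.lower() in REDACTED_FIELDS else v) for k, v in metadata.items()}


def canonical(obj: Dict[str, Any]) -> bytes:
    # Fixed key order and separators so every verifier hashes byte-identical input.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditLog:
    """Append-only event list where each event commits to the hash of its predecessor."""
    events: List[Dict[str, Any]] = field(default_factory=list)

    def append(self, tenant_id: str, actor: str, action: str, metadata: Dict[str, Any]) -> Dict[str, Any]:
        prev_hash = self.events[-1]["hash"] if self.events else GENESIS_HASH
        event = {
            "seq": len(self.events),
            "tenant_id": tenant_id,
            "actor": actor,
            "action": action,
            "metadata": redact(metadata),  # redaction first, so the stored form is the hashed form
            "prev_hash": prev_hash,
        }
        event["hash"] = hashlib.sha256(canonical(event)).hexdigest()
        self.events.append(event)
        return event

    def verify(self) -> int:
        """Return the seq of the first event that breaks the chain, or -1 if it is intact."""
        prev_hash = GENESIS_HASH
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["seq"] != i or ev["prev_hash"] != prev_hash:
                return i  # an event was removed, inserted or reordered
            if hashlib.sha256(canonical(body)).hexdigest() != ev["hash"]:
                return i  # an event's content was edited in place
            prev_hash = ev["hash"]
        return -1


def demo() -> Tuple[int, int, int]:
    """Constructed events; returns verify() when intact, after an in-place edit, after a deletion."""
    log = AuditLog()
    log.append("tenant-a", "alice", "auth.login", {"ip": "10.0.0.5", "api_key": "nxr_live_secret"})
    log.append("tenant-a", "alice", "doc.delete", {"doc_id": "d-42"})
    log.append("tenant-a", "bob", "apikey.revoke", {"key_id": "k-7"})
    intact = log.verify()
    log.events[1]["action"] = "doc.read"    # attacker rewrites a stored event
    edited = log.verify()
    log.events[1]["action"] = "doc.delete"  # restore it, then remove a middle event instead
    del log.events[1]
    deleted = log.verify()
    return intact, edited, deleted
```

One caveat the chain alone does not cover: truncating the tail (dropping the newest events) still verifies, because nothing inside the log commits to its own length. That is why the latest hash has to be exported somewhere the log's writer cannot rewrite, which is the role a signed evidence bundle or retention proof plays.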
DSAR + data governance
shipped
Data subject access requests with auditable lifecycle. Retention pipeline supports legal hold supersession and anonymize/hard-delete.
  • Export, delete, anonymize APIs with artifact generation
  • Retention runs persisted with proof exports
  • Legal hold supersession on the retention pipeline
  • Policy-as-code engine for deterministic rule evaluation
Endpoint: POST /v1/admin/governance/retention/run. Feature flag: GOVERNANCE_POLICY_ENGINE_ENABLED.
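An added worked example of the three properties this card names: rules evaluated deterministically as code, a legal hold that supersedes any anonymize or hard-delete outcome, and a proof export that digests the run. It is illustrative code, not NexusRAG's policy engine; the POLICY rules, the Record shape and the SAMPLE records are constructed assumptions.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

RETAIN, ANONYMIZE, HARD_DELETE = "retain", "anonymize", "hard_delete"


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str            # e.g. "pii", "content"
    created_at: datetime
    legal_hold: bool = False


@dataclass(frozen=True)
class Rule:
    rule_id: str
    data_class: str
    max_age_days: int
    action: str                # ANONYMIZE or HARD_DELETE


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str
    rule_id: str
    reason: str


# Hypothetical policy. Rules are tried in listed order and the first match wins, so the order is
# part of the policy and must be versioned with it.
POLICY: List[Rule] = [
    Rule("pii-anonymize-365d", "pii", 365, ANONYMIZE),
    Rule("content-delete-730d", "content", 730, HARD_DELETE),
]


def evaluate(record: Record, policy: List[Rule], now: datetime) -> Decision:
    # Legal hold supersedes every retention rule: neither anonymize nor hard-delete may fire.
    if record.legal_hold:
        return Decision(record.record_id, RETAIN, "legal-hold", "record is under legal hold")
    age_days = (now - record.created_at).days
    for rule in policy:
        if rule.data_class == record.data_class and age_days >= rule.max_age_days:
            return Decision(record.record_id, rule.action, rule.rule_id,
                            f"age {age_days}d >= {rule.max_age_days}d")
    return Decision(record.record_id, RETAIN, "default", "no rule matched")


def run_retention(records: List[Record], policy: List[Rule], now: datetime) -> Dict:
    """Evaluate every record and return the decisions with a proof digest.
    The digest covers the clock value, the policy and the decisions, so identical inputs always
    yield the same digest and a later audit can tie each action to the rule that produced it."""
    decisions = [evaluate(r, policy, now) for r in records]
    proof = {
        "evaluated_at": now.isoformat(),
        "policy": [asdict(r) for r in policy],
        "decisions": [asdict(d) for d in decisions],
    }
    digest = hashlib.sha256(json.dumps(proof, sort_keys=True).encode()).hexdigest()
    return {"decisions": decisions, "proof": proof, "proof_digest": digest}


# Constructed sample: two old PII records (one under hold), one old content record, one fresh record.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("r1", "pii", NOW - timedelta(days=400)),
    Record("r2", "pii", NOW - timedelta(days=400), legal_hold=True),
    Record("r3", "content", NOW - timedelta(days=800)),
    Record("r4", "content", NOW - timedelta(days=10)),
]
```

The clock is an explicit parameter rather than a call to the system time: that is what makes a run reproducible, and it is also why the proof digest changes as soon as a different evaluation time is supplied. Releasing the hold is just re-running the same records with legal_hold cleared; the anonymize rule then fires on the next run.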
Envelope encryption
shipped
AES-256-GCM with pluggable KMS providers. Tenant key registry + encrypted blob store. Resumable re-encryption jobs with telemetry.
  • Pluggable KMS providers with crypto error contracts
  • Key rotation APIs with resumable jobs
  • KEYRING_MASTER_KEY_REQUIRED required-only mode
  • Crypto posture surfaced in governance status
Endpoint: /v1/admin/keyring. Feature flags: CRYPTO_ENABLED + CRYPTO_PROVIDER.
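An added example of the envelope pattern behind this card: a per-blob data key (DEK) wrapped by a versioned key-encryption key (KEK) held by a KMS provider, with rotation done by re-wrapping the DEK rather than re-encrypting the data, which is what lets a rotation job resume per blob. This is example code, not NexusRAG's keyring or blob store; the InMemoryKMS class and the Blob layout are assumptions, and it depends on the cryptography package for AES-256-GCM.

```python
import os
from dataclasses import dataclass
from typing import Dict

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class InMemoryKMS:
    """Stand-in for a pluggable KMS provider: keeps KEKs by version and wraps/unwraps DEKs.
    A real provider performs the wrap remotely and never releases the KEK."""

    def __init__(self) -> None:
        self._keks: Dict[int, bytes] = {1: AESGCM.generate_key(bit_length=256)}
        self.current = 1

    def rotate(self) -> int:
        """Introduce a new KEK version; older versions stay available for unwrap until retired."""
        self.current += 1
        self._keks[self.current] = AESGCM.generate_key(bit_length=256)
        return self.current

    def wrap(self, dek: bytes, tenant_id: str) -> dict:
        nonce = os.urandom(12)
        wrapped = AESGCM(self._keks[self.current]).encrypt(nonce, dek, tenant_id.encode())
        return {"kek_version": self.current, "nonce": nonce, "wrapped": wrapped}

    def unwrap(self, w: dict, tenant_id: str) -> bytes:
        kek = self._keks.get(w["kek_version"])
        if kek is None:
            raise KeyError(f"KEK version {w['kek_version']} has been retired")  # explicit error contract
        return AESGCM(kek).decrypt(w["nonce"], w["wrapped"], tenant_id.encode())


@dataclass
class Blob:
    tenant_id: str
    wrapped_dek: dict
    nonce: bytes
    ciphertext: bytes


def encrypt_blob(kms: InMemoryKMS, tenant_id: str, plaintext: bytes) -> Blob:
    dek = AESGCM.generate_key(bit_length=256)  # fresh data key per blob
    nonce = os.urandom(12)
    # Tenant id as AAD on both layers: a blob copied into another tenant's store fails to decrypt.
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, tenant_id.encode())
    return Blob(tenant_id, kms.wrap(dek, tenant_id), nonce, ciphertext)


def decrypt_blob(kms: InMemoryKMS, blob: Blob) -> bytes:
    dek = kms.unwrap(blob.wrapped_dek, blob.tenant_id)
    return AESGCM(dek).decrypt(blob.nonce, blob.ciphertext, blob.tenant_id.encode())


def rewrap_blob(kms: InMemoryKMS, blob: Blob) -> Blob:
    """Rotation step: re-wrap the DEK under the current KEK. The bulk ciphertext is untouched,
    which is what makes a rotation job cheap per blob and safe to resume after a crash."""
    if blob.wrapped_dek["kek_version"] == kms.current:
        return blob  # already on the current KEK: idempotent re-run
    dek = kms.unwrap(blob.wrapped_dek, blob.tenant_id)
    return Blob(blob.tenant_id, kms.wrap(dek, blob.tenant_id), blob.nonce, blob.ciphertext)


def decrypts(kms: InMemoryKMS, blob: Blob) -> bool:
    """True if the blob authenticates and decrypts; False on a GCM tag failure."""
    try:
        decrypt_blob(kms, blob)
        return True
    except InvalidTag:
        return False
```

Two details worth noting: the old KEK version must stay unwrappable until every blob has been re-wrapped (retiring it early is how a rotation job strands data), and the KEK-version check at the top of rewrap_blob is what gives the job its resumability, since re-running over already-migrated blobs is a no-op.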
API key lifecycle
shipped
Hashed key storage; admin lifecycle endpoints (expiration / reactivation / revocation). Inactive key denial with deterministic codes.
  • Optional per-key expiration + expiry enforcement
  • Inactivity reporting with admin reactivation
  • Rotation helper script + auditable lifecycle events
  • AUTH_INACTIVE_KEY denial path in the auth pipeline
Endpoint: /v1/admin/api-keys. Feature flag: AUTH_ENABLED.
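An added example of the lifecycle this card describes: keys stored only as hashes, optional expiry, an inactivity sweep that an admin can reverse, and a denial path that returns a deterministic code. This is illustrative code, not NexusRAG's auth pipeline; AUTH_INACTIVE_KEY is the only code named on this page, the other codes and the KeyStore class are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Deterministic outcome codes. AUTH_INACTIVE_KEY is from the page; the others are assumed names.
AUTH_OK = "AUTH_OK"
AUTH_UNKNOWN_KEY = "AUTH_UNKNOWN_KEY"
AUTH_REVOKED_KEY = "AUTH_REVOKED_KEY"
AUTH_EXPIRED_KEY = "AUTH_EXPIRED_KEY"
AUTH_INACTIVE_KEY = "AUTH_INACTIVE_KEY"


@dataclass
class KeyRecord:
    key_id: str
    tenant_id: str
    key_hash: str                    # only the hash is stored; the secret is shown once at issue time
    created_at: datetime
    expires_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None
    revoked: bool = False
    inactive: bool = False


def hash_key(secret: str) -> str:
    # Plain SHA-256 is fine for high-entropy random secrets; a human-chosen password would need a slow KDF.
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    """Hypothetical key registry: issue / revoke / inactivity sweep / reactivate / authenticate."""

    def __init__(self, inactivity_days: int = 90) -> None:
        self._keys: Dict[str, KeyRecord] = {}
        self.inactivity_window = timedelta(days=inactivity_days)

    def issue(self, tenant_id: str, now: datetime, ttl_days: Optional[int] = None) -> Tuple[str, str]:
        key_id = "k_" + secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        expires_at = now + timedelta(days=ttl_days) if ttl_days else None
        self._keys[key_id] = KeyRecord(key_id, tenant_id, hash_key(secret), now, expires_at, now)
        return key_id, f"{key_id}.{secret}"  # the only moment the raw secret exists outside the caller

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True  # permanent; reactivate() does not undo this

    def reactivate(self, key_id: str) -> None:
        self._keys[key_id].inactive = False

    def sweep_inactive(self, now: datetime) -> List[str]:
        """Inactivity report: mark keys unused for longer than the window and return their ids."""
        flagged = []
        for rec in self._keys.values():
            if not rec.revoked and rec.last_used_at and now - rec.last_used_at > self.inactivity_window:
                rec.inactive = True
                flagged.append(rec.key_id)
        return flagged

    def authenticate(self, presented: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Return (code, tenant_id); tenant_id is None on every denial."""
        key_id, _, secret = presented.partition(".")
        rec = self._keys.get(key_id)
        # Always run the comparison (against a dummy hash if the id is unknown) so timing does not
        # reveal which key ids exist.
        expected = rec.key_hash if rec else hash_key("")
        matches = hmac.compare_digest(expected, hash_key(secret))
        if rec is None or not matches:
            return AUTH_UNKNOWN_KEY, None
        if rec.revoked:
            return AUTH_REVOKED_KEY, None
        if rec.expires_at is not None and now >= rec.expires_at:
            return AUTH_EXPIRED_KEY, None
        if rec.inactive:
            return AUTH_INACTIVE_KEY, None  # denied until an admin reactivates; nothing auto-revives it
        rec.last_used_at = now
        return AUTH_OK, rec.tenant_id
```

The check order matters for the audit trail: revoked is tested before expired and inactive, so a key that is both revoked and stale is always recorded as revoked, and a caller can never learn from the code whether a revoked key would otherwise have been valid.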
DR backup + restore
shipped
DR backup tooling with signed manifests; readiness/backups/restore-drill ops endpoints. Encrypted + signed backups with retention pruning.
  • Signed backup manifests + drill reporting
  • Backup retention pruning
  • Restore-drill checklist runbook
  • Multi-region failover control plane (FAILOVER_ENABLED)
Feature flag: BACKUP_ENABLED.
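The signed evidence bundles of the SOC 2 card and the signed backup manifests of this card are the same technique applied to two kinds of artifact, so one added example covers both: a manifest that lists every artifact with its digest, is signed as a whole, and is verified signature-first before any per-file check. This is illustrative code, not NexusRAG's bundle or backup tooling; the manifest layout, the SIGNING_KEYS registry and the EVIDENCE files are constructed, and HMAC stands in for whatever signing the real bundles use.

```python
import hashlib
import hmac
import json
from typing import Dict, List


def build_manifest(kind: str, artifacts: Dict[str, bytes], key_id: str, key: bytes) -> dict:
    """Hash every artifact, list them in sorted order and sign the canonical manifest body."""
    entries = [{"path": p, "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
               for p, data in sorted(artifacts.items())]
    body = {"kind": kind, "key_id": key_id, "artifacts": entries}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    # HMAC-SHA256 stands in for the signing step. A production bundle would be signed with a
    # KMS-held asymmetric key so that verifiers never hold the secret.
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {**body, "signature": signature}


def verify_bundle(manifest: dict, artifacts: Dict[str, bytes], keys: Dict[str, bytes]) -> List[str]:
    """Return findings; an empty list means the bundle verifies."""
    key = keys.get(manifest.get("key_id"))
    if key is None:
        return ["unknown signing key id"]
    body = {k: v for k, v in manifest.items() if k != "signature"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return ["signature mismatch"]  # stop here: an unsigned listing proves nothing
    findings = []
    for entry in manifest["artifacts"]:
        data = artifacts.get(entry["path"])
        if data is None:
            findings.append(f"missing artifact {entry['path']}")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            findings.append(f"hash mismatch {entry['path']}")
    listed = {entry["path"] for entry in manifest["artifacts"]}
    for extra in sorted(set(artifacts) - listed):
        findings.append(f"unlisted artifact {extra}")  # something was added after signing
    return findings


# Constructed key material and evidence files. The key id in the manifest is what lets a verifier
# keep working across signing-key rotation: old bundles name the key they were signed with.
SIGNING_KEYS = {"evidence-2025": b"\x01" * 32}
EVIDENCE = {
    "var/evidence/2025-01-01/controls.json": b'{"controls_evaluated": 42, "failing": 0}',
    "var/evidence/2025-01-01/audit-summary.txt": b"24h summary: 3 privileged actions, 0 failures\n",
}
```

Unlisted files are reported deliberately: a restore drill that silently accepts an extra file in the backup set would also accept a planted one. For a backup manifest the artifacts are the encrypted dump files, and the check runs the same way.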
Authorization model
RBAC + ABAC + document ACLs with default-deny. See the architecture page for the full request authorization pipeline.

RBAC (reader / editor / admin): endpoint-level role matrix; tenant-bound principals.

ABAC (deny-first / allow-then): priority-aware DSL with a simulation API.

Doc ACL (creator-owner default): grants can expire, and expired grants are ignored; AUTHZ_DEFAULT_DENY is set in prod.
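An added worked example of the three layers above composed into one check with a decision trace (the shape a simulation endpoint would return): a role matrix, priority-aware ABAC rules where a deny wins any tie, and document ACLs that fall through to default deny, ignoring expired grants. This is illustrative code, not NexusRAG's authorization pipeline; the ROLE_MATRIX, the ABAC_RULES written as Python predicates instead of the page's DSL, the ordering semantics noted in authorize(), and the ALICE / BOB / DOC fixtures are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

ROLE_RANK = {"reader": 0, "editor": 1, "admin": 2}
# Hypothetical endpoint-level role matrix: the minimum role each action needs.
ROLE_MATRIX = {"doc.read": "reader", "doc.write": "editor", "doc.delete": "editor", "audit.query": "admin"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Grant:
    user_id: str
    actions: Tuple[str, ...]
    expires_at: Optional[datetime] = None


@dataclass(frozen=True)
class Document:
    doc_id: str
    tenant_id: str
    owner_id: str
    attrs: Dict[str, str] = field(default_factory=dict)
    grants: Tuple[Grant, ...] = ()


@dataclass(frozen=True)
class AbacRule:
    rule_id: str
    priority: int          # higher priority is evaluated first
    effect: str            # "allow" or "deny"
    condition: Callable[[Principal, str, Document], bool]


# Hypothetical policy written as predicates; a rule DSL would compile to something equivalent.
ABAC_RULES = [
    AbacRule("deny-restricted-offsite", 100, "deny",
             lambda p, a, d: d.attrs.get("classification") == "restricted" and p.attrs.get("network") != "corp"),
    AbacRule("allow-same-department", 10, "allow",
             lambda p, a, d: p.attrs.get("department") == d.attrs.get("department")),
]


def evaluate_abac(p: Principal, action: str, doc: Document, rules) -> Tuple[Optional[str], str]:
    """Highest priority wins; among rules tied at that priority any deny beats every allow."""
    matched = [r for r in rules if r.condition(p, action, doc)]
    if not matched:
        return None, "no-abac-match"
    top = max(r.priority for r in matched)
    tied = [r for r in matched if r.priority == top]
    chosen = next((r for r in tied if r.effect == "deny"), tied[0])
    return chosen.effect, chosen.rule_id


def acl_allows(p: Principal, action: str, doc: Document, now: datetime) -> Tuple[bool, str]:
    if doc.owner_id == p.user_id:
        return True, "creator-owner"
    for g in doc.grants:
        if g.user_id != p.user_id or action not in g.actions:
            continue
        if g.expires_at is not None and now >= g.expires_at:
            continue  # an expired grant is simply ignored
        return True, "explicit-grant"
    return False, "acl-default-deny"


def authorize(p: Principal, action: str, doc: Document, now: datetime, rules=ABAC_RULES) -> Tuple[bool, List[str]]:
    """Full pipeline with a decision trace. Semantics assumed here: tenant mismatch and RBAC
    failures short-circuit; an ABAC deny is final; an ABAC allow or an ACL match grants;
    anything else is denied by default."""
    if doc.tenant_id != p.tenant_id:
        return False, ["tenant-mismatch"]
    required = ROLE_MATRIX.get(action)
    if required is None or ROLE_RANK.get(p.role, -1) < ROLE_RANK[required]:
        return False, [f"rbac-deny:{action}"]
    trace = [f"rbac-ok:{required}"]
    effect, rule_id = evaluate_abac(p, action, doc, rules)
    trace.append(f"abac-{effect or 'none'}:{rule_id}")
    if effect == "deny":
        return False, trace
    if effect == "allow":
        return True, trace
    allowed, why = acl_allows(p, action, doc, now)
    trace.append(why)
    return allowed, trace


# Constructed fixtures: a restricted engineering document owned by alice, with an expired read grant for bob.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ALICE = Principal("alice", "t1", "editor", {"network": "corp", "department": "eng"})
BOB = Principal("bob", "t1", "reader", {"network": "corp", "department": "sales"})
DOC = Document("d1", "t1", "alice", {"classification": "restricted", "department": "eng"},
               grants=(Grant("bob", ("doc.read",), expires_at=NOW - timedelta(days=1)),))
```

The trace is the useful output for a simulation API: an operator asking "why was bob denied" gets acl-default-deny rather than a bare false, and can see that the expired grant was skipped rather than rejected. Note that the owner default does not override an ABAC deny: alice is refused her own restricted document when she connects from outside the corporate network.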

Operational runbooks
21 compliance + crypto + DR runbooks live in docs/runbooks/. Every procedure has a deterministic execution path; most are exercised in CI.
  • soc2-audit-prep.md
  • evidence-bundles.md
  • evidence-bundle-verification.md
  • compliance-control-failure-response.md
  • compliance-scheduling-and-retention.md
  • compliance-snapshot.md
  • audit-evidence-export.md
  • retention-and-anonymization.md
  • retention-proof.md
  • dsar-handling.md
  • key-rotation.md
  • key-rotation-execution.md
  • key-rotation-for-backups.md
  • key-compromise-response.md
  • kms-outage-procedure.md
  • encrypted-artifact-access.md
  • legal-hold-procedure.md
  • dr-backup-restore.md
  • restore-drill-checklist.md
  • failover-execution.md
  • failover-rollback.md
Trace the journey
The compliance posture wasn't bolted on. Audit log shipped in 0.8.0; envelope encryption in 1.9.0; SOC 2 catalog in 2.0.0; ABAC in 2.2.0. See the release timeline for the full trajectory.