Compliance Evidence

TapPass generates compliance evidence from the audit trail. Every governed call is logged with full pipeline context, so evidence generation is a query — not a separate instrumentation effort.

GDPR Article 30 — Record of Processing Activities

Article 30 requires controllers to maintain a record of processing activities, including purposes, data categories, recipients, and safeguards.

For AI agents, this means documenting which agents process personal data, what PII types are handled, and which LLM providers receive data.

Generating the ROPA

curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?event_type=pii_detected&limit=500" \
  | python -m json.tool

The response includes:

• Agent ID — which agent processed personal data
• PII types — EMAIL, PHONE_NUMBER, SSN, etc.
• Action taken — redacted, blocked, or allowed
• Timestamp — when the processing occurred
• Model — which LLM provider received the data (or did not, if redacted before forwarding)

Exporting for auditors

Export all audit events for a time period:

# Export last 90 days of PII-related events
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?event_type=pii_detected&limit=5000" \
  -o gdpr_ropa_evidence.json

# Also export redaction events
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?event_type=pii_redacted&limit=5000" \
  -o gdpr_redaction_evidence.json

What auditors look for

Art. 30 requirement	TapPass evidence
Purposes of processing	Agent registration metadata (agent name, description, owner)
Categories of personal data	pii_detected events with entity types
Categories of recipients	llm_call events showing which providers received data
Safeguards	Pipeline configuration showing which detection steps are enabled
Retention	Audit trail retention policy configuration

---

EU AI Act Article 14 — Human Oversight

Article 14 requires that high-risk AI systems are designed to allow effective human oversight during operation, including the ability to intervene and override.

Agent health monitoring

The /agents/{agent_id}/health endpoint provides real-time human oversight data:

curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/agents/agent-customer-support/health?period_days=30" \
  | python -m json.tool

Response:

{
  "agent_id": "agent-customer-support",
  "score": 82,
  "grade": "B",
  "dimensions": {
    "compliance": { "score": 90, "weight": 0.3 },
    "data_safety": { "score": 85, "weight": 0.25 },
    "security": { "score": 75, "weight": 0.2 },
    "stability": { "score": 78, "weight": 0.15 },
    "efficiency": { "score": 70, "weight": 0.1 }
  },
  "trend": "stable",
  "alerts": []
}

Break-glass override

TapPass provides a break-glass mechanism for emergency governance override. This satisfies Article 14’s requirement for human intervention capability.

curl -X POST -H "Authorization: Bearer tp_abc123..." \
  -H "Content-Type: application/json" \
  "https://tappass.example.com/breakglass" \
  -d '{
    "agent_id": "agent-customer-support",
    "reason": "Production incident — agent needs unrestricted access to resolve",
    "duration_minutes": 30
  }'

Every break-glass event is recorded in the audit trail with:

• Who requested it
• Why (mandatory reason field)
• Duration
• Whether it was granted or denied (OPA policy decides)

Evidence for auditors

# All break-glass events (granted + denied)
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?event_type=breakglass_granted&limit=500" \
  -o breakglass_granted.json

curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?event_type=breakglass_denied&limit=500" \
  -o breakglass_denied.json

# Agent health history
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/health/overview?period_days=90" \
  -o agent_health_overview.json

---

SOC 2 Type II — Audit Trail Integrity

SOC 2 Type II requires evidence that controls operated effectively over a period of time. TapPass provides cryptographic proof of audit trail integrity.

Hash chain verification

Every audit event is hash-chained: each event includes the SHA-256 hash of the previous event. If any event is modified, deleted, or reordered, the chain breaks.

curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit/integrity" \
  | python -m json.tool

Response when the chain is intact:

{
  "status": "intact",
  "chain_length": 15432,
  "current_head": "a1b2c3d4e5f6...",
  "events_verified": 15432,
  "broken_events": []
}

Response when tampering is detected:

{
  "status": "compromised",
  "chain_length": 15432,
  "events_verified": 15432,
  "broken_events": [
    {
      "event_id": "evt_7891",
      "expected_hash": "abc123...",
      "actual_hash": "def456...",
      "reason": "Hash mismatch — event may have been modified"
    }
  ]
}

Three layers of integrity

TapPass uses three independent layers to protect audit trail integrity:

Layer	Mechanism	Detects
Hash chain	SHA-256 chain linking each event to its predecessor	Insertions, deletions, reordering
Event signatures	Ed25519 signature on each event	Forged events (attacker cannot sign without the key)
Checkpoint anchoring	Signed checkpoints written to the database every N events	Full chain replacement

Verifying signatures independently

Fetch the server’s public signing key and verify event signatures without trusting the server:

# Get the audit signing public key
curl -s "https://tappass.example.com/audit/signing-key" | python -m json.tool

# Response:
# {
#   "algorithm": "Ed25519",
#   "public_key_pem": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
#   "usage": "Verify _sig field on audit events. sig = Ed25519.sign(event._hash)"
# }

Evidence for auditors

# Full integrity check
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit/integrity" \
  -o soc2_integrity_evidence.json

# Signing key for independent verification
curl -s "https://tappass.example.com/audit/signing-key" \
  -o soc2_signing_key.json

# Audit event sample (last 1000 events)
curl -s -H "Authorization: Bearer tp_abc123..." \
  "https://tappass.example.com/audit?limit=1000" \
  -o soc2_audit_sample.json

---

Automating evidence collection

Combine the above into a script that runs on a schedule (e.g. weekly via cron or CI):

#!/bin/bash
set -euo pipefail

TAPPASS_URL="https://tappass.example.com"
API_KEY="tp_abc123..."
DATE=$(date +%Y-%m-%d)
OUTPUT_DIR="./compliance-evidence/${DATE}"
mkdir -p "${OUTPUT_DIR}"

AUTH="Authorization: Bearer ${API_KEY}"

# GDPR Art. 30 — PII processing records
curl -s -H "${AUTH}" \
  "${TAPPASS_URL}/audit?event_type=pii_detected&limit=5000" \
  -o "${OUTPUT_DIR}/gdpr_pii_detected.json"

curl -s -H "${AUTH}" \
  "${TAPPASS_URL}/audit?event_type=pii_redacted&limit=5000" \
  -o "${OUTPUT_DIR}/gdpr_pii_redacted.json"

# EU AI Act Art. 14 — Human oversight
curl -s -H "${AUTH}" \
  "${TAPPASS_URL}/health/overview?period_days=90" \
  -o "${OUTPUT_DIR}/aiact_health_overview.json"

curl -s -H "${AUTH}" \
  "${TAPPASS_URL}/audit?event_type=breakglass_granted&limit=500" \
  -o "${OUTPUT_DIR}/aiact_breakglass.json"

# SOC 2 — Audit integrity
curl -s -H "${AUTH}" \
  "${TAPPASS_URL}/audit/integrity" \
  -o "${OUTPUT_DIR}/soc2_integrity.json"

curl -s "${TAPPASS_URL}/audit/signing-key" \
  -o "${OUTPUT_DIR}/soc2_signing_key.json"

echo "Evidence collected in ${OUTPUT_DIR}"

Run this weekly and store the output in your compliance evidence repository. Each run creates a dated snapshot that auditors can review.