Compliance Evidence Export

VeriProof can generate structured compliance evidence packages from your session data. Evidence packages are designed to be presented directly to auditors and regulators — they include session records, governance metrics, blockchain proofs, and a signed attestation that the records are complete and unaltered.

This guide covers the full evidence export workflow.

Supported Frameworks

Framework	Coverage	Relevant articles / functions
EU AI Act	Articles 9, 10, 11, 13, 17	Risk management, data governance, technical documentation, transparency, QMS
NIST AI RMF	All four functions	GOVERN, MAP, MEASURE, MANAGE
GDPR	Articles 17, 15	Erasure audit log, subject access record
Custom	Any custom label	Use for internal reviews, board reporting, or non-standard frameworks

What’s in a Package

Every evidence package includes:

Cover and metadata

Organisation name, system name, version, and deployment date
Report period (start date, end date)
Generation timestamp and generating user
Package ID (for version control)

Section A — System Description (from your organisation settings)

Section B — Monitoring Configuration

Governance scoring configuration as it existed at the end of the report period
Configuration change history for the period (if any changes were made)
Alert rule inventory

Section C — Session Data Summary

Total sessions captured in the period
Sessions per day (chart)
Governance score distribution (table: mean, p10, p50, p90, p99)
Sessions by alert severity distribution

Section D — Alert and Incident Log

All alert triggers in the period, with severity and dimension
Acknowledgement log (who, when, notes)
Corrective action records
Mean time to acknowledgement and resolution

Section E — Sample Records with Blockchain Proofs

Up to 100 randomly selected session records (adjustable)
Each record includes its Merkle root and the Solana transaction ID
Proof verification status for each included record

Section F — TEE Attestation

AMD SEV-SNP attestation token sample from the Notary service
Measurement hash for comparison against published release artifacts

Section G — Attestation Statement

Signed statement that the session records in the package are complete and unaltered for the report period, based on blockchain proof verification

Generating a Package

Python SDK


from veriproof import VeriproofClient
from datetime import date
 
client = VeriproofClient(api_key="vp_live_...")
 
package = client.compliance.export_evidence(
    framework="eu-ai-act",              # "eu-ai-act", "nist-ai-rmf", "gdpr", "custom"
    articles=["9", "10", "11", "13", "17"],   # EU AI Act articles (omit for other frameworks)
    start_date=date(2026, 1, 1),
    end_date=date(2026, 12, 31),
    format="pdf",                       # "pdf" or "json"
    include_proofs=True,
    include_attestation=True,
    include_raw_sessions=False,         # True to include full session content
    sample_size=100,                    # number of sessions in Section E
)
 
# Poll for completion (packages for large date ranges may take 1–2 minutes)
import time
while package.status == "generating":
    time.sleep(5)
    package = client.compliance.get_export(package.id)
 
print(f"Download: {package.download_url}")
print(f"Sessions: {package.session_count}")
print(f"Proof pass rate: {package.proof_verification_rate:.1%}")

TypeScript SDK


import { VeriproofClient } from '@veriproof/sdk';
 
const client = new VeriproofClient({ apiKey: 'vp_live_...' });
 
const pkg = await client.compliance.exportEvidence({
  framework: 'eu-ai-act',
  articles: ['9', '10', '11', '13', '17'],
  startDate: new Date('2026-01-01'),
  endDate: new Date('2026-12-31'),
  format: 'pdf',
  includeProofs: true,
  includeAttestation: true,
});
 
// Poll until complete
let result = pkg;
while (result.status === 'generating') {
  await new Promise(r => setTimeout(r, 5000));
  result = await client.compliance.getExport(pkg.id);
}
 
console.log('Download:', result.downloadUrl);

.NET SDK


using Veriproof.Sdk;
using Veriproof.Sdk.Compliance;
 
var client = new VeriproofClient("vp_live_...");
 
var request = new EvidenceExportRequest
{
    Framework = "eu-ai-act",
    Articles = new[] { "9", "10", "11", "13", "17" },
    StartDate = new DateOnly(2026, 1, 1),
    EndDate = new DateOnly(2026, 12, 31),
    Format = ExportFormat.Pdf,
    IncludeProofs = true,
    IncludeAttestation = true,
};
 
var package = await client.Compliance.ExportEvidenceAsync(request);
 
// Wait for generation
while (package.Status == ExportStatus.Generating)
{
    await Task.Delay(TimeSpan.FromSeconds(5));
    package = await client.Compliance.GetExportAsync(package.Id);
}
 
Console.WriteLine($"Download: {package.DownloadUrl}");

REST API


POST /v1/compliance/export
Authorization: Bearer vp_live_...
Content-Type: application/json
 
{
  "framework": "eu-ai-act",
  "articles": ["9", "10", "11", "13", "17"],
  "period": {
    "start": "2026-01-01",
    "end": "2026-12-31"
  },
  "options": {
    "format": "pdf",
    "include_proofs": true,
    "include_attestation": true,
    "include_raw_sessions": false,
    "sample_size": 100
  }
}
 
# Response:
# { "id": "exp_abc123", "status": "generating" }
 
# Poll:
GET /v1/compliance/export/exp_abc123
# { "id": "exp_abc123", "status": "complete", "download_url": "..." }

Large Date Ranges

For full-year reports with high session volumes (>1M sessions), export generation may take 2–5 minutes. The API and portal both provide status polling. You can also use webhooks to receive notification when generation completes:


# Register a webhook for export completion
client.webhooks.create(
    url="https://your-app.example.com/webhooks/veriproof",
    events=["compliance.export.completed"],
)

Retention of Generated Packages

VeriProof retains generated packages for the duration of your subscription plus 30 days. Packages are stored in Azure Blob WORM storage, making them immutable after generation.

Download and archive packages in your own document management system — do not rely on VeriProof retention as your sole copy for long-term regulatory obligations.

Next Steps

EU AI Act Evidence Walkthrough — step-by-step for Article 11
GDPR Cryptographic Erasure — GDPR-specific erasure audit log
Compliance Evidence guide — practical guide for common use cases