Sophon Docs

Compliance

Compliance reports, retention policies, data-handling configurations, and export for auditors.

The Compliance module collects Sophon's compliance-relevant surfaces — retention, audit, user access reviews, data export, PII handling — in one place. It's where you generate reports for SOC 2 / ISO 27001 / HIPAA / GDPR audits, where you configure retention, and where you run user access reviews on a schedule.

Available on Enterprise licenses with the compliance feature flag.

Reports

Built-in report types

Admin → Compliance → Reports → New.

Report                What it shows                                                           Format
User access review    All users, their roles, tenants, last login, 2FA status                 CSV / JSON
Permission matrix     Users × permissions grid — who can do what                              CSV
Data inventory        Per-tenant document list, memory entry counts, cron jobs, workflows     JSON
Audit summary         Audit log aggregated by action, outcome, and period                     CSV / JSON
Approval history      All High/Critical approvals, outcomes, approvers                        CSV
Credential access     Vault access log — who accessed which credentials when                  CSV
Retention compliance  Entries older than retention, pruning schedule, last prune              JSON
PII touchpoints       Data fields potentially containing PII, retention, encryption status    JSON

Each report can be parameterized by date range, tenant, or user subset.

Generating

Dashboard, CLI, or API:

sophon admin compliance report user-access --since 2026-01-01 --out report.csv
sophon admin compliance report audit-summary --since 2026-01-01 --until 2026-04-01 --format json
sophon admin compliance report data-inventory --tenant acme --out acme-inventory.json

Reports are deterministic — the same parameters always yield the same output, provided the underlying data has not changed in the meantime. This makes them useful for point-in-time audits.

Scheduled reports

Create a cron entry that generates and delivers a report:

sophon admin compliance schedule create \
  --report user-access \
  --cron "0 9 1 * *" \
  --deliver email \
  --to compliance@example.com

Delivery options: email, S3, SFTP, webhook.

Retention

Retention policies

Per-resource retention:

{
  "Sophon": {
    "Retention": {
      "AuditLog": "3650.00:00:00",         // 10 years
      "DailyLogs": "365.00:00:00",         // 1 year
      "ChatSessions": "180.00:00:00",      // 6 months
      "Documents": "1825.00:00:00",        // 5 years (compliance default)
      "WorkflowRuns": "365.00:00:00",
      "TaskHistory": "90.00:00:00",
      "ApprovalHistory": "2555.00:00:00"   // 7 years (SOX)
    }
  }
}

Defaults vary by tier and resource. Enterprise lets you override everything — including setting infinite retention ("Indefinite") for audit on deployments where compliance requires it.
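An added example, not part of Sophon or this page, of a pre-audit check against the Retention section above: it parses the .NET TimeSpan values ("d.hh:mm:ss"), treats "Indefinite" as unlimited, and flags any resource whose configured retention falls below a required minimum. The minimums and the settings fragment are constructed for the example, not Sophon defaults.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed appsettings.json fragment mirroring the Retention section above.
# .NET's JSON config provider accepts // comments but json.loads does not,
# so strip them (or use a lenient parser) before loading a real file.
APPSETTINGS = """
{
  "Sophon": {
    "Retention": {
      "AuditLog": "3650.00:00:00",
      "ChatSessions": "180.00:00:00",
      "ApprovalHistory": "Indefinite",
      "TaskHistory": "90.00:00:00"
    }
  }
}
"""

# Assumed minimum retention in days per resource (constructed policy).
REQUIRED_MIN_DAYS = {
    "AuditLog": 2555,          # 7 years
    "ApprovalHistory": 2555,   # 7 years
    "ChatSessions": 365,       # 1 year, stricter than the 6-month value above
}

# .NET TimeSpan string: [d.]hh:mm:ss[.fffffff]
_TIMESPAN_RE = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})(?:\.\d+)?$")


def parse_retention_days(value: str) -> Optional[float]:
    """Return the retention period in days, or None for unlimited ('Indefinite')."""
    if value.strip().lower() == "indefinite":
        return None
    m = _TIMESPAN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a TimeSpan value: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days + (hours * 3600 + minutes * 60 + seconds) / 86400


def find_short_retention(settings_json: str, minimums: dict) -> List[Tuple[str, Optional[float], int]]:
    """Return (resource, configured_days, required_days) per violation.

    configured_days is None only when the key is absent (tier defaults apply,
    so a reviewer must confirm them); 'Indefinite' never produces a violation.
    """
    retention = json.loads(settings_json)["Sophon"]["Retention"]
    violations = []
    for resource, required in minimums.items():
        if resource not in retention:
            violations.append((resource, None, required))
            continue
        configured = parse_retention_days(retention[resource])
        if configured is not None and configured < required:
            violations.append((resource, configured, required))
    return violations
```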

Pruning schedule

A daily job (runs at 03:00 server time by default) prunes entries older than policy. Each prune run:

  • Logs the count pruned per resource
  • Optionally archives to cold storage (S3, Azure Blob) before deletion
  • Writes an audit entry compliance.prune with the summary

Archival

Instead of deleting, configure archival:

{
  "Sophon": {
    "Retention": {
      "Archive": {
        "Enabled": true,
        "Backend": "S3",
        "S3": {
          "Bucket": "sophon-cold-storage",
          "Region": "us-east-1",
          "Prefix": "archive/"
        }
      }
    }
  }
}

Archived entries are queryable via sophon admin compliance archive search but not via the normal Dashboard.

User access reviews

A periodic confirmation that each user still needs their current access:

Admin → Compliance → Access Reviews → New.

  • Scope — all users or a subset
  • Reviewer — who approves / rejects each user's access
  • Deadline — how long the review runs
  • Action on no-response — suspend, extend, reject-default

The reviewer gets a list of all users in scope. For each, they choose:

  • Keep — access unchanged
  • Modify — change role / tenant assignment
  • Remove — suspend or delete the user

Outcomes are logged. Scheduled reviews (quarterly / semi-annually) are a common SOC 2 control.

PII handling

Sophon treats the following fields as potentially PII:

  • User email, display name, avatar
  • Memory entry content (user-scoped)
  • Document content and metadata
  • Chat message text
  • Session titles
  • Connection labels (may contain names)

Protections

  • Encryption at rest — database encrypted at the storage layer; vault secrets encrypted per-entry.
  • TLS in transit — all Gateway endpoints enforce TLS.
  • Redaction in audit — PII-sensitive fields are hashed in audit entries by default; raw values accessible only with ViewAuditLogs permission.
  • Right to erasure (GDPR) — a deleted user's PII is redacted across all data with [deleted] tombstones. Audit entries retained with identity redacted.

Data subject access requests

The CLI can compile a "what does Sophon know about this user" bundle:

sophon admin compliance dsar --user <user-id> --out dsar-report.zip

Bundle includes: user record, all sessions, all memory entries, all documents (metadata + extracted text), all approvals, all audit entries where the user is actor or subject.

Generate the bundle and email it to the requester within your policy's SLA (GDPR: 30 days).

Encryption

At rest

  • Database — TDE / encryption on SQLite (SQLCipher) and Postgres (pgcrypto / transparent).
  • Vault — AES-GCM with machine-bound key (local backend); service-managed encryption for cloud backends.
  • Archive storage — server-side encryption (SSE-S3, Azure SSE, etc.).

In transit

  • TLS 1.2+ enforced on all Gateway HTTP endpoints and SignalR hubs.
  • MCP server transports (SSE / StreamableHTTP) require TLS except on localhost.
  • Sophon Node connections require TLS.

Key management

  • Local backend uses OS-bound key material (DPAPI on Windows, Keychain on macOS, libsecret on Linux).
  • External backends delegate to the vault service (HashiCorp / AWS KMS / Azure Key Vault).

Data residency

For Enterprise deployments with residency constraints, pick a single region for:

  • Database (Postgres / Qdrant / Redis)
  • Archive storage
  • Vault backend
  • Insights engine (compute stays near the data)

All Sophon components operate entirely within the region you configure — no cross-region calls.

Immutability

  • Audit log — append-only table; pruning only removes entries older than the retention period, and each prune run is itself audited.
  • Hash-chain mode — each audit entry includes the SHA-256 of the previous entry. sophon admin audit verify-chain detects tampering.
  • Config diff log — every appsettings.json change is captured with before/after diff and operator identity.
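An added example, not Sophon's verify-chain implementation, of the hash-chain idea above. It assumes each entry carries a prev_hash field holding the SHA-256 of the previous entry's canonical JSON (sorted keys, no whitespace) and that the first entry links to an all-zero sentinel; the audit entries are constructed.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first entry


def canonical(entry: dict) -> bytes:
    """Deterministic encoding so the hash does not depend on key order or whitespace."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def append_entry(chain: List[dict], action: str, actor: str, outcome: str) -> dict:
    """Writer side: link the new entry to the hash of the current last entry."""
    prev = entry_hash(chain[-1]) if chain else GENESIS
    entry = {"seq": len(chain), "action": action, "actor": actor,
             "outcome": outcome, "prev_hash": prev}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the seq of the first entry whose link is broken, or None if intact.

    A modified entry changes its own hash, so the break surfaces at the entry
    after it; a deleted entry surfaces as a seq gap at its former position.
    """
    expected = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev_hash") != expected:
            return i
        expected = entry_hash(entry)
    return None


def build_sample_chain() -> List[dict]:
    """Constructed sample audit entries."""
    chain: List[dict] = []
    append_entry(chain, "compliance.prune", "system", "success")
    append_entry(chain, "vault.read", "alice", "success")
    append_entry(chain, "user.role_change", "bob", "denied")
    return chain
```

Changes to the final entry are only detectable if the current head hash is also recorded somewhere the audit writer cannot modify, so pair chain verification with an out-of-band copy of the latest hash.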

Certifications

Sophon the software is a codebase; certifications apply to deployments. Enterprise customers have used Sophon as the basis for:

  • SOC 2 Type 2
  • ISO 27001
  • HIPAA (with appropriate BAA configuration — contact Sales)
  • GDPR / UK GDPR

Sophon itself ships with the technical controls (encryption, audit, RBAC, DSAR) that these frameworks require. The deployment-specific controls (physical security, employee training, incident response) remain with you.

Where to go next