Compliance map
Machine-checked mappings from Nolixan controls to OWASP Agentic Top-10 and SOC 2 — plus tenant data export, deletion, audit retention, and SIEM forwarding.
Nolixan ships a machine-checked compliance map: every control is tied to an exact source anchor in the codebase, and CI fails the moment an anchor moves — so the mapping can't silently rot. It's a self-assessment, not a certification, but the evidence is real and verifiable.
Frameworks
Returns the control mappings for:
- OWASP Agentic Top-10 — e.g. ASI-01 control hijacking (fail-closed policy gate), ASI-02 tool misuse (per-action policy + SoD), ASI-04 audit tampering (hash-chain + signed receipts), ASI-05 runaway cost (spend governor), ASI-06 sensitive-information disclosure (content redaction + encryption), ASI-08 identity/RBAC.
- SOC 2 (Trust Services Criteria) — CC6.x access/encryption, CC7.x monitoring/audit integrity, CC8.1 change management (approvals + SoD), A1.1 SLOs, C1.x confidentiality (data minimization + redaction), PI1.1 signed receipts.
Each control carries a status (covered / partial / gap), a summary, and file:line evidence anchors. The same data powers the in-app Compliance page.
Evidence snapshot
Produce a point-in-time evidence bundle for an auditor:
Tenant data rights (GDPR/CCPA)
| Method | Path | Purpose |
|---|---|---|
GET | /compliance/data-export | Machine-readable export of all tenant data |
POST | /compliance/account-deletion | Schedule tenant offboarding — body { "confirm_email": "…" } (canManageBilling) |
Audit retention
Control how long audit events are kept and when older entries are redacted:
| Method | Path | Purpose |
|---|---|---|
GET | /compliance/audit-retention | Current retention policy |
PUT | /compliance/audit-retention | Set { retention_days, redaction_after_days, enabled } |
Retention is capped by your plan; the response reports both your requested and the effective values.
SIEM forwarding
Stream audit events to your SIEM (Splunk, Datadog, etc.). Requires a Business/Enterprise plan and canManageBilling.
| Method | Path | Purpose |
|---|---|---|
GET | /compliance/siem-destinations | List destinations (URLs masked) |
POST | /compliance/siem-destinations | Add a destination { endpoint_url, signing_secret?, event_filter? } |
PATCH | /compliance/siem-destinations/{id} | Update |
DELETE | /compliance/siem-destinations/{id} | Remove |
POST | /compliance/siem-destinations/{id}/test | Send a test event |
See also: Audit log, Receipts, and the standards crosswalks in docs/REDACTION_COMPLIANCE.md and docs/SOC2_READINESS.md.