Ledger Compliance Guide
How to use SoftQCOS Ledger to meet regulatory and audit requirements.
Supported Compliance Frameworks
SoftQCOS Ledger's quantum-anchored immutable records support evidence requirements for:
| Framework | Applicability |
|---|---|
| SOC 2 Type II | Audit trail for system operations and access |
| ISO 27001 | Information security event logging |
| GDPR | Data processing activity records |
| HIPAA | Healthcare data access audit logs |
| NIS2 | Cybersecurity incident reporting |
| eIDAS 2.0 | Electronic signature and trust service evidence |
Creating Compliant Audit Records
Record Structure
A compliant ledger record must include:
```python
from softqcos.ledger import LedgerClient

client = LedgerClient(api_key="your-api-key")

record = client.append({
    "event_type": "data_access",
    "subject": "patient_record_12345",
    "actor": "dr.smith@hospital.com",
    "action": "read",
    "outcome": "success",
    "ip_address": "192.168.1.100",
    "timestamp": "2026-03-23T11:32:04Z",
    "data_classification": "PHI",             # HIPAA
    "legal_basis": "legitimate_interest"      # GDPR
})

print(record.record_id)    # rec_abc123
print(record.anchored_at)  # Immutable timestamp
```
Required Fields by Framework
| Field | SOC 2 | GDPR | HIPAA | ISO 27001 |
|---|---|---|---|---|
| timestamp | ✅ | ✅ | ✅ | ✅ |
| actor | ✅ | ✅ | ✅ | ✅ |
| action | ✅ | ✅ | ✅ | ✅ |
| outcome | ✅ | — | ✅ | ✅ |
| data_classification | — | ✅ | ✅ | ✅ |
| legal_basis | — | ✅ | ✅ | — |
| subject | ✅ | ✅ | ✅ | ✅ |
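A record that reaches the ledger without a field an auditor expects is immutable evidence of a gap, so the check belongs before `client.append`. The following pre-flight validator is an added example and not part of the SoftQCOS SDK: it encodes the matrix above, flags absent or empty fields per framework, and insists on the explicit UTC `Z` timestamp format used in this guide (the `SAMPLE` record is constructed here, with `legal_basis` deliberately left out).

```python
from datetime import datetime

# Required fields per framework, transcribed from the table above.
REQUIRED_FIELDS = {
    "soc2": {"timestamp", "actor", "action", "outcome", "subject"},
    "gdpr": {"timestamp", "actor", "action", "data_classification", "legal_basis", "subject"},
    "hipaa": {"timestamp", "actor", "action", "outcome", "data_classification",
              "legal_basis", "subject"},
    "iso27001": {"timestamp", "actor", "action", "outcome", "data_classification", "subject"},
}

def missing_fields(record, frameworks):
    """Map each failing framework to the sorted list of fields that are absent or empty."""
    problems = {}
    for fw in frameworks:
        required = REQUIRED_FIELDS[fw]  # an unknown framework raises KeyError on purpose
        missing = sorted(f for f in required if not record.get(f))
        if missing:
            problems[fw] = missing
    return problems

def valid_utc_timestamp(value):
    """Accept only ISO 8601 timestamps with an explicit 'Z' suffix, as in the example above;
    local or offset-less times make records hard to correlate across systems."""
    if not isinstance(value, str) or not value.endswith("Z"):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False
    return True

def check_record(record, frameworks):
    """Return every reason the record should not be appended; an empty list means it is clean."""
    errors = [f"{fw}: missing {', '.join(m)}" for fw, m in missing_fields(record, frameworks).items()]
    if not valid_utc_timestamp(record.get("timestamp")):
        errors.append("timestamp: must be ISO 8601 UTC ending in 'Z'")
    return errors

# Constructed sample: the record from the section above, minus legal_basis.
SAMPLE = {
    "event_type": "data_access", "subject": "patient_record_12345",
    "actor": "dr.smith@hospital.com", "action": "read", "outcome": "success",
    "ip_address": "192.168.1.100", "timestamp": "2026-03-23T11:32:04Z",
    "data_classification": "PHI",
}

if __name__ == "__main__":
    print(check_record(SAMPLE, ["soc2", "gdpr", "hipaa"]))
```

Run against `SAMPLE`, the SOC 2 check passes while GDPR and HIPAA both report the missing `legal_basis`, which is exactly the kind of discrepancy the per-framework matrix is meant to catch before the record is anchored.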
Generating Compliance Reports
Audit Report Export
```bash
# Export all records for a time range (SOC 2 annual audit)
softqcos ledger export \
  --from 2026-01-01 \
  --to 2026-12-31 \
  --format pdf \
  --output audit-report-2026.pdf
```
Programmatic Report Generation
```python
from softqcos.ledger import LedgerClient, ComplianceReporter

client = LedgerClient(api_key="your-api-key")
reporter = ComplianceReporter(client)

# Generate SOC 2 report
report = reporter.generate(
    framework="soc2",
    period_start="2026-01-01",
    period_end="2026-12-31"
)

report.save("soc2-audit-2026.pdf")
print(f"Records included: {report.record_count}")
print(f"Integrity verified: {report.all_valid}")
```
Data Retention
Configure retention policies to comply with regulatory requirements:
```python
from softqcos.ledger import LedgerClient

client = LedgerClient(api_key="your-api-key")

# Retain PHI access records for the HIPAA minimum, then erase by key destruction
client.set_retention_policy(
    policy_name="hipaa-6-years",
    retention_years=6,
    applies_to={"data_classification": "PHI"},
    deletion_method="cryptographic_erasure"  # GDPR-compliant deletion
)
```
| Regulation | Minimum Retention |
|---|---|
| HIPAA | 6 years |
| SOC 2 | 1 year |
| GDPR | As long as processing purpose exists |
| ISO 27001 | 3 years (recommended) |
Providing Evidence to Auditors
Share tamper-proof evidence bundles with auditors without granting API access:
```python
from softqcos.ledger import LedgerClient

client = LedgerClient(api_key="your-api-key")

# Export verifiable evidence bundle for a specific incident
bundle = client.export_evidence_bundle(
    record_ids=["rec_abc123", "rec_def456"],
    include_merkle_proofs=True,
    include_quantum_attestation=True
)

bundle.save("incident-evidence-2026-03-23.zip")
```
Auditors can verify this bundle independently using the open-source `softqcos-verify` tool:

```bash
softqcos-verify --bundle incident-evidence-2026-03-23.zip
```