/compliance/reports (owner / admin only) carries five pre-baked reports auditors, compliance officers, and security reviewers expect to see. Every row is backed by Kodori's hash-chained audit log — verifiable, tamper-evident, point-in-time.
**The five reports:**
1. **Retention disposal log** — every document tombstoned via /retention/review or by retention class disposal. Records the actor, the retention class assignment, the disposal reason, and the audit-event id. The artifact 21 CFR Part 11 + SEC 17a-4 reviewers ask for first.
2. **Legal hold log** — every hold ever opened or released. Per-hold record includes matter ref, custodian list, peak subject count, opened-by + opened-at, released-by + released-at + release reason. Subjects are preserved post-release as audit evidence.
3. **Audit-chain verification log** — every chain-integrity verification (weekly Sunday 02:00 UTC cron + on-demand /audit verifier). Records timestamp, events walked, chain head hash. The artifact SOC 2 + 21 CFR Part 11 reviewers ask for as proof of "we verify even when no one's watching."
4. **DSAR fulfillment log** — every per-tenant zip and per-user data-access export (GDPR Article 15 / 20). Records the requester, what was included (caps that tripped), the audit-event id. The artifact GDPR Article 30 audits cite back to.
5. **SOC 2 control evidence map** — AICPA Trust Services Criteria (CC2.2, CC4.2, CC6.1, CC6.6, CC6.8, CC7.2, CC7.3, CC8.1, C1.1, C1.2 — the 10 most-asked) mapped to the Kodori implementation + an evidence pointer (a URL inside Kodori where the auditor can verify the control is live). Full 30-control mapping is at /security/controls.
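
What a chain-integrity verification like the one recorded in report 3 does, as an added example that is not Kodori's code. The hash construction (SHA-256 over the previous hash plus canonical JSON), the field names and the sample events are assumptions, since this page does not specify Kodori's scheme.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first event in the chain


def event_hash(prev_hash, payload):
    """Hash one event: SHA-256 over previous hash + canonical JSON (assumed scheme)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain, payload):
    """Append an event that commits to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "payload": payload, "hash": event_hash(prev, payload)})


def verify_chain(chain):
    """Walk the chain from the first event.

    Returns (ok, events_walked, head_hash, first_bad_index).
    On failure, events_walked counts the events that verified and
    head_hash is the last good hash.
    """
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prev_hash"] != prev or ev["hash"] != event_hash(prev, ev["payload"]):
            return False, i, prev, i
        prev = ev["hash"]
    return True, len(chain), prev, None


def build_sample_chain():
    """Constructed sample events, not real Kodori audit data."""
    chain = []
    append_event(chain, {"id": 1, "action": "legal_hold.opened", "actor": "admin@example.com"})
    append_event(chain, {"id": 2, "action": "document.tombstoned", "actor": "admin@example.com"})
    append_event(chain, {"id": 3, "action": "legal_hold.released", "actor": "owner@example.com"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))  # intact chain: all events walked
    chain[1]["payload"]["actor"] = "someone.else@example.com"  # edit a stored event
    print(verify_chain(chain))  # break reported at index 1
```

A chain rewritten end to end and re-hashed still passes this walk, so the head hash stored by an earlier verification is the value to compare a later walk against.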
**One-click CSV export.** Each report's view page has an Export CSV button that returns RFC-4180 CSV with quoted-everywhere format — pastes cleanly into Excel locale-imports, ready for the auditor's working papers. Capped at 500 rows inline; for larger exports use /api/tenant/export.
**Live data, no batch snapshot.** Reports query the live audit log + projection tables at request time. The numbers match what's in the system right now — auditors don't have to ask "when was this snapshot taken?" or trust a batch-job timestamp. Incumbents (iManage, NetDocuments, FileHold) require auditors to hand-build SQL queries against backup snapshots; Kodori delivers the same data point-and-click.
**Where this fits.**
- /compliance is the live operational dashboard (active holds count, retention queue depth, sensitivity histogram, audit-chain tip). Use it for daily compliance state.
- /compliance/reports is point-in-time evidence exports for auditor working papers. Use it before or during an audit.
- /audit is the raw event log. Use it to drill into a specific event after a report row identifies it.
The three pages cross-link.