Sample Evidence

This is what your auditor receives

Every API call through ACAI generates compliance evidence automatically. Below are real report formats — the same outputs your team downloads after signing up.

Sample HIPAA Compliance Report

Period: 2026-01-01 — 2026-03-31 · Generated: 4/1/2026

Overall Compliance Score

96%

9 controls evaluated · 8 passed · 1 advisory

§164.312(a)Access Control

PASS

All API keys scoped to individual users. MFA enforced via Entra ID. No shared credentials detected.

§164.312(c)Integrity Controls

PASS

SHA-256 checksums on all audit log entries. Tamper detection enabled. Zero integrity violations.

§164.312(e)Transmission Security

PASS

TLS 1.3 enforced on all endpoints. HSTS enabled. No plaintext transmissions detected.

§164.530(j)Audit & Retention

PASS

90-day audit log retention. 142,847 events captured. Export available in JSON/CSV.

§164.312(d)Authentication

PASS

Bearer token auth with per-key rate limits. Entra ID MFA for dashboard. Token rotation every 90 days enforced by policy.

§164.502(b)Minimum Necessary

WARN

PII detection enabled (14 patterns). 3 requests flagged with unredacted SSN — auto-redacted before model. Recommend client-side input validation.

§164.404Breach Notification

PASS

Zero breaches. Incident response runbook verified and tested (last: 2026-02-15). Notification timeline: 60 days.

§164.502(e)BAA Chain

PASS

BAA executed with Microsoft (Azure AI Foundry). Sub-processor list documented. ACAI BAA available for customer execution.

Audit Trail (last 5 requests)

Every API request is logged with model, token count, PII detection result, data classification, and compliance verdict.

Time	Model	Tokens	PII	Classification	Verdict
14:31:42Z	gpt-4.1-mini	847	none	internal	PASS
14:31:38Z	claude-sonnet-4-5	1,203	SSN (redacted)	confidential	PASS
14:31:35Z	deepseek-r1	2,104	none	public	PASS
14:31:29Z	gpt-4.1-mini	512	email (redacted)	confidential	PASS
14:31:22Z	phi-4	384	none	internal	PASS

What’s in an Evidence Pack

One ZIP file your auditor can review offline — generated automatically from your API usage.

Compliance Report

Framework-specific control mapping with pass/warn/fail verdicts and remediation guidance.

Audit Trail Export

Every API request: model, tokens, PII status, data classification, timestamp, correlation ID.

PII Detection Summary

Aggregate stats: patterns detected, redaction actions taken, false positive rate.

Encryption Attestation

TLS version, cipher suites, key rotation schedule, certificate chain.

Usage Analytics

Token consumption by model, cost breakdown, rate limit utilization, error budgets.

Policy Configuration

Active guardrails, content safety settings, data classification rules, retention policy.

Ready to generate your own?

Download Sample HIPAA Evidence Pack

Sample HIPAA Compliance Report

Period: 2026-01-01 — 2026-03-31 · Generated: 4/1/2026

Overall Compliance Score

96%

9 controls evaluated · 8 passed · 1 advisory

§164.312(a)Access Control

PASS

All API keys scoped to individual users. MFA enforced via Entra ID. No shared credentials detected.

§164.312(c)Integrity Controls

PASS

SHA-256 checksums on all audit log entries. Tamper detection enabled. Zero integrity violations.

§164.312(e)Transmission Security

PASS

TLS 1.3 enforced on all endpoints. HSTS enabled. No plaintext transmissions detected.

§164.530(j)Audit & Retention

PASS

90-day audit log retention. 142,847 events captured. Export available in JSON/CSV.

§164.312(d)Authentication

PASS

Bearer token auth with per-key rate limits. Entra ID MFA for dashboard. Token rotation every 90 days enforced by policy.

§164.502(b)Minimum Necessary

WARN

PII detection enabled (14 patterns). 3 requests flagged with unredacted SSN — auto-redacted before model. Recommend client-side input validation.

§164.404Breach Notification

PASS

Zero breaches. Incident response runbook verified and tested (last: 2026-02-15). Notification timeline: 60 days.

§164.502(e)BAA Chain

PASS

BAA executed with Microsoft (Azure AI Foundry). Sub-processor list documented. ACAI BAA available for customer execution.

Audit Trail (last 5 requests)

Every API request is logged with model, token count, PII detection result, data classification, and compliance verdict.

Time	Model	Tokens	PII	Classification	Verdict
14:31:42Z	gpt-4.1-mini	847	none	internal	PASS
14:31:38Z	claude-sonnet-4-5	1,203	SSN (redacted)	confidential	PASS
14:31:35Z	deepseek-r1	2,104	none	public	PASS
14:31:29Z	gpt-4.1-mini	512	email (redacted)	confidential	PASS
14:31:22Z	phi-4	384	none	internal	PASS

What’s in an Evidence Pack

One ZIP file your auditor can review offline — generated automatically from your API usage.

Compliance Report

Framework-specific control mapping with pass/warn/fail verdicts and remediation guidance.

Audit Trail Export

Every API request: model, tokens, PII status, data classification, timestamp, correlation ID.

PII Detection Summary

Aggregate stats: patterns detected, redaction actions taken, false positive rate.

Encryption Attestation

TLS version, cipher suites, key rotation schedule, certificate chain.

Usage Analytics

Token consumption by model, cost breakdown, rate limit utilization, error budgets.

Policy Configuration

Active guardrails, content safety settings, data classification rules, retention policy.