Compliance & Audit Trail

ISO 9001, ISO 27001, and GDPR compliance features with automated audit trails, compliance reports, and regulatory evidence packages.

Last updated: 2025-02-18

Certexi is designed from the ground up for regulatory compliance. The immutable event ledger, cryptographic verification, and comprehensive evidence capture provide the foundation for ISO 9001, ISO 27001, and GDPR compliance.

Standards Support

ISO 9001 — Quality Management

Certexi supports ISO 9001 requirements through:

  • Document control — All procedures versioned and tracked in Nextcloud
  • Record keeping — Immutable event ledger with complete audit trail
  • Process monitoring — Real-time KPIs and workflow metrics
  • Nonconformity management — Incident tracking with corrective actions
  • Management review — Automated compliance reports and dashboards

ISO 27001 — Information Security

Information security controls implemented:

  • Access control — Role-based access with least-privilege defaults (see RBAC)
  • Cryptography — SHA-256 hashing, Merkle tree anchoring, TLS 1.3
  • Operations security — Structured logging, vulnerability scanning, change management
  • Communications security — HTTPS enforced, API rate limiting, input validation
  • Supplier relationships — Nextcloud integration audit logging

GDPR — Data Protection

⚠️ Data Processing

Certexi processes personal data (operator names, photos, location data). Ensure your Data Processing Agreement (DPA) covers all data categories and processing activities.

  • Data minimization — Only collect what's necessary for operations
  • Purpose limitation — Data used only for customs workflow management
  • Storage limitation — Configurable data retention policies
  • Right to access — Data export in standard formats
  • Right to erasure — Soft-delete with audit trail preservation
  • Data portability — Full export via API or bulk download

Compliance UI Components

Audit Log Entry

<Card className="w-full">
  <CardContent className="p-3">
    <div className="flex items-center gap-3">
      <Badge className="bg-blue-500 text-white text-[10px] shrink-0">CREATE</Badge>
      <div className="flex-1 min-w-0">
        <div className="text-sm font-medium">Transport Unit Created</div>
        <div className="text-xs text-muted-foreground">TU-2025-00042 — operator: carlos.mendez</div>
      </div>
      <div className="text-right shrink-0">
        <div className="text-xs font-mono">14:32:07 UTC</div>
        <div className="text-[10px] text-muted-foreground font-mono">sha256:a4f2e8...</div>
      </div>
    </div>
  </CardContent>
</Card>

ISO Compliance Checklist

<Card className="w-80">
  <CardHeader className="pb-2">
    <CardTitle className="text-sm">ISO 9001 Checklist</CardTitle>
    <CardDescription>Transport Unit TU-2025-00042</CardDescription>
  </CardHeader>
  <CardContent className="space-y-2">
    <div className="flex items-center gap-2 text-sm">
      <div className="w-4 h-4 rounded-full border-2 bg-green-500 border-green-500 text-white flex items-center justify-center text-[10px]"></div>
      <span>Entry documentation</span>
    </div>
    <div className="flex items-center gap-2 text-sm">
      <div className="w-4 h-4 rounded-full border-2 bg-green-500 border-green-500 text-white flex items-center justify-center text-[10px]"></div>
      <span>Weight verification</span>
    </div>
    <div className="flex items-center gap-2 text-sm">
      <div className="w-4 h-4 rounded-full border-2 bg-green-500 border-green-500 text-white flex items-center justify-center text-[10px]"></div>
      <span>Visual inspection</span>
    </div>
    <div className="flex items-center gap-2 text-sm">
      <div className="w-4 h-4 rounded-full border-2 border-muted-foreground/30 flex items-center justify-center text-[10px]" />
      <span className="text-muted-foreground">Supervisor approval</span>
    </div>
    <div className="flex items-center gap-2 text-sm">
      <div className="w-4 h-4 rounded-full border-2 border-muted-foreground/30 flex items-center justify-center text-[10px]" />
      <span className="text-muted-foreground">Exit seal verification</span>
    </div>
    <Progress value={60} className="h-1.5 mt-2" />
    <div className="text-xs text-muted-foreground text-right">3/5 complete</div>
  </CardContent>
</Card>

Audit Trail

Every action in Certexi creates an immutable audit record:

Field         Description
timestamp     Precise UTC timestamp
operator      Authenticated user who performed the action
action        What was done (create, update, approve, reject)
entity        What was affected (transport unit, slot, event)
evidence      Associated photos, scans, readings
hash          SHA-256 hash of the event bundle
merkle_root   Daily Merkle tree root for batch verification

Tamper Detection

The cryptographic chain ensures audit trail integrity:

  1. Each event is hashed individually (SHA-256)
  2. Daily events are combined into a Merkle tree
  3. Merkle roots are anchored via Flowhash Core
  4. Any modification to historical events breaks the hash chain
  5. Verification can be performed offline using the proof data
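The chain above, worked through as an added example (this is illustrative code, not Certexi's or Flowhash Core's implementation): each event bundle is hashed with SHA-256, the day's hashes are folded into a Merkle tree, and an inclusion proof lets anyone recheck one event against the anchored root offline. Canonical-JSON encoding, the self-pairing of an odd last node and the sample events are all assumptions.

```python
import hashlib
import json

def event_hash(event: dict) -> str:
    """SHA-256 of the event bundle; canonical JSON is an assumed encoding, not Certexi's."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def _pair_hash(left: str, right: str) -> str:
    return hashlib.sha256(bytes.fromhex(left) + bytes.fromhex(right)).hexdigest()

def merkle_levels(leaves: list) -> list:
    """Bottom-up levels of the daily tree; an odd last node is paired with itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([_pair_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root, tagged with the side the sibling sits on."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        padded = level + ([level[-1]] if len(level) % 2 else [])
        sibling = index ^ 1
        proof.append(("R" if sibling > index else "L", padded[sibling]))
        index //= 2
    return proof

def verify_proof(leaf_hash: str, proof: list, root: str) -> bool:
    """Offline check: recompute the path to the root using only the proof data."""
    h = leaf_hash
    for side, sibling in proof:
        h = _pair_hash(h, sibling) if side == "R" else _pair_hash(sibling, h)
    return h == root

# Constructed sample events in the page's audit-record shape (not real Certexi data).
EVENTS = [
    {"timestamp": "2025-02-18T14:32:07Z", "operator": "carlos.mendez", "action": "create", "entity": "TU-2025-00042"},
    {"timestamp": "2025-02-18T14:40:12Z", "operator": "carlos.mendez", "action": "update", "entity": "TU-2025-00042"},
    {"timestamp": "2025-02-18T15:01:55Z", "operator": "ana.supervisor", "action": "approve", "entity": "TU-2025-00042"},
]

def demo() -> tuple:
    leaves = [event_hash(e) for e in EVENTS]
    root = merkle_levels(leaves)[-1][0]           # the value that gets anchored
    proof = inclusion_proof(leaves, 1)            # kept with the event for offline checks
    tampered = dict(EVENTS[1], operator="someone.else")
    return verify_proof(leaves[1], proof, root), verify_proof(event_hash(tampered), proof, root)
```

`demo()` returns `(True, False)`: the genuine event verifies against the anchored root while the edited copy, which changes a single field, does not.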

Compliance Reports

Automated Report Generation

Certexi generates compliance reports on demand or on schedule:

  • Daily operations summary — Throughput, incidents, approvals
  • Weekly compliance digest — Non-conformities, corrective actions, KPIs
  • Monthly management review — Trend analysis, SLA compliance, risk assessment
  • Annual audit package — Full evidence bundle for external auditors

Report Formats

  • PDF with digital signatures
  • CSV/Excel for data analysis
  • JSON for system integration
  • Structured archive (.zip) with evidence files

Incident Management

When non-conformities are detected:

  1. Detect — Automated alerts or manual reporting
  2. Record — Incident logged with severity, category, and evidence
  3. Investigate — Root cause analysis using the Time Machine
  4. Correct — Corrective action assigned and tracked
  5. Verify — Follow-up verification with evidence
  6. Close — Incident closed with lessons learned

Data Retention

Configurable retention policies per data category:

Data Type                Default Retention   Configurable
Audit events             7 years             Yes
Evidence photos          5 years             Yes
CCTV recordings          90 days             Yes
Transport unit records   7 years             Yes
Operator activity logs   2 years             Yes

💡 Legal Hold

Data subject to legal proceedings or regulatory investigation can be placed on legal hold, overriding normal retention policies.
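An added example of how the retention table and the legal-hold override combine into a single per-record decision (illustrative code, not Certexi's own policy engine). It assumes a 365-day year, that configured overrides are expressed in days, and that expiry is the soft-delete the GDPR section describes; the sample records are constructed.

```python
from datetime import date, timedelta

# Defaults from the page's retention table; a "year" is taken as 365 days (an assumption).
DEFAULT_RETENTION_DAYS = {
    "audit_event": 7 * 365,
    "evidence_photo": 5 * 365,
    "cctv_recording": 90,
    "transport_unit_record": 7 * 365,
    "operator_activity_log": 2 * 365,
}

def disposition(record, today, overrides=None, legal_holds=frozenset()):
    """Decide the fate of one record: 'hold', 'retain' or 'expire'.

    Precedence: legal hold > configured override > table default. A record whose
    entity is under legal hold is never expired, however old it is.
    """
    if record["entity"] in legal_holds:
        return "hold"
    days = (overrides or {}).get(record["type"], DEFAULT_RETENTION_DAYS[record["type"]])
    return "expire" if today >= record["created"] + timedelta(days=days) else "retain"

def expired_records(records, today, overrides=None, legal_holds=frozenset()):
    """Records due for expiry. Expiry is modelled as the page's soft-delete: the audit
    record stays, only the payload (photo, recording) is removed."""
    return [r for r in records if disposition(r, today, overrides, legal_holds) == "expire"]

# Constructed sample records (not real Certexi data).
RECORDS = [
    {"type": "cctv_recording", "entity": "TU-2025-00042", "created": date(2024, 11, 1)},
    {"type": "cctv_recording", "entity": "TU-2025-00043", "created": date(2025, 2, 1)},
    {"type": "evidence_photo", "entity": "TU-2019-00007", "created": date(2019, 6, 1)},
    {"type": "audit_event", "entity": "TU-2019-00007", "created": date(2019, 6, 1)},
]
```

Run against `date(2025, 2, 18)`, the first CCTV recording and the 2019 photo are due for expiry while the 2019 audit event is retained for its full seven years; placing TU-2025-00042 on legal hold turns its expiry into a hold.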