{"generated_at":"2026-05-07T19:10:23.532Z","period":{"from":"2026-04-07","to":"2026-05-07"},"framework":"all","evidence":{"soc2":{"agent_success_rate_pct":15,"total_agent_runs":167,"successful_agent_runs":25,"approval_chain_records":0,"ledger_event_count":3,"last_state_transitions":[],"controls_mapped":[{"ref":"CC6.1","description":"Logical and physical access controls","status":"IMPLEMENTED","evidence":"RLS + service role JWT segregation"},{"ref":"CC7.2","description":"System monitoring","evidence":"proc_agent_runs full reasoning audit + proc_stuck_events view","status":"IMPLEMENTED"},{"ref":"CC8.1","description":"Change management","evidence":"supabase/migrations/ immutable history + agent kill switch","status":"IMPLEMENTED"},{"ref":"CC9.2","description":"Vendor management","evidence":"proc_suppliers risk ratings + rfp evaluation scoring","status":"IMPLEMENTED"}]},"iso27001":{"access_control_events":0,"config_change_events":0,"controls_mapped":[{"ref":"A.9.1.1","description":"Access control policy","evidence":"proc_user_roles + proc_approver_cost_centers","status":"IMPLEMENTED"},{"ref":"A.9.4.1","description":"Information access restriction","evidence":"RLS policies per user role, service_role bypass only for agents","status":"IMPLEMENTED"},{"ref":"A.12.1.2","description":"Change management","evidence":"supabase/migrations — all schema changes version-controlled","status":"IMPLEMENTED"},{"ref":"A.12.4.1","description":"Event logging","evidence":"proc_agent_runs, tsm_state_transitions, tsm_ledger_events","status":"IMPLEMENTED"},{"ref":"A.14.2.2","description":"System change control procedures","evidence":"Agent kill switch + operator approval for config changes","status":"IMPLEMENTED"},{"ref":"A.16.1.2","description":"Reporting information security events","evidence":"proc_agent_health_check() + AGENT_HEALTH_ALERT events","status":"IMPLEMENTED"}],"recent_access_events":[]},"gdpr":{"data_subjects_count":8,"supplier_records_count":16,"invoice_records_count":0,"processing_activities":[{"activity":"Procurement requisition processing","data_subjects":"Employees (requestors)","personal_data":"Name, email, department, Telegram ID (optional)","legal_basis":"Contractual necessity (employment contract)","retention":"7 years (Dutch accounting law)","location":"Supabase EU (Frankfurt)"},{"activity":"Supplier management","data_subjects":"Supplier contacts","personal_data":"Name, email, phone, IBAN","legal_basis":"Contractual necessity","retention":"7 years post-relationship","location":"Supabase EU (Frankfurt)"},{"activity":"Invoice processing","data_subjects":"Vendor contacts","personal_data":"Invoice metadata (no PII in LLM prompts)","legal_basis":"Legal obligation (Dutch VAT law)","retention":"10 years (fiscal records)","location":"Supabase EU (Frankfurt)"},{"activity":"AI agent reasoning","data_subjects":"None (pseudonymised)","personal_data":"Procurement metadata only — no names or emails sent to LLM","legal_basis":"Legitimate interest","retention":"90 days rolling","location":"OpenRouter US (anonymised)"}],"data_residency":"EU (Supabase Frankfurt region)","dpo_contact":"peter.slakhorst@gmail.com","retention_policy":"Financial records 10 years per Dutch law; operational logs 90 days rolling; PII deleted on data subject request within 30 days"}}}