
Compliance Documentation

How Tork helps you meet regulatory requirements for AI governance across SOX, PCI-DSS, HIPAA, GDPR, and the EU AI Act.


Why AI Compliance Matters

As AI systems increasingly make or influence business decisions, regulators are extending existing compliance frameworks to cover AI. Organizations using AI for financial reporting, payment processing, healthcare, or personal data processing must demonstrate that their AI systems are governed, auditable, and compliant.

Tork provides the infrastructure to enforce policies, generate audit trails, require human oversight, and protect sensitive data—all mapped to specific regulatory requirements.

SOX (Sarbanes-Oxley)

Internal controls over financial reporting for public companies.

What SOX Requires for AI Systems

When AI systems influence financial reporting, SOX Sections 302 and 404 require documented internal controls, management certification, and auditable processes. AI decisions affecting revenue recognition, expense classification, or fraud detection must have proper oversight.

SOX Requirement → Tork Feature Mapping

| Requirement | Tork Feature | How It Helps |
|---|---|---|
| Section 302 - Management Certification | HITL Enforcement | Require executive sign-off on AI decisions affecting financial statements. |
| Section 404 - Internal Controls | Policy Engine + Audit Trails | Enforce documented policies with blockchain-anchored audit logs for every AI decision. |
| Control Documentation | Compliance Receipts | Generate blockchain-verified receipts with timestamps, hashes, and decision rationale. |
| Segregation of Duties | Agent Permissions | Define separate permissions for AI agents handling different financial functions. |
| Change Management | Policy Versioning | Track all policy changes with version history and approval workflows. |
| Audit Trail Retention | 7-Year Log Retention | Configurable retention periods meeting the SOX 7-year requirement. |

Example: SOX-Compliant HITL Policy

```yaml
# sox-hitl-policy.tork.yaml
version: "1.0"
name: sox-financial-controls
description: SOX-compliant HITL for financial AI decisions

rules:
  - name: require-approval-high-value
    action: escalate
    condition: transaction_value > 10000
    hitl:
      required: true
      approvers:
        - role: finance_manager
        - role: compliance_officer
      timeout_hours: 24
      audit_reason: "SOX Section 302 management certification"

  - name: flag-material-changes
    action: warn
    condition: affects_financial_statements
    hitl:
      required: true
      approvers:
        - role: cfo
      audit_reason: "Material change requires executive sign-off"

audit:
  retention_days: 2555  # 7 years for SOX
  immutable: true
  include_approver_identity: true
```

Example: Generating Audit Trails

```python
from tork import TorkClient

client = TorkClient(api_key="tork_live_xxx")

# Every evaluation generates a blockchain-anchored audit trail
result = client.evaluate(
    prompt="Process financial transaction",
    response="Transaction approved for $50,000",
    metadata={
        "user_id": "finance_admin_001",
        "transaction_id": "TXN-2024-001234",
        "department": "accounts_payable",
        "sox_control": "AP-001"
    }
)

# Access the compliance receipt
receipt = result.compliance_receipt
print(f"Receipt ID: {receipt.id}")
print(f"Timestamp: {receipt.timestamp}")  # ISO 8601, cryptographically verifiable
print(f"Hash: {receipt.content_hash}")     # SHA-256 integrity hash
print(f"Decision: {receipt.decision}")
```
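An auditor will want to check receipts without trusting the system that produced them. The following is an added example, not Tork SDK code: it reads the receipt fields the snippet above prints (id, timestamp, content_hash, decision), recomputes the SHA-256 content hash from the evaluated prompt, response and metadata, and verifies a hash chain linking consecutive receipts so that a rewritten, deleted or reordered entry is detected. The canonical-JSON hashing scheme, the chaining rule and the `prev_chain_hash`/`chain_hash` fields are assumptions made for illustration; Tork's actual receipt format is not documented on this page.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first receipt (assumption)


def canonical_json(obj) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_hash(prompt: str, response: str, metadata: dict) -> str:
    """SHA-256 over the canonical JSON of what was evaluated (assumed scheme)."""
    payload = {"prompt": prompt, "response": response, "metadata": metadata}
    return hashlib.sha256(canonical_json(payload)).hexdigest()


def chain_hash(prev_chain_hash: str, content_hash_hex: str, timestamp: str) -> str:
    """Link each receipt to its predecessor so the log is tamper-evident."""
    link = f"{prev_chain_hash}|{content_hash_hex}|{timestamp}".encode("utf-8")
    return hashlib.sha256(link).hexdigest()


@dataclass(frozen=True)
class Receipt:
    id: str
    timestamp: str
    content_hash: str
    decision: str
    prev_chain_hash: str
    chain_hash: str


def issue_receipt(receipt_id: str, timestamp: str, decision: str, prompt: str,
                  response: str, metadata: dict, prev: Optional[Receipt]) -> Receipt:
    prev_hash = prev.chain_hash if prev else GENESIS
    c_hash = content_hash(prompt, response, metadata)
    return Receipt(receipt_id, timestamp, c_hash, decision, prev_hash,
                   chain_hash(prev_hash, c_hash, timestamp))


def verify_content(receipt: Receipt, prompt: str, response: str, metadata: dict) -> bool:
    """Does the receipt still match the content it was issued for?"""
    return hmac.compare_digest(content_hash(prompt, response, metadata), receipt.content_hash)


def verify_chain(receipts: List[Receipt]) -> bool:
    """Walk the log from the genesis anchor; any break, deletion or reorder fails."""
    prev_hash = GENESIS
    for r in receipts:
        if r.prev_chain_hash != prev_hash:
            return False
        if not hmac.compare_digest(chain_hash(prev_hash, r.content_hash, r.timestamp), r.chain_hash):
            return False
        prev_hash = r.chain_hash
    return True


# Constructed sample evaluations, not real transactions:
# (receipt_id, timestamp, decision, prompt, response, metadata)
SAMPLE_EVALUATIONS = [
    ("rcpt_0001", "2024-11-05T14:02:11Z", "approved",
     "Process financial transaction", "Transaction approved for $50,000",
     {"user_id": "finance_admin_001", "transaction_id": "TXN-2024-001234",
      "department": "accounts_payable", "sox_control": "AP-001"}),
    ("rcpt_0002", "2024-11-05T14:07:45Z", "escalated",
     "Process financial transaction", "Transaction held for finance_manager approval ($250,000)",
     {"user_id": "finance_admin_001", "transaction_id": "TXN-2024-001235",
      "department": "accounts_payable", "sox_control": "AP-001"}),
    ("rcpt_0003", "2024-11-05T15:30:02Z", "approved",
     "Process financial transaction", "Transaction approved for $1,200",
     {"user_id": "finance_admin_002", "transaction_id": "TXN-2024-001236",
      "department": "accounts_payable", "sox_control": "AP-001"}),
]


def build_sample_chain() -> List[Receipt]:
    receipts: List[Receipt] = []
    prev: Optional[Receipt] = None
    for rid, ts, decision, prompt, response, meta in SAMPLE_EVALUATIONS:
        prev = issue_receipt(rid, ts, decision, prompt, response, meta, prev)
        receipts.append(prev)
    return receipts


def audit_summary() -> dict:
    """What an auditor's check would report on the sample log."""
    chain = build_sample_chain()
    first = SAMPLE_EVALUATIONS[0]
    return {
        "chain_intact": verify_chain(chain),
        # someone edits the approved amount after the fact
        "tampered_amount_detected": not verify_content(chain[0], first[3], "Transaction approved for $500,000", first[5]),
        # the middle receipt was removed from the log
        "deletion_detected": not verify_chain([chain[0], chain[2]]),
    }


if __name__ == "__main__":
    print(audit_summary())
```

A chain like this proves internal consistency only; detecting truncation of the newest receipts still needs the latest `chain_hash` to be anchored somewhere the log owner cannot rewrite, which is the role the page assigns to its blockchain anchoring.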

PCI-DSS

Payment Card Industry Data Security Standard for cardholder data protection.

What PCI-DSS Requires

PCI-DSS v4.0 has 12 requirements covering cardholder data protection. AI systems that process, store, or transmit card data must protect it, restrict access, encrypt transmissions, and maintain detailed audit logs.

PCI-DSS Requirement → Tork Feature Mapping

| Requirement | Tork Feature | How It Helps |
|---|---|---|
| Req 3 - Protect Stored Data | PII/Card Detection + Redaction | Automatically detect and redact PANs, CVVs, and expiry dates in AI interactions. |
| Req 4 - Encrypt Transmissions | TLS 1.3 + E2E Encryption | All API communications encrypted with TLS 1.3. Optional E2E encryption for content. |
| Req 7 - Restrict Access | Agent Permissions + RBAC | Define which agents can access card data, with IP allowlists and rate limits. |
| Req 8 - Identify Users | API Key Authentication | Unique API keys per agent with a full audit trail of all actions. |
| Req 10 - Track Access | Immutable Audit Logs | Log all access to cardholder data with timestamps, user IDs, and actions. |
| Req 11 - Test Security | Policy Testing + TORKING-X | Test policies before deployment. Continuous security scoring. |
| Req 12 - Security Policies | Policy Engine | Enforce documented security policies for all AI interactions. |

Example: Detecting and Redacting Card Data

```python
from tork import TorkClient

client = TorkClient(api_key="tork_live_xxx")

# Detect and redact cardholder data (PCI-DSS Requirement 3)
result = client.evaluate(
    prompt="Customer payment info: 4111-1111-1111-1111, exp 12/25",
    checks=["pii", "credit_card"],
    redact=True
)

if result.has_pii:
    print("Cardholder data detected!")
    print(f"Types found: {result.pii_types}")  # ['credit_card', 'expiry_date']
    print(f"Redacted: {result.redacted_content}")
    # Output: "Customer payment info: [CREDIT_CARD], exp [EXPIRY_DATE]"

# Log for PCI-DSS audit trail (Requirement 10); forward this record to your
# log pipeline. It references the receipt rather than the card data itself.
audit_log = {
    "event": "cardholder_data_detected",
    "action": "redacted",
    "timestamp": result.timestamp,
    "receipt_id": result.compliance_receipt.id,
    "pci_requirement": "3.4"
}
```

Example: PCI-DSS Access Control Policy

```yaml
# pci-access-control.tork.yaml
version: "1.0"
name: pci-access-controls
description: PCI-DSS Requirement 7 - Restrict access to cardholder data

agents:
  - id: payment-processor
    permissions:
      - read_card_data
      - process_transactions
    allowed_ips:
      - "10.0.0.0/8"
    rate_limit: 1000
    pci_scope: true

  - id: customer-service
    permissions:
      - read_masked_card  # Last 4 digits only
    pci_scope: false

rules:
  - name: block-unauthorized-card-access
    action: block
    condition: |
      agent.pci_scope == false AND
      content.contains_full_card_number
    log_level: critical
    alert:
      - security_team
      - pci_qsa

encryption:
  at_rest: AES-256
  in_transit: TLS-1.3
  key_rotation_days: 90
```
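The two PCI examples above rely on two pieces of logic that are worth seeing in the open: how a full card number is recognised in free text, and how the `block-unauthorized-card-access` rule behaves for each agent. The following added example (not Tork's detector or policy engine) implements both in plain Python: candidate PANs are found with a regular expression and confirmed with the Luhn checksum so that phone numbers and order ids are not flagged, expiry dates are redacted alongside them, and the rule is applied to the `payment-processor` and `customer-service` agents as declared in the policy. Input strings are constructed; the detector's exact regex, the `mask_pan` helper and the deny-by-default branch for an in-scope agent without `read_card_data` are assumptions, not documented Tork behaviour.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Expiry date written as MM/YY or MM/YYYY.
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[re.Match, str]]:
    """Return (match, bare digits) for every Luhn-valid candidate in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append((m, digits))
    return found


def redact_card_data(text: str) -> Tuple[str, List[str]]:
    """Replace PANs and expiry dates with placeholders; report the types found."""
    types: List[str] = []
    out = text
    pans = find_pans(out)
    if pans:
        types.append("credit_card")
        for m, _ in reversed(pans):  # splice from the end so earlier offsets stay valid
            out = out[:m.start()] + "[CREDIT_CARD]" + out[m.end():]
    if EXPIRY_RE.search(out):
        types.append("expiry_date")
        out = EXPIRY_RE.sub("[EXPIRY_DATE]", out)
    return out, types


def mask_pan(digits: str) -> str:
    """Last four digits only: the view a read_masked_card agent may receive."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Agent:
    id: str
    pci_scope: bool
    permissions: FrozenSet[str]


# Agents as declared in pci-access-control.tork.yaml above
PAYMENT_PROCESSOR = Agent("payment-processor", True, frozenset({"read_card_data", "process_transactions"}))
CUSTOMER_SERVICE = Agent("customer-service", False, frozenset({"read_masked_card"}))


def evaluate_card_access(agent: Agent, content: str) -> dict:
    """Apply rule block-unauthorized-card-access to one piece of content."""
    pans = find_pans(content)
    if not pans:
        return {"action": "allow", "content": content, "alerts": []}
    redacted, _ = redact_card_data(content)
    if not agent.pci_scope:
        # agent.pci_scope == false AND content.contains_full_card_number
        return {"action": "block", "log_level": "critical",
                "alerts": ["security_team", "pci_qsa"], "content": redacted}
    if "read_card_data" in agent.permissions:
        return {"action": "allow", "content": content, "alerts": []}
    # In PCI scope but lacking the permission: deny by default (assumption).
    return {"action": "block", "log_level": "high", "alerts": ["security_team"], "content": redacted}


if __name__ == "__main__":
    sample = "Customer payment info: 4111-1111-1111-1111, exp 12/25"  # constructed test PAN
    print(redact_card_data(sample))
    print(evaluate_card_access(CUSTOMER_SERVICE, sample))
```

The blocked result hands back the redacted text rather than the original, so a log or alert payload built from it never carries the PAN; if customer-service genuinely needs the last four digits, serve `mask_pan(digits)` from a PCI-scoped component instead of relaxing the rule.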

HIPAA

Health Insurance Portability and Accountability Act for protected health information.

HIPAA requires covered entities and business associates to protect PHI (Protected Health Information). AI systems handling patient data, medical records, or healthcare communications must implement appropriate safeguards.

HIPAA Requirement → Tork Feature Mapping

| Requirement | Tork Feature | How It Helps |
|---|---|---|
| Privacy Rule - PHI Protection | PHI Detection + Redaction | Detect and redact the 18 HIPAA identifiers, including MRNs, SSNs, and health conditions. |
| Security Rule - Access Controls | Agent Permissions + HITL | Restrict PHI access to authorized agents with required human approval. |
| Security Rule - Audit Controls | Compliance Receipts | Generate audit logs for all PHI access with 6-year retention. |
| Breach Notification | Alerting + Webhooks | Immediate alerts when PHI exposure is detected in AI outputs. |

HIPAA Business Associate Agreement

Enterprise customers can sign a BAA with Tork. View BAA template →

GDPR

EU General Data Protection Regulation for personal data protection.

GDPR applies to any organization processing EU residents' personal data. AI systems must implement data minimization, purpose limitation, and support data subject rights including access, rectification, and erasure.

GDPR Requirement → Tork Feature Mapping

| Requirement | Tork Feature | How It Helps |
|---|---|---|
| Article 5 - Data Minimization | PII Detection + Redaction | Automatically minimize personal data in AI interactions. |
| Article 17 - Right to Erasure | Data Retention Policies | Configure automatic deletion of personal data after the retention period. |
| Article 22 - Automated Decisions | HITL Enforcement | Require human oversight for AI decisions with significant effects. |
| Article 30 - Records of Processing | Audit Trails | Maintain records of all AI processing activities. |

Example: GDPR-Compliant Policy

```yaml
# gdpr-policy.tork.yaml
version: "1.0"
name: gdpr-data-protection
description: GDPR Article 5 - Data minimization and purpose limitation

rules:
  - name: minimize-personal-data
    action: redact
    condition: personal_data_detected
    redact_types:
      - name
      - email
      - address
      - phone
    log_purpose: true

  - name: enforce-retention
    action: delete
    condition: data_age > retention_period
    audit_reason: "GDPR Article 17 - Right to erasure"

  - name: require-consent-context
    action: block
    condition: |
      processing_personal_data AND
      NOT consent_verified
    message: "Processing requires valid consent"

data_subject_rights:
  access_request: enabled
  rectification: enabled
  erasure: enabled
  portability: enabled
```
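The `enforce-retention` and `require-consent-context` rules above, and the erasure right the policy enables, each turn on a small calculation that is easy to get wrong (naive timestamps, off-by-one on the retention boundary, erasure requests that only delete expired data). The following added example, not part of Tork, shows those three decisions in plain Python over a constructed set of records: retention is evaluated per data category, consent gates processing, and a data subject's Article 17 request deletes everything held on them regardless of age. The record fields, the `RETENTION_DAYS` values and the audit-entry shape are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed retention periods per data category, in days. GDPR does not fix
# these numbers; they follow from the stated purpose of each category.
RETENTION_DAYS: Dict[str, int] = {
    "support_chat": 365,
    "marketing_lead": 180,
}


@dataclass(frozen=True)
class PersonalRecord:
    id: str
    subject_id: str          # the data subject this record belongs to
    category: str
    collected_at: datetime   # must be timezone-aware
    consent_verified: bool


def data_age_days(record: PersonalRecord, now: datetime) -> int:
    """Age in whole days; refuses naive timestamps rather than guessing a zone."""
    if record.collected_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware to compute retention")
    return (now - record.collected_at).days


def retention_decisions(records: List[PersonalRecord], now: datetime) -> List[dict]:
    """Rule enforce-retention: data_age > retention_period -> delete."""
    decisions = []
    for r in records:
        period = RETENTION_DAYS.get(r.category)
        if period is None:
            # No purpose-bound period defined: fail closed and flag it (assumption).
            decisions.append({"record_id": r.id, "action": "block",
                              "audit_reason": f"no retention period defined for category {r.category}"})
            continue
        age = data_age_days(r, now)
        if age > period:
            decisions.append({"record_id": r.id, "action": "delete", "age_days": age,
                              "audit_reason": "GDPR Article 17 - Right to erasure"})
        else:
            decisions.append({"record_id": r.id, "action": "retain", "days_remaining": period - age})
    return decisions


def consent_gate(record: PersonalRecord) -> dict:
    """Rule require-consent-context: processing_personal_data AND NOT consent_verified -> block."""
    if not record.consent_verified:
        return {"record_id": record.id, "action": "block", "message": "Processing requires valid consent"}
    return {"record_id": record.id, "action": "allow"}


def erasure_request(records: List[PersonalRecord], subject_id: str, now: datetime) -> List[dict]:
    """Article 17 request from a data subject: erase all of their records, whatever their age."""
    return [{"record_id": r.id, "action": "delete", "requested_at": now.isoformat(),
             "audit_reason": "GDPR Article 17 - data subject erasure request"}
            for r in records if r.subject_id == subject_id]


# Constructed sample data; the clock is fixed so the example is reproducible.
NOW = datetime(2024, 12, 31, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    PersonalRecord("rec-1", "ds-17", "support_chat", datetime(2023, 1, 1, tzinfo=timezone.utc), True),
    PersonalRecord("rec-2", "ds-42", "support_chat", datetime(2024, 10, 1, tzinfo=timezone.utc), True),
    PersonalRecord("rec-3", "ds-42", "marketing_lead", datetime(2024, 11, 15, tzinfo=timezone.utc), False),
]


def run_sample() -> dict:
    return {
        "retention": retention_decisions(SAMPLE_RECORDS, NOW),
        "consent": [consent_gate(r) for r in SAMPLE_RECORDS],
        "erasure_ds_42": erasure_request(SAMPLE_RECORDS, "ds-42", NOW),
    }


if __name__ == "__main__":
    for section, rows in run_sample().items():
        print(section, rows)
```

Each decision carries the `audit_reason` string from the policy so the resulting log entries can be matched back to the rule that produced them, which is what an Article 30 record of processing needs.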

Data Processing Agreement

GDPR-compliant DPA with Standard Contractual Clauses available. View DPA →

EU AI Act

EU regulation on artificial intelligence systems and risk classification.

The EU AI Act classifies AI systems by risk level and imposes requirements including human oversight, transparency, and documentation. High-risk AI systems (including those used in employment, credit, and critical infrastructure) face the strictest requirements.

EU AI Act Requirement → Tork Feature Mapping

| Requirement | Tork Feature | How It Helps |
|---|---|---|
| Article 14 - Human Oversight | HITL Enforcement | Configurable human-in-the-loop for high-risk AI decisions. |
| Article 9 - Risk Management | TORKING-X Metrics | Continuous risk assessment and scoring across multiple dimensions. |
| Article 12 - Record Keeping | Audit Trails + Receipts | Automatic logging of all AI system operations. |
| Article 13 - Transparency | Decision Explanations | Explain AI decisions with policy violations and confidence scores. |
| Article 10 - Data Governance | Policy Engine | Enforce data quality and governance rules for AI training/inference. |

EU AI Act Timeline

The EU AI Act enters into force in stages from 2024-2027. High-risk AI systems must comply by August 2026. Start implementing governance now to ensure readiness.

TORKING-X Compliance Scoring

Continuous compliance monitoring and risk assessment.

TORKING-X provides a unified compliance score across all frameworks, helping you identify gaps and track improvement over time.

```python
from tork import TorkClient

client = TorkClient(api_key="tork_live_xxx")

# Get TORKING-X compliance score for risk assessment
metrics = client.get_torking_x_score(
    evaluation_id="eval_abc123",
    frameworks=["sox", "pci_dss", "hipaa"]
)

print(f"Overall Score: {metrics.overall_score}/100")
print(f"SOX Compliance: {metrics.frameworks.sox.score}")
print(f"PCI-DSS Compliance: {metrics.frameworks.pci_dss.score}")

# Dimensions breakdown
print(f"Audit Trail Coverage: {metrics.dimensions.audit_trail}")
print(f"Access Control Score: {metrics.dimensions.access_control}")
print(f"Data Protection: {metrics.dimensions.data_protection}")
print(f"Human Oversight: {metrics.dimensions.human_oversight}")

# Export for compliance reporting
report = client.generate_compliance_report(
    period="Q4-2024",
    frameworks=["sox", "pci_dss"],
    format="pdf"
)
```

Scoring Dimensions

- Audit Trail Coverage: completeness of logging
- Access Control: permission enforcement
- Data Protection: PII/PHI handling
- Human Oversight: HITL implementation
- Policy Enforcement: rule compliance rate
- Incident Response: alert handling speed

Compliance Implementation Checklist

Steps to achieve compliance with Tork

1. Enable audit logging with an appropriate retention period (7 years for SOX, 6 years for HIPAA)
2. Configure PII detection for the relevant data types (PAN, PHI, personal data)
3. Define HITL policies for high-risk decisions
4. Set up agent permissions with least-privilege access
5. Enable TLS 1.3 and configure encryption settings
6. Create alerting webhooks for compliance violations
7. Implement data retention and deletion policies
8. Generate an initial TORKING-X compliance report
9. Schedule quarterly compliance reviews

Need Help with Compliance?

Our compliance team can help you map Tork features to your specific regulatory requirements and audit preparations.
