Compliance Reports
Generate automated compliance reports for SOC 2, GDPR, HIPAA, and other regulatory frameworks
Automated compliance reporting helps your organization demonstrate adherence to regulatory frameworks including SOC 2, GDPR, HIPAA, PCI DSS, and ISO 27001.
Overview
MongoDash generates comprehensive compliance reports by analyzing:
- Audit log data
- Security configurations
- Access control policies
- Data retention settings
- Encryption status
- User activity patterns
Compliance reports are available exclusively on Enterprise plans and are generated from your audit logs and security settings.
Supported Frameworks
SOC 2 Type II
System and Organization Controls 2 (SOC 2) reports are organized around five trust services categories (the AICPA Trust Services Criteria):
- Security - Protection against unauthorized access
- Availability - System uptime and operational performance
- Processing Integrity - Accurate and timely processing
- Confidentiality - Protection of confidential information
- Privacy - Collection, use, retention, and disposal of personal information
MongoDash provides evidence for:
- Access control implementation (CC6.1, CC6.2, CC6.3)
- Logical and physical access controls (CC6.6, CC6.7)
- System monitoring (CC7.2)
- Change management (CC8.1)
GDPR (General Data Protection Regulation)
Reports provide evidence for:
- Article 30: Records of processing activities
- Article 32: Security of processing
- Article 33: Notification of a personal data breach to the supervisory authority
- Articles 15-17: Data subject rights (access, rectification, erasure)
HIPAA (Health Insurance Portability and Accountability Act)
Evidence for HIPAA Security Rule requirements (45 CFR Part 164, Subpart C):
- 164.308(a)(1): Security management process
- 164.308(a)(3): Workforce security
- 164.308(a)(4): Information access management
- 164.312(a)(1): Access control
- 164.312(b): Audit controls
- 164.312(d): Person or entity authentication
PCI DSS
Payment Card Industry Data Security Standard compliance:
- Requirement 8: Identify and authenticate access
- Requirement 10: Track and monitor all access to network resources
- Requirement 11: Regularly test security systems

Generating Reports
Navigate to Workspace Settings > Audit & Compliance > Compliance Reports.
Click Generate New Report and select your compliance framework.
Configure report parameters:
- Reporting period (monthly, quarterly, annually)
- Specific controls or articles to include
- Additional context or custom sections
Click Generate Report. Processing typically takes 2-5 minutes depending on data volume.
Download the completed report in your preferred format (PDF, DOCX, or JSON).

Report Contents
Executive Summary
Each report includes:
- Compliance Status: Overall pass/fail/partial for each control
- Period Covered: Date range for the assessment
- Scope: Systems and data covered by the report
- Key Findings: Summary of compliance gaps or issues
- Recommendations: Actions to address identified gaps
Detailed Control Evidence
For each control requirement:
```json
{
  "control": "SOC2-CC6.1",
  "description": "Logical and Physical Access Controls",
  "status": "compliant",
  "evidence": [
    {
      "type": "configuration",
      "description": "Role-based access control enabled",
      "verified": "2024-02-24T10:00:00Z"
    },
    {
      "type": "audit_log",
      "description": "1,247 access control events logged",
      "period": "2024-01-01 to 2024-01-31",
      "sample_events": 10
    },
    {
      "type": "policy",
      "description": "Minimum password requirements enforced",
      "settings": {
        "minLength": 12,
        "requireNumbers": true,
        "requireSymbols": true,
        "require2FA": true
      }
    }
  ],
  "gaps": [],
  "testing_performed": "Reviewed access logs, verified RBAC configuration, tested authentication controls"
}
```
Audit Trail Analysis
Statistical analysis of audit logs:
- Authentication Events
  - Total login attempts: 15,234
  - Failed login attempts: 89 (0.58%)
  - Unique users: 127
  - 2FA enforcement rate: 100%
- Data Access Events
  - Document reads: 1,245,678
  - Document writes: 23,456
  - Unauthorized access attempts: 0
  - Average query execution time: 45ms
- Administrative Events
  - User role changes: 12
  - Permission modifications: 34
  - Configuration changes: 8
  - All changes authorized and logged
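The figures above are derived from the audit log. The following added example, which is not MongoDash code, shows how they are computed from audit events shaped like the auditor-access entry on this page, and adds the check behind "All changes authorized and logged": an administrative change made by a role that may not make one. The action names (`auth.login.*`, `document.*`, `access.denied`, `user.role.changed`, `configuration.changed`), the `mfa` flag on the actor, and the sample events themselves are constructed for the example, not documented MongoDash event types.

```python
"""Added example (not MongoDash code): derive the Audit Trail Analysis figures
from audit events and flag administrative changes by unauthorized roles.
Event shape follows the auditor-access log entry on this page; action names
and the actor "mfa" flag are assumptions."""
from collections import Counter

# Constructed sample events for January 2024 (not real MongoDash data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-02T09:01:00Z", "action": "auth.login.success",
     "actor": {"type": "user", "email": "alice@company.com", "role": "admin", "mfa": True}},
    {"timestamp": "2024-01-02T09:05:00Z", "action": "auth.login.failure",
     "actor": {"type": "user", "email": "bob@company.com", "role": "developer", "mfa": False}},
    {"timestamp": "2024-01-02T09:06:00Z", "action": "auth.login.success",
     "actor": {"type": "user", "email": "bob@company.com", "role": "developer", "mfa": True}},
    {"timestamp": "2024-01-02T10:00:00Z", "action": "document.read",
     "actor": {"type": "user", "email": "bob@company.com", "role": "developer"}},
    {"timestamp": "2024-01-02T10:01:00Z", "action": "document.write",
     "actor": {"type": "user", "email": "bob@company.com", "role": "developer"}},
    {"timestamp": "2024-01-03T11:00:00Z", "action": "user.role.changed",
     "actor": {"type": "user", "email": "alice@company.com", "role": "admin"}},
    {"timestamp": "2024-01-15T14:32:10Z", "action": "auth.login.success",
     "actor": {"type": "auditor", "email": "auditor@audit-firm.com", "role": "auditor", "mfa": True}},
    {"timestamp": "2024-01-15T14:40:00Z", "action": "access.denied",
     "actor": {"type": "auditor", "email": "auditor@audit-firm.com", "role": "auditor"},
     "resource": {"type": "configuration", "id": "security.settings"}},
    # An auditor is read-only; a configuration change by one must be flagged.
    {"timestamp": "2024-01-16T08:00:00Z", "action": "configuration.changed",
     "actor": {"type": "auditor", "email": "auditor@audit-firm.com", "role": "auditor"}},
]

LOGIN_ACTIONS = {"auth.login.success", "auth.login.failure"}
CHANGE_ACTIONS = {"user.role.changed", "permission.modified", "configuration.changed"}
# Roles permitted to make administrative changes (assumed policy for the example).
CHANGE_AUTHORIZED_ROLES = {"admin"}


def audit_trail_stats(events):
    """Return the figures shown under Audit Trail Analysis.
    2FA enforcement is measured as the share of successful logins with mfa=True."""
    logins = [e for e in events if e["action"] in LOGIN_ACTIONS]
    failed = [e for e in logins if e["action"] == "auth.login.failure"]
    successes = [e for e in logins if e["action"] == "auth.login.success"]
    mfa_logins = [e for e in successes if e["actor"].get("mfa")]
    counts = Counter(e["action"] for e in events)
    return {
        "total_login_attempts": len(logins),
        "failed_login_attempts": len(failed),
        "failed_login_rate": round(len(failed) / len(logins), 4) if logins else 0.0,
        "unique_users": len({e["actor"]["email"] for e in logins}),
        "mfa_enforcement_rate": round(len(mfa_logins) / len(successes), 4) if successes else 0.0,
        "document_reads": counts["document.read"],
        "document_writes": counts["document.write"],
        "unauthorized_access_attempts": counts["access.denied"],
        "role_changes": counts["user.role.changed"],
        "permission_modifications": counts["permission.modified"],
        "configuration_changes": counts["configuration.changed"],
    }


def unauthorized_changes(events):
    """Administrative changes made by an actor whose role is not in
    CHANGE_AUTHORIZED_ROLES. Any result contradicts 'All changes authorized and logged'
    and belongs in the report's gap analysis, not just its statistics."""
    return [e for e in events
            if e["action"] in CHANGE_ACTIONS
            and e["actor"].get("role") not in CHANGE_AUTHORIZED_ROLES]


if __name__ == "__main__":
    print(audit_trail_stats(SAMPLE_EVENTS))
    print(unauthorized_changes(SAMPLE_EVENTS))
```

Counting denied attempts (`access.denied`) separately from successful but unauthorized changes matters: the first shows the access controls working, the second shows them failing, and a report that rolls both into one number hides the difference.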
Security Configuration
Current security posture:
| Control | Status | Details |
|---|---|---|
| Data Encryption at Rest | Enabled | AES-256 encryption |
| Data Encryption in Transit | Enabled | TLS 1.3 |
| Multi-Factor Authentication | Required | All users enrolled |
| Session Timeout | Configured | 30 minutes inactive |
| Password Policy | Enforced | 12+ chars, complexity required |
| IP Allowlisting | Optional | Available but not enabled |
| Audit Logging | Enabled | 90-day retention |
Maintain consistent security configurations across reporting periods to simplify compliance audits.
Scheduled Reporting
Automated Report Generation
Configure automatic report generation on a schedule:
Go to Compliance Reports > Scheduled Reports.
Click New Schedule and configure:
- Framework (SOC 2, GDPR, HIPAA, etc.)
- Frequency (monthly, quarterly, annually)
- Report format (PDF, DOCX, JSON)
- Delivery method (email, webhook, S3)
Add recipients or delivery endpoints.
Click Create Schedule to activate automated reporting. A report lists your security configuration and any open gaps, so treat it as confidential and restrict delivery endpoints (mailboxes, webhook receivers, S3 buckets) to the people who need it.
Example Schedule Configuration
```json
{
  "name": "Monthly SOC 2 Report",
  "framework": "SOC2",
  "frequency": "monthly",
  "schedule": {
    "dayOfMonth": 1,
    "time": "09:00 UTC"
  },
  "format": "pdf",
  "delivery": {
    "method": "email",
    "recipients": [
      "compliance@company.com",
      "security@company.com"
    ],
    "subject": "Monthly SOC 2 Compliance Report - {{period}}",
    "includeAttachment": true
  },
  "options": {
    "includeExecutiveSummary": true,
    "includeDetailedEvidence": true,
    "includeRemediationPlan": false
  }
}
```
Custom Report Templates
Creating Custom Templates
Tailor reports to your organization's specific requirements:
- Start with a framework template - Use SOC 2, GDPR, or HIPAA as a base
- Add custom controls - Include organization-specific requirements
- Configure sections - Choose which evidence types to include
- Customize branding - Add logos, headers, and footers
- Define mappings - Map MongoDash controls to your internal control framework
Template Example
```yaml
template:
  name: "Custom SOC 2 + Internal Controls"
  based_on: "SOC2-TypeII"
  sections:
    - executive_summary
    - scope_and_methodology
    - control_environment
    - detailed_evidence
    - gap_analysis
    - remediation_plan
  custom_controls:
    - id: "INT-001"
      category: "Data Classification"
      description: "Verify data classification labels applied to collections"
      evidence_sources:
        - collection_metadata
        - audit_logs
    - id: "INT-002"
      category: "Vendor Management"
      description: "Document third-party integrations and data sharing"
      evidence_sources:
        - webhook_configurations
        - api_key_usage
  branding:
    logo_url: "https://company.com/logo.png"
    header_text: "Company Name - Internal Audit Report"
    footer_text: "Confidential - For Internal Use Only"
    primary_color: "#1a73e8"
```

Gap Analysis and Remediation
Identifying Gaps
Reports automatically identify compliance gaps:
- Configuration Gaps: Required security settings not enabled
- Process Gaps: Insufficient audit trail or documentation
- Coverage Gaps: Areas without adequate monitoring
- Policy Gaps: Missing or outdated security policies
Remediation Tracking
Review the Gap Analysis section of your report.
Click Create Remediation Plan for any identified gaps.
Assign remediation tasks to team members:
- Description of the gap
- Required actions
- Assigned owner
- Due date
- Priority level
Track progress in the Remediation Dashboard.
Re-run the compliance report to verify gaps are closed.
Example Gap and Remediation
```json
{
  "gap": {
    "id": "GAP-2024-001",
    "control": "GDPR-Article-32",
    "severity": "medium",
    "description": "Audit log retention period (90 days) may be insufficient for some data breach investigations",
    "detected": "2024-02-24T10:00:00Z"
  },
  "remediation": {
    "action": "Extend audit log retention to 1 year",
    "assigned_to": "security-team@company.com",
    "due_date": "2024-03-15",
    "status": "in_progress",
    "steps": [
      "Review regulatory retention requirements",
      "Evaluate storage costs for extended retention",
      "Update retention policy in MongoDash",
      "Document change in compliance procedures"
    ]
  }
}
```
Evidence Collection
Supporting Documentation
Attach additional evidence to strengthen reports:
- Policies and Procedures: Upload security policies, incident response plans
- Training Records: Document user security training completion
- Penetration Test Results: Include external security assessments
- Vendor Certifications: Attach AWS, MongoDB Atlas SOC 2 reports
- Risk Assessments: Include organizational risk assessment documentation
Evidence Repository
Store all compliance documentation in the integrated evidence repository:
- Navigate to Audit & Compliance > Evidence Repository
- Upload documents organized by framework and control
- Tag evidence with relevant controls and reporting periods
- Link evidence to compliance reports automatically
The evidence repository supports version control, ensuring historical evidence remains accessible for multi-year audits.
Auditor Access
Granting Auditor Permissions
Provide read-only access to external auditors:
Go to Workspace Settings > Team Members.
Click Invite Member and enter auditor email address.
Assign the Auditor role, which provides:
- Read-only access to audit logs
- Access to compliance reports
- View-only access to security configurations
- No ability to modify data or settings
Set an expiration date for auditor access (e.g., 30 days).
Click Send Invitation.
Audit Trail for Auditors
All auditor access is logged:
```json
{
  "timestamp": "2024-02-24T14:32:10Z",
  "action": "audit.report.viewed",
  "actor": {
    "type": "auditor",
    "email": "auditor@audit-firm.com",
    "role": "auditor"
  },
  "resource": {
    "type": "compliance_report",
    "id": "rpt_soc2_2024_q1",
    "framework": "SOC2"
  },
  "metadata": {
    "ipAddress": "198.51.100.42",
    "duration": "15 minutes"
  }
}
```
API Access
Generate and retrieve reports programmatically:
```bash
# Generate a new SOC 2 report. The API key is read from the environment
# (set MONGODASH_API_KEY beforehand) rather than typed into the command.
curl -X POST https://api.mongodash.com/v1/compliance/reports \
  -H "Authorization: Bearer $MONGODASH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "SOC2",
    "period": {
      "start": "2024-01-01",
      "end": "2024-03-31"
    },
    "format": "json",
    "options": {
      "includeEvidence": true,
      "includeGapAnalysis": true
    }
  }'

# Download an existing report
curl https://api.mongodash.com/v1/compliance/reports/rpt_soc2_2024_q1 \
  -H "Authorization: Bearer $MONGODASH_API_KEY" \
  --output soc2-report-q1-2024.pdf
```
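The same two endpoints driven from Python, as an added example that is not MongoDash code, with a roll-up of the per-control objects shown under Detailed Control Evidence. Assumptions, not documented behaviour: the POST response is a JSON object carrying the new report's `id`, a JSON-format report holds its control objects in a `controls` list, and the `fake_send` transport and `CONSTRUCTED_REPORT` below are constructed so the logic runs offline. The transport is injected so the same client talks to the real API when `MONGODASH_API_KEY` is set.

```python
"""Added example (not MongoDash code): generate and fetch a compliance report
through the two REST endpoints shown on this page, then roll up its controls.
Assumptions: POST returns {"id": ...}; a JSON report has a "controls" list."""
import json
import os
import urllib.request
from collections import Counter

API_BASE = "https://api.mongodash.com/v1"


def http_send(method, url, api_key, body=None):
    """Real transport: one HTTPS request, JSON in and JSON out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


class ComplianceClient:
    def __init__(self, api_key, send=http_send):
        if not api_key:
            raise ValueError("set MONGODASH_API_KEY; do not pass the key on the command line")
        self.api_key = api_key
        self.send = send  # injectable so the logic can be exercised offline

    def generate(self, framework, start, end):
        body = {"framework": framework,
                "period": {"start": start, "end": end},
                "format": "json",
                "options": {"includeEvidence": True, "includeGapAnalysis": True}}
        return self.send("POST", f"{API_BASE}/compliance/reports", self.api_key, body)

    def fetch(self, report_id):
        return self.send("GET", f"{API_BASE}/compliance/reports/{report_id}", self.api_key)


def summarize_controls(report):
    """Roll up controls shaped like the Detailed Control Evidence object.
    A 'compliant' control with an empty evidence list is flagged separately:
    an auditor will not accept a status the report cannot substantiate."""
    controls = report["controls"]
    return {
        "by_status": dict(Counter(c.get("status", "unknown") for c in controls)),
        "with_gaps": [c["control"] for c in controls if c.get("gaps")],
        "compliant_without_evidence": [c["control"] for c in controls
                                       if c.get("status") == "compliant" and not c.get("evidence")],
    }


# --- offline demo with constructed responses (not real API output) ---
CONSTRUCTED_REPORT = {
    "id": "rpt_soc2_2024_q1",
    "controls": [
        {"control": "SOC2-CC6.1", "status": "compliant",
         "evidence": [{"type": "configuration", "description": "Role-based access control enabled"}],
         "gaps": []},
        {"control": "SOC2-CC7.2", "status": "partial", "evidence": [],
         "gaps": ["Alerting on repeated failed logins not configured"]},
        {"control": "SOC2-CC8.1", "status": "compliant", "evidence": [], "gaps": []},
    ],
}
CALLS = []  # records every request the fake transport receives


def fake_send(method, url, api_key, body=None):
    CALLS.append((method, url, body))
    if method == "POST":
        return {"id": "rpt_soc2_2024_q1", "status": "processing"}  # assumed response shape
    return CONSTRUCTED_REPORT


def demo(send=fake_send):
    client = ComplianceClient("demo-key", send=send)
    job = client.generate("SOC2", "2024-01-01", "2024-03-31")
    # Against the real API, wait for generation (2-5 minutes) before fetching.
    report = client.fetch(job["id"])
    return summarize_controls(report)


if __name__ == "__main__":
    key = os.environ.get("MONGODASH_API_KEY", "")
    if key:
        print(json.dumps(summarize_controls(ComplianceClient(key).fetch("rpt_soc2_2024_q1")), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The `compliant_without_evidence` list is the item to review before an audit: the page's own evidence object shows that a control claim is backed by configuration, audit-log and policy evidence, and a control that carries none should be treated as a process gap rather than a pass.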
Best Practices
Continuous Compliance
- Generate reports regularly - Don't wait until audit season
- Review gaps promptly - Address compliance issues as they're identified
- Maintain documentation - Keep evidence current and organized
- Train your team - Ensure everyone understands compliance requirements
Audit Preparation
- Run preliminary reports - Generate draft reports 30 days before audit
- Address gaps early - Fix issues before auditors arrive
- Organize evidence - Prepare supporting documentation in advance
- Test auditor access - Verify that an Auditor-role invitation works and is limited to read-only access before the auditors arrive
Documentation Standards
- Version control - Track changes to policies and procedures
- Change logging - Document why security configurations changed
- Review schedules - Establish regular review cycles for policies
- Approval workflows - Maintain records of policy approvals
What's Next?
- Audit Logs - Configure detailed activity logging
- Data Retention - Set up data lifecycle policies
- Role Management - Configure access controls for compliance