Compliance
MeetLoyd provides enterprise-grade compliance features to help you meet regulatory requirements and maintain strong governance over your AI operations.
Enterprise customers have access to the Compliance Cockpit - a dedicated command center with advanced features including:
- Real-time compliance scoring across all frameworks
- Evidence vault with cryptographic verification
- AI risk registry and impact assessments
- External auditor portal
- Scheduled report generation
- Policy lifecycle management
Access it from the Compliance button in the top navigation bar.
Supported Frameworks
MeetLoyd supports 9 major regulatory compliance frameworks with real-time control monitoring and automated evidence collection.
SOC 2 Type II
MeetLoyd maintains SOC 2 Type II compliance with 19 Trust Services Criteria controls:
| Category | Controls | Examples |
|---|---|---|
| Security (CC) | 12 | SSO, MFA, access reviews, encryption, incident response |
| Availability (A) | 2 | System monitoring, recovery planning |
| Processing Integrity (PI) | 1 | Data integrity controls |
| Confidentiality (C) | 1 | Data retention policies |
| Risk & Change (CC3, CC8) | 3 | Risk assessment, change management |
GDPR
Comprehensive GDPR compliance with 19 controls covering all key articles:
| Category | Articles | Controls |
|---|---|---|
| Principles | Art. 5 | Purpose limitation, storage limitation |
| Lawfulness | Art. 6, 7 | Legal basis, consent management |
| Data Subject Rights | Art. 15-22 | Access, erasure, portability, rectification, automated decision-making |
| Transparency | Art. 12, 13 | Privacy notices, information disclosure |
| Security | Art. 25, 32 | Privacy by design, security measures |
| Accountability | Art. 30, 33, 35 | Processing records, breach notification, DPIA |
AI-Specific: Article 22 controls for automated decision-making safeguards and human intervention rights.
HIPAA
Healthcare compliance with 18 controls across all safeguard types:
| Safeguard | Sections | Controls |
|---|---|---|
| Administrative | 164.308 | Security management, workforce security, incident procedures |
| Physical | 164.310 | Facility controls, device/media controls |
| Technical | 164.312 | Access control, audit controls, transmission security |
EU AI Act (Enterprise)
First-to-market EU AI Act compliance with 12 controls:
| Category | Articles | Controls |
|---|---|---|
| Classification | Art. 6, 8 | High-risk AI classification, compliance requirements |
| Risk & Quality | Art. 9, 17 | Risk management, quality management system |
| Data & Docs | Art. 10, 11, 12 | Data governance, documentation, record-keeping |
| Transparency | Art. 13, 50 | User information, AI content marking |
| Oversight | Art. 14, 26 | Human oversight, deployer obligations |
| Security | Art. 15 | Accuracy, robustness, cybersecurity |
ISO 42001 (Enterprise)
AI Management System standard with 9 controls:
- Organizational context and leadership commitment
- AI risk assessment and AI impact assessment
- AI competence and system design
- Human oversight mechanisms
- Monitoring and continual improvement
ISO 27001
Information security management with 7 control domains:
- Security policies (A.5)
- Security organization (A.6)
- Access control (A.9)
- Cryptography (A.10)
- Operations security (A.12)
- Incident management (A.16)
- Compliance (A.18)
Additional Enterprise Frameworks
| Framework | Focus | Controls |
|---|---|---|
| SOX | Financial controls | Audit trails, access controls |
| DORA | EU financial ICT resilience | Operational resilience |
| NIS2 | EU cybersecurity | Critical infrastructure |
| PCI-DSS | Payment card security | Data protection |
| AMF/CIF | French wealth management | Regulatory compliance |
Data Handling
Encryption
All data is encrypted:
| Data State | Encryption |
|---|---|
| At Rest | AES-256 |
| In Transit | TLS 1.3 |
| Backups | AES-256 |
| API Keys | Hashed (bcrypt) |
Data Residency
Choose where your data is stored:
| Region | Location |
|---|---|
| US | AWS us-east-1 (N. Virginia) |
| EU | AWS eu-west-1 (Ireland) |
| APAC | AWS ap-southeast-1 (Singapore) |
Enterprise customers can request additional regions.
Data Isolation
Multi-tenant architecture with strict isolation:
- Tenant-level database isolation
- Separate encryption keys per tenant
- Network-level segmentation
- No cross-tenant data access
Audit Logging
What's Logged
All sensitive operations are logged:
| Category | Events |
|---|---|
| Authentication | Login, logout, MFA events |
| Agents | Create, update, delete, execute |
| Data Access | Memory reads/writes, API calls |
| Admin Actions | User management, settings changes |
| Security Events | Failed logins, permission changes |
Log Format
{
"id": "log_abc123",
"timestamp": "2024-01-15T10:00:00Z",
"tenantId": "tenant_xyz",
"userId": "user_456",
"action": "agent.execute",
"resourceType": "agent",
"resourceId": "agent_789",
"ipAddress": "192.168.1.100",
"userAgent": "Mozilla/5.0...",
"success": true,
"metadata": {
"agentName": "Support Agent",
"executionTime": 1500
}
}
Log Access
const logs = await client.audit.list({
startDate: '2024-01-01',
endDate: '2024-01-31',
action: 'agent.execute',
userId: 'user-123'
});
Log Export
Export logs to external SIEM systems:
- Splunk
- Datadog
- Sumo Logic
- AWS CloudWatch
- Custom webhook
Access Controls
Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| Viewer | Read agents, view conversations |
| Developer | Create/edit agents, run tasks |
| Admin | Manage users, settings, billing |
| Owner | Full access, transfer ownership |
Custom Roles
Create custom roles for fine-grained control:
await client.roles.create({
name: 'Support Manager',
permissions: [
'agents:read',
'agents:execute',
'conversations:read',
'conversations:write',
'tasks:read'
]
});
IP Allowlisting
Restrict access to specific IP ranges:
await client.security.setIpAllowlist({
enabled: true,
ranges: [
'192.168.1.0/24',
'10.0.0.0/8'
]
});
Retention
Data Retention Policies
Configure how long data is retained:
| Data Type | Default Retention | Configurable |
|---|---|---|
| Conversation Messages | 90 days | Yes |
| Agent Memory | Indefinite | Yes |
| Audit Logs | 1 year | Yes (min 90 days) |
| Task Runs | 30 days | Yes |
| Analytics | 2 years | Yes |
Configure Retention
await client.compliance.setRetentionPolicy({
conversationMessages: {
retentionDays: 365,
deleteAfterExpiry: true
},
auditLogs: {
retentionDays: 730, // 2 years
archiveAfterDays: 365
},
taskRuns: {
retentionDays: 90
}
});
Automated Deletion
Enable automatic data deletion:
await client.compliance.enableAutoDeletion({
enabled: true,
gracePeriodDays: 7, // Warning before deletion
notifyAdmins: true
});
Data Export Before Deletion
Export data before automatic deletion:
await client.compliance.setPreDeletionExport({
enabled: true,
destination: 's3://your-bucket/exports',
format: 'json'
});
Legal Hold
Prevent deletion for compliance/legal reasons:
// Place data on legal hold
await client.compliance.createLegalHold({
name: 'Investigation 2024-001',
scope: {
userIds: ['user-123'],
dateRange: {
start: '2024-01-01',
end: '2024-03-31'
}
}
});
// Data under hold won't be deleted
Privacy Controls
Data Minimization
Control what data agents can access:
await client.agents.update('agent-123', {
dataAccess: {
piiAccess: false,
allowedFields: ['name', 'email'],
blockedFields: ['ssn', 'credit_card']
}
});
Consent Management
Track user consent:
await client.privacy.recordConsent({
userId: 'user-123',
consentType: 'data_processing',
granted: true,
timestamp: new Date().toISOString(),
source: 'web_form'
});
Data Subject Requests
Handle GDPR/CCPA requests:
// Right to access
const data = await client.privacy.exportUserData('user-123');
// Right to erasure
await client.privacy.deleteUserData('user-123', {
includeConversations: true,
includeMemory: true,
retainAuditLogs: true // May be required for compliance
});
// Right to portability
const export = await client.privacy.exportPortable('user-123', {
format: 'json',
includeAgentInteractions: true
});
Compliance Reports API
Generate Reports
Generate compliance reports for SOC 2, GDPR, HIPAA, or combined frameworks:
POST /api/compliance/reports/generate
{
"reportType": "combined",
"reportName": "Q1 2026 Compliance Report",
"frameworks": ["soc2", "gdpr", "hipaa"],
"periodStart": "2026-01-01",
"periodEnd": "2026-03-31",
"format": "pdf",
"includeEvidence": true,
"includeRecommendations": true
}
Report Types
| Type | Description |
|---|---|
soc2 | SOC 2 Type II controls |
gdpr | GDPR data protection |
hipaa | HIPAA healthcare compliance |
combined | Multiple frameworks in one report |
custom | Custom framework selection |
Check Framework Controls
View real-time compliance status for any framework:
GET /api/compliance/frameworks/soc2/controls
Response:
{
"framework": "soc2",
"score": 87,
"summary": {
"total": 18,
"passing": 14,
"failing": 1,
"warning": 2,
"notConfigured": 1
},
"controls": [
{
"id": "CC1.1",
"name": "Single Sign-On (SSO)",
"category": "security",
"status": "passing",
"details": "2 active SSO connections"
}
]
}
List Generated Reports
GET /api/compliance/reports?reportType=soc2&status=completed
Download Report
GET /api/compliance/reports/{reportId}
Returns the full report with evidence and recommendations.
Scheduled Reports
Automate compliance reporting on a schedule:
POST /api/compliance/schedules
{
"name": "Monthly SOC 2 Report",
"reportType": "soc2",
"frequency": "monthly",
"dayOfMonth": 1,
"timeOfDay": "09:00",
"timezone": "America/New_York",
"emailRecipients": ["compliance@company.com", "ciso@company.com"],
"webhookUrl": "https://your-system.com/compliance-webhook"
}
Schedule Frequencies
| Frequency | Options |
|---|---|
weekly | dayOfWeek (0-6, Sunday=0) |
monthly | dayOfMonth (1-31) |
quarterly | dayOfMonth, monthOfYear |
annually | dayOfMonth, monthOfYear |
Manage Schedules
# List schedules
GET /api/compliance/schedules
# Toggle schedule
PATCH /api/compliance/schedules/{id}/toggle
{ "enabled": false }
# Delete schedule
DELETE /api/compliance/schedules/{id}
Certifications & Reports
Available Documents
| Document | Availability |
|---|---|
| SOC 2 Type II Report | On request (NDA) |
| Penetration Test Summary | On request |
| Privacy Policy | Public |
| Terms of Service | Public |
| DPA | On request |
| BAA (HIPAA) | Enterprise only |
Request Documents
Contact compliance@meetloyd.com or through the Dashboard:
- Go to Settings → Security
- Click Compliance Documents
- Request specific documents
Compliance Dashboard
Monitor your compliance posture:
- Go to Settings → Compliance
- View compliance score
- See outstanding items
- Download reports
Compliance Score
Your compliance score is based on:
- MFA adoption rate
- SSO configuration
- Audit log retention
- Data retention policies
- IP allowlisting
- Role configuration
- Access review completion
Best Practices
1. Enable MFA
Require MFA for all users, especially admins.
2. Use SSO
Integrate with your identity provider for centralized access control.
3. Configure Retention
Set appropriate retention policies for your compliance needs.
4. Monitor Audit Logs
Regularly review audit logs for suspicious activity.
5. Limit Permissions
Follow the principle of least privilege for user roles.
6. Regular Access Reviews
Periodically review who has access to what.
Next: Learn about Audit Logs for detailed activity tracking.