# Compliance and forensic export with Precipiq

> How Precipiq supports EU AI Act Article 12 record-keeping, U.S. discovery requests, and cryptographically sealed forensic exports.

Precipiq is an evidentiary layer, not a compliance product. It gives you the records a compliance program needs — what the AI decided, when, with what confidence, and what happened afterward — and leaves the legal interpretation to qualified professionals.

<Warning>
  **Nothing on this page is legal advice.** Compliance requirements depend on your jurisdiction, your product, your contracts, and facts we don't have. Treat the content below as implementation guidance that your counsel will need to review before you rely on it in a regulated context.
</Warning>

## EU AI Act — Article 12 record-keeping

The EU AI Act's Article 12 requires providers of high-risk AI systems to keep automatic logs of events throughout the system's lifetime. Specifically:

* **(a)** period of each use
* **(b)** the reference database against which input data was checked
* **(c)** the input data for which the search led to a match
* **(d)** identification of the natural persons involved in verification

Precipiq's decision records map onto these requirements directly:

| Article 12 item | Precipiq field                                        |
| --------------- | ----------------------------------------------------- |
| Period of use   | `timestamp` + `created_at`                            |
| Input data      | `inputs` (JSON blob)                                  |
| Outputs         | `outputs` (JSON blob)                                 |
| Confidence      | `confidence` + `alternatives` (competing actions)     |
| Verifier        | `human_in_loop` + `metadata.reviewer_id` (caller-set) |
| Tamper-evidence | `hash` + `prev_hash` (the chain)                      |

Organisations subject to Article 12 typically also need to retain logs for the full lifetime of the AI system and surrender them on request. The forensic export flow below handles that.

## U.S. discovery

A typical U.S. class-action or FTC action demands evidence of what an automated system did to named plaintiffs. Precipiq's discovery-friendly surface area:

* Each decision is queryable by `agent_id`, `action_type`, time range, and `metadata.customer_id` (or whatever key you chose).
* The hash chain proves no record was added, removed, or altered after the fact.
* Soft-deleted records — such as rejected suggested links — remain in the forensic export, so a party cannot claim you scrubbed the log.

## Forensic export flow

Precipiq's forensic export endpoint produces a cryptographically sealed evidence bundle suitable for handoff to an auditor, regulator, or opposing counsel.

### What's in the bundle

| File                      | Contents                                                                                    |
| ------------------------- | ------------------------------------------------------------------------------------------- |
| `decisions.json`          | Every decision in the requested range, full fields, in chronological order.                 |
| `events.json`             | Every financial event in the requested range.                                               |
| `links.json`              | Every consequence link, including soft-deleted ones. Forensic exports preserve retractions. |
| `chain_verification.json` | A re-run of `verify_chain` at export time, with the starting and ending hashes pinned.      |
| `manifest.json`           | File names, SHA-256 checksums, and byte sizes for every file in the bundle.                 |
| `manifest.sig`            | An RSA-2048 signature over `manifest.json` using your org's signing key.                    |
| `precipiq-pubkey.pem`     | The public half of your org's signing key, so the recipient can verify independently.       |

Your org's signing key is generated at your first export, stored Fernet-encrypted at rest, and never leaves the API process in plaintext.

### Generating an export

Exports are asynchronous. The first request creates the export job and returns an `export_id`. Poll the status endpoint until `status` equals `"complete"`, then download the bundle.

<CodeGroup>
  ```bash REST
  curl -X POST https://api.precipiq.dev/api/v1/exports \
    -H 'X-Precipiq-Key: pq_test_demo_key_REPLACE_ME' \
    -H 'Content-Type: application/json' \
    -d '{
          "export_type": "forensic",
          "start_date": "2026-01-01T00:00:00Z",
          "end_date":   "2026-03-31T23:59:59Z"
        }'
  ```

  ```python Python
  # Exports are async. Poll until status == "complete".
  import time
  import httpx

  BASE = "https://api.precipiq.dev/api/v1/exports"
  h = {"X-Precipiq-Key": "pq_test_demo_key_REPLACE_ME"}
  r = httpx.post(
      BASE,
      json={
          "export_type": "forensic",
          "start_date": "2026-01-01T00:00:00Z",
          "end_date": "2026-03-31T23:59:59Z",
      },
      headers=h,
  )
  r.raise_for_status()  # surface HTTP errors here, not as a KeyError below
  export_id = r.json()["data"]["export_id"]

  # Client-side choice: stop polling after 30 minutes instead of looping forever.
  deadline = time.monotonic() + 30 * 60
  while True:
      resp = httpx.get(f"{BASE}/{export_id}", headers=h)
      resp.raise_for_status()
      s = resp.json()["data"]
      if s["status"] == "complete":
          break
      if time.monotonic() > deadline:
          raise TimeoutError(f"export {export_id} not complete: {s['status']}")
      time.sleep(5)

  # Download the bundle.
  with httpx.stream("GET", f"{BASE}/{export_id}/download", headers=h) as stream:
      stream.raise_for_status()  # never save an error body as the bundle
      with open("precipiq-export.zip", "wb") as f:
          for chunk in stream.iter_bytes():
              f.write(chunk)
  ```
</CodeGroup>

### Verifying a received bundle

Any third party holding the bundle can verify its integrity without contacting Precipiq:

```bash
# 1. Recompute each file's SHA-256 and check against the manifest.
# 2. Verify the RSA-2048 signature on manifest.json:
openssl dgst -sha256 -verify precipiq-pubkey.pem \
    -signature manifest.sig manifest.json
```

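A `Verified OK` response means the signature on `manifest.json` is valid for `precipiq-pubkey.pem`. Together with matching checksums from step 1, it is proof the bundle was produced by Precipiq's signing key and has not been altered since export time.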
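
Step 1 of the verification above, as an added example (not Precipiq's own code): it recomputes every file's size and SHA-256 against `manifest.json` and also reports files that sit in the bundle without a manifest entry. The manifest layout (a `files` list with `name`, `sha256`, `size`) and the exemption of `manifest.json` and `manifest.sig` are assumptions, since this page does not show the schema.

```python
import hashlib
import json
from pathlib import Path

# Assumption: these two are not listed in the manifest (a file cannot carry
# its own hash, and the signature is computed over the manifest).
UNLISTED = {"manifest.json", "manifest.sig"}


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB blocks so a large decisions.json is not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def check_bundle(bundle_dir: str) -> list[str]:
    """Return a list of findings; an empty list means every file matches."""
    root = Path(bundle_dir)
    # Assumed manifest layout: {"files": [{"name", "sha256", "size"}, ...]}
    manifest = json.loads((root / "manifest.json").read_text())
    findings, listed = [], set()
    for entry in manifest["files"]:
        name = entry["name"]
        # Refuse names that would resolve outside the bundle directory.
        if Path(name).name != name:
            findings.append(f"unsafe name in manifest: {name!r}")
            continue
        listed.add(name)
        path = root / name
        if not path.is_file():
            findings.append(f"missing: {name}")
        elif path.stat().st_size != entry["size"]:
            findings.append(f"size mismatch: {name}")
        elif sha256_file(path) != entry["sha256"].lower():
            findings.append(f"sha256 mismatch: {name}")
    # Files on disk that the signed manifest does not mention are unsigned.
    for path in sorted(root.iterdir()):
        if path.name not in listed and path.name not in UNLISTED:
            findings.append(f"not in manifest: {path.name}")
    return findings
```

Run the `openssl` signature check first, since the checksums are only meaningful once `manifest.json` itself is authenticated. Because `precipiq-pubkey.pem` travels inside the bundle, compare it with a copy of the key obtained through a separate channel before relying on the result.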

## Export types

| Type         | Contents                                                                           | Typical use                                     |
| ------------ | ---------------------------------------------------------------------------------- | ----------------------------------------------- |
| `forensic`   | Full evidence bundle described above.                                              | Legal proceedings, regulatory handoff.          |
| `compliance` | Subset tailored to EU AI Act Article 12 record structure. JSON + CSV summary.      | Audit submissions, internal compliance reviews. |
| `insurance`  | Anonymised, aggregate-only view for underwriters. No PII; decision IDs are hashed. | Cyber insurance applications and renewals.      |

## Rate limit

Exports are rate-limited to **one per hour per org**. A forensic bundle over 50,000 decisions is expensive to produce; if you need to generate exports more frequently, contact support.

## Compliance roadmap

<Info>
  These are planning targets, not commitments. Contact sales for the current status of any specific attestation.

  * **SOC 2 Type II** — planned; target window Q3 2026 subject to audit scheduling.
  * **FedRAMP Moderate** — being scoped for 2027.
  * **HIPAA BAA** — available on the Business plan and above. Contact sales for the signed BAA template.
</Info>
