When an auditor asks for evidence, they don’t want a dashboard login — they want a file. OrcaRouter lets a workspace Admin generate a compliance report in CSV, JSON, or PDF, where CSV is a flat, section-tagged row stream any auditor can open in a spreadsheet, sort, and grep. One file carries coverage, enforcement counts, consent, change history, and admin access for a single framework over a chosen period. This page covers the CSV evidence export specifically: who can generate it, what the columns mean, and how it ties back to the signed, verifiable report. For the broader catalog-to-go-live flow, start at the compliance overview.

1. Why export AI audit evidence as a CSV

A signed PDF is the artifact you hand a reviewer; a CSV is the artifact a reviewer actually works in. The same evidence bundle renders to either — CSV just flattens every section into one table with a fixed seven-column header so an auditor can filter by section, sort by at_utc, or grep a control id without opening your console.

PDF

The presentable artifact. The first PDF is free to demo on any plan.

CSV

The flat, section-tagged table an auditor opens in a spreadsheet. Paid.

JSON

The same evidence as structured records for your own pipeline. Paid.
Every format is built from the same evidence bundle and the same content hash — CSV is a rendering, not a different report. Switching format doesn’t change what the evidence says, only how it reads.

2. Who can export, and what it costs

Browsing and reading your readiness posture is free for every member. Generating a report is an Admin action: the free plan includes one PDF report, while CSV/JSON export and additional reports require a paid plan. The check is enforced server-side, so a direct API call can’t bypass it.
Action                        Role    Plan
Browse catalog / readiness    Member  Free
Generate first PDF            Admin   Free
Generate CSV / JSON           Admin   Paid
Free plans include one PDF report to demo the artifact. CSV and JSON export, plus any additional reports, require a paid plan — the server returns an upgrade prompt otherwise, regardless of how the call is made. See plan gating for the full free/paid map.

3. One concrete export

The export is a two-call flow from the console: an Admin generates the report (async — it returns pending immediately), then downloads the artifact once it is ready. Both routes use your console session (UserAuth), not a relay key.
Step 1: Generate the report as CSV (Admin, paid)

Pick a framework and a period, choose CSV, and generate. The report is queued and rendered server-side from your real enforcement data for that window.
# Session-authenticated (UserAuth), Admin + paid plan. Driven from the console.
POST /api/compliance/reports
{
  "framework": "soc2",
  "format": "csv",
  "period_start": 1717200000,
  "period_end": 1719792000
}
PII (member and actor emails) is masked by default in every export. Opt into unredacted emails only when your auditor requires it — privacy is the default, not the exception.
Step 2: Download the artifact (Admin)

Once the report is ready, download it. The file streams with an attachment header so it lands as a .csv ready to open in a spreadsheet.
GET /api/compliance/reports/{id}/download
# → text/csv attachment
A report is stamped with your workspace’s data-residency region at generation time. If you later change the region, the old artifact is withheld and you must regenerate it — cross-region reads are not served.

4. What the CSV contains

The CSV is one coherent table: a fixed seven-column header, and a section tag on every row so a single file carries all of its sections. Row order is deterministic — two renders of the same evidence produce byte-identical CSV.
section, id, name, clause_or_action, status_or_value, detail, at_utc
Framework, jurisdiction, the reporting period, who mapped the controls, a disclaimer, and the stamped data-residency region.
One row per mapped control: its id, name, clause, status, and the plane (guardrails or firewall) that enforces it.
Period totals: guardrail violations, and firewall allowed / blocked / audited counts — the real enforcement record, not a claim.
Guardrail version changes (operation + author) and audit-log changes, each timestamped — the tamper-evident history of your policy edits.
Admin actor, action, and the resource touched — the privileged-access trail auditors look for.
Controls with no coverage, tagged gateway-enforceable or organizational so you know which gaps you close in policy versus process.
Your AI subprocessors, an access review of keys (status + expiry), and the admin user roster.
Every free-text cell is defused against spreadsheet formula injection — a value beginning with =, +, -, or @ is prefixed with a literal quote so opening the file never executes a payload that rode in on a matched substring.
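The section-tagged layout and the formula-defusing rule above, as an added example that is not OrcaRouter's own code: a minimal renderer that applies the quote prefix and a deterministic row order, a parser that regroups the flat stream by section tag, and a consumer-side check a recipient can run before opening an export in a spreadsheet. The section tag names, the sort key, the single-quote prefix character and the sample rows are assumptions.

```python
import csv
import io

# Column header as printed on the page; the section tag names used in SAMPLE_ROWS are assumptions.
HEADER = ["section", "id", "name", "clause_or_action", "status_or_value", "detail", "at_utc"]
FORMULA_TRIGGERS = ("=", "+", "-", "@")

def defuse_cell(value: str) -> str:
    """Neutralise a spreadsheet formula trigger with a leading single quote (assumed quote character)."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value

def render_csv(rows: list[dict]) -> bytes:
    """Deterministic render: rows sorted by (section, at_utc, id) (assumed order), every cell defused."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    for row in sorted(rows, key=lambda r: (r["section"], r["at_utc"], r["id"])):
        writer.writerow({k: defuse_cell(str(row.get(k, ""))) for k in HEADER})
    return buf.getvalue().encode("utf-8")

def parse_sections(data: bytes) -> dict[str, list[dict]]:
    """Group the flat row stream by section tag; reject a file that lacks the fixed header."""
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    if reader.fieldnames != HEADER:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    sections: dict[str, list[dict]] = {}
    for row in reader:
        sections.setdefault(row["section"], []).append(row)
    return sections

def undefused_cells(data: bytes) -> list[tuple[str, str]]:
    """Consumer-side check before opening a file: (column, value) pairs that still start with a trigger."""
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    return [(k, v) for row in reader for k, v in row.items() if v.startswith(FORMULA_TRIGGERS)]

# Constructed sample rows; the "detail" cells carry matched substrings a spreadsheet would read as formulas.
SAMPLE_ROWS = [
    {"section": "controls", "id": "CC6.1", "name": "Logical access", "clause_or_action": "CC6.1",
     "status_or_value": "covered", "detail": "firewall", "at_utc": "2024-06-01T00:00:00Z"},
    {"section": "enforcement", "id": "g-7", "name": "pii-guard", "clause_or_action": "block",
     "status_or_value": "1", "detail": "=SUM(1,2)", "at_utc": "2024-06-02T10:15:00Z"},
    {"section": "admin_access", "id": "u-1", "name": "a***@example.com", "clause_or_action": "report.generate",
     "status_or_value": "ok", "detail": "-n/a", "at_utc": "2024-06-03T09:00:00Z"},
]

if __name__ == "__main__":
    blob = render_csv(SAMPLE_ROWS)
    print(blob.decode(), sorted(parse_sections(blob)), undefused_cells(blob))
```

Two renders of the same rows in different input order produce identical bytes, which is what makes the content hash comparable across downloads.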

5. The CSV is signed evidence, not a loose spreadsheet

A compliance report — in any format — is Ed25519-signed and carries a SHA-256 content hash over its canonical evidence. That makes the artifact publicly verifiable: anyone you hand it to can confirm it came from your workspace and hasn’t been altered, without an OrcaRouter account.

Verify a report

How a recipient checks the signature against the public key — no login required.

Signed reports

What gets signed, the content hash, and the auditor share link.
Need to send evidence to an external auditor without exporting a file at all? Issue a time-boxed auditor share link instead — it serves the same signed report read-only. See signed reports.

6. Exporting raw guardrail matches

The compliance CSV is the curated, framework-mapped evidence. If an auditor wants the raw match feed — every individual guardrail hit behind the counts — you can stream that out separately as CSV or JSON, filtered to your current view.
# Session-authenticated (UserAuth). Streams your filtered matches as CSV.
GET /api/guardrail/match/export?format=csv
Each row is one match: time, guardrail, rule type and label, stage, action, model, token, detail, the matched substring, request id, and IP. Exports are capped per request and the matched substring only appears when Log raw content is enabled on the guardrail (off by default).
This export is row-per-match operational evidence, not a signed compliance artifact. For framework-mapped, signed evidence, generate a compliance report (Section 3). For what feeds the match records, see Guardrails.

7. Where to go next

Install a pack

Materialize a framework’s guardrail and firewall rules before you report on them.

Plan gating

Exactly which compliance actions are free versus paid and Admin-gated.

Data residency

The region a report’s evidence is stamped and served under.

Frameworks

Which frameworks you can generate evidence for.
A CSV is the format auditors live in. Generate one as an Admin, hand over a signed, verifiable file, and let them grep the evidence on their own terms.