
Compliance Evidence Generation

Replace screenshots in Word documents with cryptographically signed, machine-readable evidence that auditors can verify independently.

The Compliance-Reality Gap

Auditors are no longer accepting assertions. They want proof.

| What auditors ask for | What most teams provide |
|---|---|
| Evidence of tested backups | A bucket listing in a PDF |
| Restore test results | "We tested it last quarter" |
| Tamper-proof documentation | Screenshots in a Word document |
| Repeatable validation | Manual, ad-hoc procedures |
| Signed evidence chain | Email attachments |

Approximately 40% of organisations now receive requests for live backup restoration evidence during audits. The trend is accelerating under GDPR, SOX, and CMMC.

What Auditors Actually Ask For

  1. Proof that backups exist and contain the expected data
  2. Proof that backups can be restored — not just that they were taken
  3. Tamper-evident documentation — checksums, signatures, chain of custody
  4. Repeatable process — the same validation produces the same evidence
  5. Framework-specific controls — which check satisfies which requirement

Supported Compliance Frameworks

SOX (Sarbanes-Oxley, Section 404)

IT General Controls require backup integrity monitoring, restore testing, and 7-year evidence retention. The validation suite satisfies these with SHA-256 checksums (accepted by SOX auditors as tamper-evident documentation) and configurable retention.

CMMC Level 2 (NIST SP 800-171, RE.3.139)

Requires organisations handling CUI to "regularly perform and test data back-ups" with documented evidence. Every validation check maps directly to RE.3.139.

GDPR Article 32

Requires "regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures" for data protection. The evidence report demonstrates restore capability with performance metrics (RTO).

Also Satisfies

  • NIS2 — regular recovery tests with documented results
  • ISO 27001 — documented RTOs/RPOs and recovery test evidence
  • Cyber Insurance — monthly compliance reports on backup health

How It Works

Backup (existing)    Restore (existing)          Validate (new)
     │                       │                         │
     ▼                       ▼                         ▼
┌─────────┐             ┌──────────┐            ┌──────────────┐
│ S3/GCS/ │             │ Restored │            │  Validation  │
│  Azure  │────────────▶│  Kafka   │───────────▶│    Runner    │
│ Storage │  manifest   │ Cluster  │   checks   │              │
└─────────┘             └──────────┘            └──────┬───────┘
                                                       │
                                         ┌─────────────┼─────────────┐
                                         ▼             ▼             ▼
                                   ┌──────────┐   ┌─────────┐  ┌──────────┐
                                   │   JSON   │   │   PDF   │  │   .sig   │
                                   │  Report  │   │ Report  │  │Signature │
                                   └──────────┘   └─────────┘  └──────────┘

                                                 ┌─────┴──────┐
                                                 ▼            ▼
                                             ┌────────┐  ┌──────────┐
                                             │ Slack  │  │PagerDuty │
                                             └────────┘  └──────────┘
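The .sig output above is an ECDSA-P256-SHA256 detached signature over the JSON report. As an added Go example, not the project's own code, this shows the auditor-side check: recompute the SHA-256 checksum, verify the signature with nothing but the public key, and confirm that flipping a single check result from pass to fail invalidates it. The report contents, the key generation and the DER signature encoding are assumptions; the page does not specify the tool's signature or report format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample of a JSON evidence report; not real output of the tool.
const sampleReport = `{"run_id":"example-0001","triggered_by":"External auditor KPMG - Q1 2026 review","checks":[{"name":"topic_count","status":"pass"}],"rto_seconds":42}`

// NewSigningKey generates a hypothetical P-256 key; only its public half is shared with auditors.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Digest returns the hex SHA-256 checksum an auditor recomputes on their own copy.
func Digest(report []byte) string {
	sum := sha256.Sum256(report)
	return hex.EncodeToString(sum[:])
}

// SignReport: detached ECDSA P-256 signature over SHA-256(report). DER (ASN.1)
// encoding is an assumption; the page does not state the .sig format.
func SignReport(priv *ecdsa.PrivateKey, report []byte) ([]byte, error) {
	sum := sha256.Sum256(report)
	return ecdsa.SignASN1(rand.Reader, priv, sum[:])
}

// VerifyReport is the auditor-side check: public key, JSON report and .sig only.
func VerifyReport(pub *ecdsa.PublicKey, report, sig []byte) bool {
	sum := sha256.Sum256(report)
	return ecdsa.VerifyASN1(pub, sum[:], sig)
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	report := []byte(sampleReport)
	sig, err := SignReport(priv, report)
	if err != nil {
		panic(err)
	}
	// Flip one check result; both the checksum and the signature check must change.
	tampered := []byte(strings.Replace(sampleReport, `"pass"`, `"fail"`, 1))
	fmt.Println("sha256:", Digest(report), "tampered:", Digest(tampered))
	fmt.Println("genuine valid:", VerifyReport(&priv.PublicKey, report, sig), "tampered valid:", VerifyReport(&priv.PublicKey, tampered, sig))
}
```

Whitespace or key-order changes to the JSON also break verification, so the report must be archived byte-for-byte as signed.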

Example: Weekly SOX Validation

Run every Sunday at 02:00 UTC via cron:

# /etc/cron.d/kafka-backup-validation
0 2 * * 0 kafka-backup validation run --config /etc/kafka-backup/sox-validation.yaml

The evidence report is automatically uploaded to S3 with 7-year retention. Your SOX auditor gets a URL to 52 weeks of uninterrupted evidence.

Example: Auditor-Triggered PITR Validation

When an auditor asks "prove you can restore data from March 15th":

$ kafka-backup validation run \
    --config validation.yaml \
    --pitr 1710460800000 \
    --triggered-by "External auditor KPMG - Q1 2026 review"

The --triggered-by string appears in the evidence report, establishing chain of custody.

Example: PagerDuty Alert on Failure

notifications:
  pagerduty:
    integration_key: "your-key"
    severity: critical

On failure, the SRE on-call receives a PagerDuty alert with the evidence report URL, enabling investigation before the next audit.

Comparison: OSO Kafka Backup vs Alternatives

| Feature | OSO Kafka Backup | Kannika Armory | Confluent Platform | Velero |
|---|---|---|---|---|
| Automated restore-and-validate | Yes | Manual kubectl steps | No | Manual |
| Machine-readable evidence (JSON) | Yes, signed | No | No | No |
| Auditor-ready PDF report | Yes, branded | No | No | No |
| Cryptographic signing | ECDSA-P256-SHA256 | No | No | No |
| SOX/CMMC/GDPR mapping | Explicit in report | No | No | No |
| Prometheus validation metrics | 8 dedicated metrics | Backup progress only | Partial | Partial |
| Slack/PagerDuty on result | Yes | No | No | No |
| Evidence retention (7yr default) | Yes, configurable | No | No | No |
| OSS / free | MIT | Commercial | Commercial | Apache 2.0 |

Next Steps