{"name":"The Leo King Business Intelligence API Compliance Map","version":"v1","status":"public-contract","contractVersion":"2026-07-07.enterprise-trust-console-audit-webhook-versioning-limits-examples-support-procurement-conformance-data-processing-launch-readiness-access-control-compliance-map-ai-governance-v1","lastReviewedAt":"2026-07-07","policy":{"status":"live","publicContact":"mailto:partners@theleokingai.com","scope":"Public compliance-readiness mapping for API buyers. It maps current public controls to common review areas and does not replace customer-specific legal, privacy, security, or audit review.","noCertificationClaim":"This public packet is a readiness and evidence map only. It does not claim SOC 2 or ISO 27001 certification, HIPAA or PCI eligibility, GDPR compliance determination, or regulated-data approval unless those artifacts are separately published in signed customer review materials.","mappedFrameworks":["SOC 2-style security, availability, confidentiality, and privacy review areas","GDPR/data-processing review readiness","OWASP API security review readiness","Enterprise procurement and vendor-risk review","Operational resilience, SLA, and incident-review readiness","AI output-quality and fallback-prevention governance"],"currentEvidence":["Public security, access-control, data-processing, conformance, observability, support, SLA, incident, and procurement metadata routes.","OpenAPI, Postman, SDK source, gateway rewrites, robots, sitemap, and llms discovery surfaces.","Production env gate, gateway smoke, buyer-path usage proof, SDK build, app build, and fresh AI output-quality sampling requirements.","Console audit trail visibility and visible capped CSV export for authenticated workspaces."],"requiresSignedTerms":["SOC 2 report or bridge letter sharing when available","customer-specific DPA or data-processing addendum","HIPAA, PCI, children data, regulated-data, or regional residency commitments","long-range audit export packages or private logs","IP allowlists, private endpoints, custom network controls, or dedicated security exhibits","contractual SLA/support response windows"],"reviewerGuidance":["Use the public evidence links as durable review sources instead of screenshots.","Treat status=enterprise items as signed-term scope, not live public commitments.","Request only sanitized operational evidence for normal review: request_id, endpoint, UTC timestamp, key prefix only, and payload shape.","Escalate AI output-quality gaps as product regressions rather than accepting fallback-shaped content as continuity."]},"frameworkMappings":[{"framework":"SOC 2-Style Security Review","status":"live","scope":"Security, confidentiality, access control, change evidence, and incident review areas.","mappedControls":["server-side API-key custody","scoped endpoint access","secret redaction boundaries","support packet minimization","security.txt vulnerability contact","incident publication policy"],"evidenceLinks":["/api/v1/security","/api/v1/access-control","/api/v1/support","/api/v1/incidents"],"reviewerAction":"Review public controls, confirm partner-side key custody, and move report sharing or private audit evidence into signed terms.","boundary":"Public docs are readiness evidence; formal SOC 2 report access requires separate availability and signed review terms."},{"framework":"SOC 2-Style Availability Review","status":"beta","scope":"Gateway availability, status publication, operational smoke, and support escalation readiness.","mappedControls":["public SLA targets","incident history policy","gateway smoke","production env gate","buyer-path usage proof","rollback and disable plan"],"evidenceLinks":["/api/v1/sla","/api/v1/status","/api/v1/observability","/api/v1/onboarding","/api/v1/conformance"],"reviewerAction":"Run the conformance suite and live smoke checks before any enterprise demo or production launch claim.","boundary":"Contractual availability targets require signed customer terms and dedicated monitoring."},{"framework":"GDPR/Data Processing Review Readiness","status":"live","scope":"Processing purposes, data minimization, restricted data, retention, subprocessors, and DSR support.","mappedControls":["published processing purposes","restricted-data list","data-minimization rules","subprocessor scope","DSR support packet","signed-DPA boundary"],"evidenceLinks":["/api/v1/data-processing","/api/v1/security","/api/v1/procurement"],"reviewerAction":"Confirm partner lawful basis, user notices, and whether customer-specific DPA terms are required before production traffic.","boundary":"Public packet does not create a DPA, residency promise, or regulated-data authorization."},{"framework":"OWASP API Security Review Readiness","status":"beta","scope":"Authentication, authorization, rate limiting, input validation, error handling, and secret exposure boundaries.","mappedControls":["x-api-key auth","endpoint scope checks","rate-limit policy","standard error envelope","idempotency conflict behavior","browser/CORS key-exposure boundary"],"evidenceLinks":["/api/v1/access-control","/api/v1/versioning","/api/v1/errors","/api/v1/openapi"],"reviewerAction":"Generate clients from OpenAPI, enforce server-side key storage, and verify 401/403/409/429 handling in partner code.","boundary":"Custom network controls, mTLS-style controls, and allowlists require signed enterprise terms."},{"framework":"Enterprise Procurement And Vendor Risk","status":"live","scope":"Buyer packet, legal/security/ops review, signed-term gates, support boundaries, and durable evidence links.","mappedControls":["buyer packet","review checklist","legal boundary","operational proof","support tiers","signed-term gates"],"evidenceLinks":["/api/v1/procurement","/api/v1/support","/api/v1/conformance","/api/v1/sdks","/api/v1/migrations"],"reviewerAction":"Use the public procurement packet first, then request signed artifacts for private retention, DPA, SLA, audit, or allowlist commitments.","boundary":"Public metadata accelerates vendor review but is not a master services agreement, DPA, or security exhibit."},{"framework":"AI Output Quality Governance","status":"beta","scope":"Generation quality, fallback prevention, output sampling, model/provider metadata, and incident escalation.","mappedControls":["no fallback success rule","fresh live output sampling","quality-gate failure handling","model/token visibility","AI incident severity policy","support escalation packet"],"evidenceLinks":["/api/v1/conformance","/api/v1/observability","/api/v1/errors","/api/v1/incidents"],"reviewerAction":"Inspect 1-3 fresh generated outputs created after deploy timestamps when generation logic, model, RAG, or provider settings change.","boundary":"Passing builds and HTTP status checks do not prove AI product quality."}],"evidence":[{"artifact":"Security Packet","status":"live","owner":"platform","evidence":"Security controls, retention policy, subprocessor scope, security.txt, and enterprise review notes.","publicLink":"/api/v1/security","reviewUse":"Security and confidentiality review starter evidence."},{"artifact":"Access-Control Packet","status":"live","owner":"shared","evidence":"API-key custody, scope model, environment separation, rotation, revocation, and allowlist boundary.","publicLink":"/api/v1/access-control","reviewUse":"Authentication, authorization, and key-management review."},{"artifact":"Data-Processing Packet","status":"live","owner":"shared","evidence":"Processing purposes, minimization, restricted data, DSR policy, retention, subprocessors, and DPA boundary.","publicLink":"/api/v1/data-processing","reviewUse":"Privacy, data-processing, and DPA scoping review."},{"artifact":"Conformance Contract","status":"live","owner":"platform","evidence":"Local contract tests, SDK build, app build, env gate, gateway smoke, buyer-path proof, and AI quality sampling.","publicLink":"/api/v1/conformance","reviewUse":"Production readiness and acceptance evidence."},{"artifact":"Observability Proof","status":"beta","owner":"platform","evidence":"Gateway smoke, production env gates, buyer-path proof, readiness boundary, and output-quality signals.","publicLink":"/api/v1/observability","reviewUse":"Operational readiness and smoke-evidence review."},{"artifact":"SLA And Incident Policy","status":"live","owner":"platform","evidence":"Availability targets, measurement boundary, incident fields, severity policy, and postmortem expectations.","publicLink":"/api/v1/sla","reviewUse":"Availability and resilience review."},{"artifact":"Procurement Packet","status":"live","owner":"shared","evidence":"Buyer checklist, legal/security/ops boundaries, signed-term gates, and durable trust links.","publicLink":"/api/v1/procurement","reviewUse":"Vendor-risk and legal handoff review."}],"links":{"docs":"/api-docs","openapi":"/api/v1/openapi","status":"/api/v1/status","sla":"/api/v1/sla","incidents":"/api/v1/incidents","security":"/api/v1/security","securityTxt":"/.well-known/security.txt","accessControl":"/api/v1/access-control","observability":"/api/v1/observability","onboarding":"/api/v1/onboarding","versioning":"/api/v1/versioning","procurement":"/api/v1/procurement","conformance":"/api/v1/conformance","dataProcessing":"/api/v1/data-processing","support":"/api/v1/support"}}