Compliance profiles

A compliance profile is a tenant-wide policy setting that defines the default compliance posture for review, audit, and blocking behavior. Instead of toggling every policy rule by hand, you choose a profile that matches your regulatory position and VeraFrame applies the corresponding defaults.

The profile is not the same thing as enabling the review workflow itself. In current VeraFrame deployments:

  • the profile defines the default policy posture
  • workflow settings determine whether review cases are actually created
  • the trust report remains independent and can still show needs review findings even when workflow is off

There are three profiles.

none — no compliance enforcement

Default for SaaS Cloud. No policy-driven review is required, no blocking behavior is in place, and review cases are not created unless workflow is explicitly enabled.

Suitable for:

  • Exploration, prototyping, and internal productivity use
  • Teams that do not operate under AI-specific regulation
  • Cases where AI output is internal-facing and human review is informal

Not suitable for:

  • Any use case subject to the EU AI Act as a high-risk system
  • Outputs that are legally binding or published externally without review

compliance_ready — review defaults defined, audit logged

On workflow-enabled tenants, review is required for configured modes and audit events are written for generation, review, and correction activity.

Specifically:

  • review_required_for_modes defaults to the core validation modes if not explicitly configured.
  • Review cases can be created for policy-matched modes.
  • Reviewers with a role listed in required_reviewer_roles can approve, reject, or edit those cases.
  • Rejection requires a note (require_decision_note_on_reject).
  • Edits require a note (require_decision_note_on_edit).
  • All actions are logged in the audit trail with actor, timestamp, and note.

compliance_ready does not by itself force audit export on. That remains a separate tenant setting unless your deployment policy enables it.

Suitable for:

  • Regulated industries where AI output is reviewed internally before use, but not legally gated
  • Organizations that want defensible records of AI-assisted decisions
  • A stepping stone toward high_risk_ready as a program matures

high_risk_ready — output blocked until reviewed

Everything compliance_ready includes, plus:

  • Final output is blocked from export or downstream integration until a reviewer has approved a created review case. Users can still generate and view the output, but PDF/Word/Excel export and API consumption require an approved state when the workflow has created a review case.
  • Audit export is always enabled (audit_export_enabled).
  • Audit retention defaults to 365 days (configurable upward, not below regulatory minimums).

Suitable for:

  • EU AI Act Annex III high-risk systems (health, recruitment, finance, education, critical infrastructure, public administration)
  • External-facing content in regulated contexts where a mistake has material consequences
  • Any case where an auditor may later ask “who approved this specific output, on what basis?”

Choosing reviewer roles

Under any profile above none, the required_reviewer_roles setting controls who can approve review cases. The default is admin. In the current product role model, the available user roles are admin, user, and viewer.

The reviewer roles are referenced in the approve/reject workflow UI — only users with a matching role see the approve/reject controls for validations that are pending review.

Changing the profile

Compliance profiles are tenant configuration. They are set at provisioning (automatic for Compliance Edition) or changed by the VeraFrame operations team on request.

Changing the profile takes effect from the point of change forward. Historical validations keep the status they had when they were created — for example, increasing the profile from compliance_ready to high_risk_ready does not retroactively block already-finalized outputs.

How profiles relate to workflow

The clean mental model is:

  • Trust report — always generated; can say needs review regardless of workflow.
  • Workflow off — no review case is created. VeraFrame remains in “create and forget” mode.
  • Workflow on — review cases can be created from policy rules, validation findings, or both.

This separation matters because a report-level needs review finding is not automatically the same thing as a workflow review case.
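As an added illustration, not part of VeraFrame's documentation or code, the following Python models the rules described on this page: the trust report flags "needs review" independently of workflow, a review case is created only when workflow is on and the mode is policy-matched, only high_risk_ready gates export, and reviewer decisions are checked against required_reviewer_roles and the note requirements. Mode names, the finding shape and the audit-entry layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed model of this page's profile/workflow rules, not VeraFrame's own code;
# mode names, finding shape and audit-entry layout are assumptions for illustration.
PROFILES = ("none", "compliance_ready", "high_risk_ready")
CORE_MODES = ("fact_check", "citation_check")  # assumed stand-in for "core validation modes"

@dataclass
class TenantConfig:
    profile: str = "none"
    workflow_enabled: bool = False
    review_required_for_modes: tuple = CORE_MODES   # page: defaults to core modes
    required_reviewer_roles: tuple = ("admin",)     # page: default is admin
    require_decision_note_on_reject: bool = True
    require_decision_note_on_edit: bool = True
    audit_export_setting: bool = False              # separate tenant setting below high_risk_ready
    audit_log: list = field(default_factory=list)

    @property
    def audit_export_enabled(self) -> bool:
        # high_risk_ready forces audit export on; otherwise it is the separate tenant setting
        return self.profile == "high_risk_ready" or self.audit_export_setting

def report_needs_review(findings) -> bool:
    """Trust report is independent of workflow: any flagged finding says 'needs review'."""
    return any(f.get("needs_review") for f in findings)

def creates_review_case(cfg: TenantConfig, mode: str) -> bool:
    """A workflow case exists only with workflow on, profile above none, and a policy-matched mode."""
    return cfg.workflow_enabled and cfg.profile != "none" and mode in cfg.review_required_for_modes

def export_allowed(cfg: TenantConfig, mode: str, case_state=None) -> bool:
    """Only high_risk_ready gates export, and only while a created case is not yet approved."""
    if cfg.profile != "high_risk_ready" or not creates_review_case(cfg, mode):
        return True
    return case_state == "approved"

def apply_decision(cfg: TenantConfig, actor: str, role: str, decision: str, note: str = "") -> str:
    """Enforce reviewer role and note rules, append an audit entry, return the new case state."""
    if role not in cfg.required_reviewer_roles:
        raise PermissionError(f"role {role!r} cannot decide review cases")
    if decision == "reject" and cfg.require_decision_note_on_reject and not note:
        raise ValueError("rejection requires a decision note")
    if decision == "edit" and cfg.require_decision_note_on_edit and not note:
        raise ValueError("edit requires a decision note")
    state = {"approve": "approved", "reject": "rejected", "edit": "edited"}[decision]
    cfg.audit_log.append({"actor": actor, "role": role, "action": decision, "note": note,
                          "timestamp": datetime.now(timezone.utc).isoformat()})
    return state
```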