Understanding compliance posture
The bottom of the Settings — Workspaces — Identity & Verification page shows a live Compliance posture summary. Each row corresponds to one of the standards the platform implements, with a status badge that reflects your current configuration.
This page explains what each status means and how to read the summary.
The four statuses
| Status | Meaning |
|---|---|
| Follows | Your current configuration matches the standard’s default requirement. No flagging in the footer. |
| Aligned with | Your configuration differs from the default but still respects the standard’s principles. The platform is willing to support this; auditors will see a deviation from default but no compliance gap. |
| Restricted | The standard explicitly classifies the chosen mechanism as restricted (for example, PSTN OOB under NIST 800-63B §5.2.10). The platform supports it but flags it. |
| Reduced | Your configuration falls below what the standard expects. Use with intent — this row appears red in the footer. |
| Not configured | A prerequisite is missing — typically no lookup tool has been attached, so the verification specialist cannot run. |
How a row gets each status
Each row in the footer is computed live from your current settings. Some examples:
- NIST SP 800-63A §5.3.2 (KBV procedure) — “Follows” when you have 4 questions, all-correct pass rule, and a 3-attempt cap. Any deviation flips this to “Aligned with.”
- GDPR Art. 12(2) personal-data verification — “Follows” when every PII-returning tool requires `identified` or higher. If you lowered a PII tool to `anonymous`, the row flips to “Reduced” and lists how many tools fell below the floor.
- NIST 800-63B §5.2.10 PSTN OOB — “Restricted” by default (the standard classifies PSTN attestation as a Restricted Authenticator) but flips to “Deviation” if you mark caller ID as standalone identification.
- GDPR Art. 5(1)(e) storage limitation — “Follows” at 12+ months retention. Below 12 it flips to “Aligned with”; below 6 to “Reduced.”
If you change a setting, the corresponding row in the posture footer updates immediately. There is no need to reload the page or save manually.
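The rules listed above, written out as a small evaluator so you can check what a configuration change does to each row before making it in the workspace. This is an added example, not the platform's own code: the config keys, the tool fields and the ordering of access levels are assumptions made for the illustration; the thresholds are the ones stated above.

```python
# Added example (not the platform's own code). The config keys, tool fields and
# access-level ordering are assumptions; the thresholds are those stated above.
LEVEL_RANK = {"anonymous": 0, "identified": 1, "verified": 2}  # assumed ordering

def kbv_status(cfg):
    """NIST SP 800-63A §5.3.2: Follows only with 4 questions, all-correct rule, 3-attempt cap."""
    follows = (cfg["kbv_questions"] == 4 and cfg["kbv_pass_rule"] == "all_correct"
               and cfg["kbv_attempt_cap"] == 3)
    return ("Follows", "") if follows else ("Aligned with", "deviates from KBV defaults")

def gdpr_art12_status(tools):
    """GDPR Art. 12(2): every PII-returning tool must require 'identified' or higher."""
    if not tools:
        return ("Not configured", "no lookup tool attached")
    below = [t["name"] for t in tools
             if t["returns_pii"] and LEVEL_RANK[t["min_level"]] < LEVEL_RANK["identified"]]
    if below:
        return ("Reduced", f"{len(below)} tool(s) below the 'identified' floor")
    return ("Follows", "")

def pstn_oob_status(cfg):
    """NIST 800-63B §5.2.10: PSTN OOB is Restricted; standalone caller ID becomes Deviation."""
    if cfg["caller_id_standalone"]:
        return ("Deviation", "caller ID used as standalone identification")
    return ("Restricted", "PSTN attestation is a Restricted Authenticator")

def retention_status(months):
    """GDPR Art. 5(1)(e): 12+ months Follows, 6-11 Aligned with, below 6 Reduced."""
    if months >= 12:
        return ("Follows", "")
    if months >= 6:
        return ("Aligned with", "retention below 12 months")
    return ("Reduced", "retention below 6 months")

def posture(cfg):
    """Compute every footer row from one workspace configuration."""
    return {
        "NIST SP 800-63A 5.3.2": kbv_status(cfg),
        "GDPR Art. 12(2)": gdpr_art12_status(cfg["tools"]),
        "NIST 800-63B 5.2.10": pstn_oob_status(cfg),
        "GDPR Art. 5(1)(e)": retention_status(cfg["retention_months"]),
    }

# Constructed sample: the default configuration, then a weakened copy of it.
DEFAULT_CFG = {"kbv_questions": 4, "kbv_pass_rule": "all_correct", "kbv_attempt_cap": 3,
               "caller_id_standalone": False, "retention_months": 12,
               "tools": [{"name": "crm_lookup", "returns_pii": True, "min_level": "identified"}]}
WEAK_CFG = dict(DEFAULT_CFG, retention_months=5, kbv_attempt_cap=5,
                tools=[{"name": "crm_lookup", "returns_pii": True, "min_level": "anonymous"}])
```

Running `posture(WEAK_CFG)` shows three rows dropping at once (KBV to “Aligned with”, GDPR Art. 12(2) and storage limitation to “Reduced”), which is the same picture the footer gives after those three knobs are turned.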
What auditors see
The posture footer is operator-facing — it is the workspace owner’s view of their own configuration. The platform’s external compliance posture (DPA addendum, sub-processor list, security questionnaire answers) lives in the legal documentation centre and is unaffected by individual workspace knobs.
The audit log — Settings — Workspaces — (your workspace) — Identity events — is the evidentiary record auditors usually request. Every change to the verification configuration, every verification attempt, every lockout, and every successful identification is recorded there with a timestamp and the operator (or system) that triggered it.