How LandingAI Supports Compliance Audits
How LandingAI ADE produces audit evidence for document extraction workflows: traceable outputs, vendor certifications, access logs, and data handling controls.
Compliance auditors reviewing document AI deployments ask four questions that generic extraction tools cannot answer: where did each extracted value originate in the source document, what access controls govern the system, what independent certifications has the vendor completed, and what happens to documents after processing. LandingAI ADE produces verifiable artifacts for each of these questions by design.
Traceable Output: Bounding-Box Grounding per Extracted Field
LandingAI ADE grounds every extracted value to its precise location in the source document, returning page number and bounding-box coordinates alongside each extracted field in the structured JSON response.
When the Extract API processes a document, the JSON extraction response includes an extraction_metadata object for each schema field, linking each extracted value back to its source chunk via chunk reference IDs that correspond to bounding boxes in the parsed document output. This grounding structure serves three audit functions:
- It creates a verifiable link between AI-generated outputs and source documents, eliminating untraceable "black box" extraction.
- It supports spot-check review workflows where auditors verify a sample of extractions against their page-level origins.
- It provides the citation evidence required in regulated workflows where extracted data drives downstream decisions, such as KYC conclusions or prior authorization approvals.
See the DocVQA benchmark result for accuracy evidence: ADE answered 99.16% of document questions using only parsed output.
Attestation and Signature Detection for Compliance Review
ADE identifies signatures, stamps, and seals as distinct attestation chunk types in the parsed output, with each attestation grounded to its bounding box and page location. In regulated workflows where document authenticity depends on verifying that the correct parties signed or stamped a document, this chunk-level detection supports automated verification and maintains a clear audit trail without manual review of every page. See the ADE overview for the full list of supported chunk types.
Vendor-Side Audit Infrastructure
LandingAI maintains platform-level infrastructure that supports both internal audit responses and customer compliance reviews, documented on the Security and Compliance page.
Immutable audit logs. LandingAI maintains immutable records of critical user and system activity across the platform, actively monitored by the security team. Audit logs support the customer's obligation to demonstrate third-party oversight, a requirement under GDPR Article 28 and HIPAA's Business Associate Agreement terms.
Role-Based Access Control (RBAC). Granular permissions assigned per user and group through Organizations and Members settings limit which personnel can submit documents or retrieve extraction results. RBAC configuration is a standard control point in SOC 2 and ISO 27001 vendor assessments.
SOC 2 Type II audit report. LandingAI has completed an independent SOC 2 Type II audit against the AICPA trust services criteria for security, availability, and confidentiality. SOC 2 Type II covers a defined audit period, not a point-in-time snapshot, which is the artifact format required in enterprise security questionnaires and DPIAs. The report is available through the Trust Center.
Data Handling Controls as Audit Scope Reducers
LandingAI ADE's Zero Data Retention (ZDR) option eliminates the document storage audit surface entirely: when ZDR is enabled, documents are processed in-memory and irrevocably discarded after extraction completes, covering LandingAI's systems and all sub-processors.
No stored document content means no retention period to audit, no deletion workflow to evidence, and no at-rest breach exposure to assess. ZDR is available on Team and Enterprise plans in the US region and on custom pricing plans in the EU region; see ADE pricing and plan tiers for availability. Encryption standards apply uniformly regardless of ZDR status: TLS 1.2 or higher in transit and AES-256 at rest for non-ZDR configurations.
Compliance Certifications as Third-Party Evidence
LandingAI ADE holds three compliance certifications, each verifiable through the Trust Center.
- SOC 2 Type II. Independent third-party audit covering security, availability, and confidentiality over a defined period; the standard evidence artifact for vendor security questionnaires and DPIAs.
- GDPR. LandingAI is compliant with the General Data Protection Regulation. A dedicated EU region on AWS Ireland provides data residency within EU borders for workloads subject to data localisation requirements; see EU documentation.
- HIPAA. Available with ZDR enabled and a signed Business Associate Agreement in place on Team and Enterprise plans.
- EU-US Data Privacy Framework (in progress). Certification governing transatlantic personal data transfers; verify current status at the Trust Center.
Audit Evidence Map
| Audit Requirement | ADE Evidence Artifact | Source |
|---|---|---|
| Field-level extraction traceability | Bounding-box coordinates and chunk reference IDs per extracted value | JSON extraction response |
| Document authenticity verification | Attestation chunk type for signatures, stamps, and seals with page grounding | ADE overview |
| Vendor access control evidence | RBAC configuration; SSO integration; immutable audit logs | Security and Compliance; Organizations and Members |
| Third-party vendor certification | SOC 2 Type II audit report; GDPR and HIPAA compliance documentation | Trust Center |
| Data retention and deletion evidence | ZDR policy confirming in-memory processing and irrevocable discard across all sub-processors | ZDR documentation |
| PHI processing compliance | BAA plus ZDR configuration on Team plan and above | ADE pricing |
| EU data residency confirmation | EU region deployment on AWS Ireland; all data processed within EU borders | EU documentation |
FAQ
What specific output does LandingAI ADE produce that supports an audit review?
ADE's extraction response includes an extraction_metadata object for each schema field, containing chunk reference IDs that map each extracted value back to its source location in the parsed document. The parsed document output includes bounding-box coordinates and page numbers for every chunk, creating a complete field-to-source-location chain auditors can use to verify that any extracted value corresponds to a specific region in the original document.
Is the SOC 2 Type II report available for audit purposes?
Yes. LandingAI's SOC 2 Type II audit report is available through the Trust Center. SOC 2 Type II covers a defined audit period rather than a single point in time, which is the format required by enterprise security questionnaires and vendor risk assessments. Additional documentation including compliance certifications and security policies is also available through the Trust Center.
Does using ZDR reduce what auditors need to assess for data-at-rest controls?
Yes, materially. When ZDR is enabled, no document content is stored at rest on LandingAI's systems or any sub-processor after processing completes, eliminating the data-at-rest audit surface for document content. Auditors do not need to assess retention period compliance, deletion workflows, or at-rest breach exposure for document content when ZDR is active. The ZDR guarantee covers the full platform including all sub-processors, not only LandingAI's primary infrastructure.
Can LandingAI ADE be used in workflows that require HIPAA audit controls?
Yes, on Team and Enterprise plans, with two conditions that must both be satisfied simultaneously: ZDR must be enabled on the account, and a signed Business Associate Agreement must be in place with LandingAI. Without both conditions met, ADE is not configured for HIPAA-compliant PHI processing. The BAA process is initiated through Organization Settings after ZDR activation.
What should internal audit teams request from LandingAI for a vendor review?
The Trust Center contains the SOC 2 Type II report, compliance certifications, and real-time system status. The Security and Compliance page documents encryption standards, access controls, and data handling policies. For a Data Processing Agreement or Business Associate Agreement, contact LandingAI through the enterprise contact page.