Locke, by Sonomos · Coming Soon

COMPLIANCE

Compliance evidence that never leaves your device.

Locke turns local detection into exportable reports — for regulators, auditors, and your own records — without sending a single byte anywhere to produce them.

COMPLIANCE REPORTS

Reports mapped to the regimes you answer to

The dashboard already maps detection activity to regulatory frameworks (see Methodology). A compliance report packages that mapping into an export you can hand to counsel, a DPO, or an auditor — organized by regime, not raw event logs.

CCPA / CPRA

California, US

Personal and sensitive-information transmissions to third-party AI tools, organized by CCPA's disclosure categories.

Learn more

UK GDPR

United Kingdom

Personal data transmissions assessed against the UK's post-Brexit data-protection principles.

EU GDPR

European Union

Personal data processing events relevant to lawful-basis, cross-border transfer, and data-subject-rights questions.

Learn more

HIPAA

United States · Healthcare

Transmissions matching Protected Health Information patterns sent to an AI tool without a Business Associate Agreement on file.

Learn more

And more

GLBA, PCI-DSS, and others

The same regulatory mapping the dashboard already uses — see Methodology for the full list of frameworks Locke tracks.

Learn more
A compliance report documents what Locke observed and how it maps to a regulatory framework. It's evidence to support your compliance work — not a certification, an audit, or legal advice. Applicability always depends on facts only you and your counsel can assess.

TECHNICAL REPORTS

Evidence for the people who have to sign off

Compliance officers aren't the only audience. Locke also exports technical reports built for infosec teams, IT regulators, and auditors who need the underlying evidence, not just the regulatory summary.

What was detected

Detection type, category, and confidence — every pattern Locke flagged, not just the ones that led to action.

What was masked or blocked

The outcome of each event: masked, blocked, remediated, or sent unprotected — and why.

When it happened

Full timestamped event history, in the order it occurred, for anyone reconstructing a timeline.

Configuration state

Which detectors were enabled and how sensitivity was set at the time of each event — the settings that produced the report.

Planned for Pro and Teams: PDF export with SHA-256 integrity verification, so a report's contents can be checked against its fingerprint without asking Sonomos to vouch for it. Not available yet — generated locally once it ships, same as everything else here.

RULES SANDBOX

Trust, but verify — locally

Before you rely on a detector — built-in or your own — test it. Write a detection rule in a simple format, or run any of Locke's built-in categories, against sample text of your choosing. Nothing you type into the sandbox goes anywhere.

Your ruleCUSTOM
name: "Internal Project Code"
match: PROJ-####
Test input
"Don't mention PROJ-4471 until the board call Thursday."
Result1 MATCH

PROJ-4471 matched "Internal Project Code" — custom rule, tested before it protects anything.

The same sandbox works with any of Locke's 36 checksum-validated regex detectors and 70+ semantic categories — see how they behave before deciding what to enable.

Reports and sandbox ship with Locke. Request early access and we'll be in touch as soon as builds are available.

Request early access