Contract Skill — A ready-to-use MOVA HITL workflow. Requires the openclaw-mova plugin.

MOVA Compliance Audit

Submit an organization's documents to MOVA for automated regulatory compliance audit — with framework-specific rule matching, a structured findings report, and a mandatory human sign-off gate backed by a tamper-proof audit trail.

What it does

Document ingestion — OCR extraction and structure parsing from uploaded file or URL
Rules engine check — automated evaluation against the selected regulatory framework (GDPR, PCI-DSS, ISO 27001, SOC 2)
Findings report — checklist with pass/fail items, severity codes, and recommended remediation actions
Human gate — compliance officer reviews findings and chooses: approve / approve with conditions / reject / request corrections
Audit receipt — every check, source, and decision is signed, timestamped, and stored in an immutable MOVA audit trail for regulatory inspection

Mandatory escalation rules enforced by policy:

Critical findings present → mandatory human review, cannot auto-approve
Regulated framework (GDPR, PCI-DSS) → full audit report artifact required
Rejection or conditions → remediation items must be recorded with reason

Requirements

Plugin: MOVA OpenClaw plugin must be installed in your OpenClaw workspace.

Data flows:

Document URL/ID + org metadata → api.mova-lab.eu (MOVA platform, EU-hosted)
Document content → OCR extraction connector (read-only, no data stored)
Extracted structure → compliance rules engine (framework-specific, read-only)
Audit journal → MOVA R2 storage, cryptographically signed
No data sent to third parties beyond the above

Demo

Step 1 — Document submitted for GDPR audit Step 1

Step 2 — AI findings: 3 critical violations, missing DPIA, reject recommended Step 2

Step 3 — Audit receipt + signed decision log Step 3

Quick start

Say "run GDPR compliance audit on this document" and provide a document URL or ID:

document_url: https://example.com/privacy-policy.pdf
framework: gdpr
org_name: Acme Corp

The agent submits the document, shows the AI findings checklist with pass/fail items and severity, then asks for your compliance decision.

Why contract execution matters

Framework rules are policy, not prompts — GDPR and PCI-DSS checks trigger mandatory gates that cannot be bypassed by the AI
Full checklist traceability — every pass/fail item is linked to a specific rule ID and source citation
Immutable audit trail — when a regulator asks "who signed off this audit and what did they see?" — the answer is in the system with an exact timestamp
EU AI Act / GDPR Article 22 ready — automated compliance decisions require human oversight, full explainability, and a documented decision chain

What the user receives

| Output | Description | |--------|-------------| | Framework | Selected regulatory standard (GDPR, PCI-DSS, ISO 27001, SOC 2) | | Checklist score | Pass / fail count per framework section | | Critical findings | Count and list of critical violations | | Findings list | Per-item: rule ID, description, severity (critical / high / medium / low) | | Remediation hints | Recommended corrective actions per finding | | Recommended action | AI-suggested compliance decision | | Decision options | approve / approve_with_conditions / reject / request_corrections | | Audit receipt ID | Permanent signed record of the compliance decision | | Compact journal | Full event log: ingest → rules check → human decision |

When to trigger

Activate when the user:

Uploads a document and mentions compliance, regulation, or audit
Says "check GDPR compliance", "run PCI-DSS audit", "validate ISO 27001", "SOC 2 check"
Asks to prepare for a regulatory inspection

Before starting, confirm: "Run compliance audit on [document] — framework: [FRAMEWORK]?"

If framework is not specified — ask once: GDPR, PCI-DSS, ISO 27001, or SOC 2. If document URL is missing — ask once for a direct HTTPS link or document ID.

Step 1 — Submit document for audit

Call tool mova_hitl_start_compliance with:

document_url: direct HTTPS link to the document
document_id: unique identifier (e.g. DOC-2026-001)
framework: one of gdpr / pci_dss / iso_27001 / soc2
org_name: organization name

Step 2 — Show findings and decision options

If status = "waiting_human" — show the audit findings summary:

Document:   document_id
Framework:  FRAMEWORK
Score:      PASS_COUNT / TOTAL_CHECKS passed
Critical:   CRITICAL_COUNT critical findings
Findings:   [list top findings with rule ID and severity]
Recommended action: ACTION ← RECOMMENDED

Then ask compliance officer to choose:

| Option | Description | |---|---| | approve | Sign off audit report as compliant | | approve_with_conditions | Approve with listed remediation items | | reject | Document fails compliance — block processing | | request_corrections | Return document for corrections |

Call tool mova_hitl_decide with:

contract_id: from the response above — this is ctr-cau-xxxxxxxx, NOT the document ID
option: chosen decision
reason: officer reasoning (required for reject and request_corrections)

Step 3 — Show audit receipt

Call tool mova_hitl_audit with contract_id. Call tool mova_hitl_audit_compact with contract_id for the full signed event chain.

Connect your real compliance systems

By default MOVA uses a sandbox mock. To route checks against your live infrastructure, call mova_list_connectors with keyword: "compliance".

Relevant connectors:

| Connector ID | What it covers | |---|---| | connector.ocr.document_extract_v1 | Document OCR and structure extraction | | connector.compliance.rules_engine_v1 | Framework-specific compliance rule evaluation |

Call mova_register_connector with connector_id, endpoint, optional auth_header and auth_value.

Rules

NEVER make HTTP requests manually
NEVER invent or simulate compliance results — if a tool call fails, show the exact error
Use MOVA plugin tools directly — do NOT use exec or shell
CONTRACT_ID is ctr-cau-xxxxxxxx from the mova_hitl_start_compliance response — NOT the document ID