Contract Skill — A ready-to-use MOVA HITL workflow. Requires the openclaw-mova plugin.

MOVA Compliance Audit

Submit an organization's documents to MOVA for automated regulatory compliance audit — with framework-specific rule matching, a structured findings report, and a mandatory human sign-off gate backed by a tamper-proof audit trail.

What it does

1. 1. Document ingestion — OCR extraction and structure parsing from uploaded file or URL
2. Rules engine check — automated evaluation against the selected regulatory framework (GDPR, PCI-DSS, ISO 27001, SOC 2)
3. Findings report — checklist with pass/fail items, severity codes, and recommended remediation actions
4. Human gate — compliance officer reviews findings and chooses: approve / approve with conditions / reject / request corrections
5. Audit receipt — every check, source, and decision is signed, timestamped, and stored in an immutable MOVA audit trail for regulatory inspection

Mandatory escalation rules enforced by policy:

• - Critical findings present → mandatory human review, cannot auto-approve
• Regulated framework (GDPR, PCI-DSS) → full audit report artifact required
• Rejection or conditions → remediation items must be recorded with reason

Requirements

Plugin: MOVA OpenClaw plugin must be installed in your OpenClaw workspace.

Data flows:

• - Document URL/ID + org metadata → api.mova-lab.eu (MOVA platform, EU-hosted)
• Document content → OCR extraction connector (read-only, no data stored)
• Extracted structure → compliance rules engine (framework-specific, read-only)
• Audit journal → MOVA R2 storage, cryptographically signed
• No data sent to third parties beyond the above

Demo

Step 1 — Document submitted for GDPR audit

Step 2 — AI findings: 3 critical violations, missing DPIA, reject recommended

Step 3 — Audit receipt + signed decision log

Quick start

Say "run GDPR compliance audit on this document" and provide a document URL or ID:

CODEBLOCK0

The agent submits the document, shows the AI findings checklist with pass/fail items and severity, then asks for your compliance decision.

Why contract execution matters

• - Framework rules are policy, not prompts — GDPR and PCI-DSS checks trigger mandatory gates that cannot be bypassed by the AI
• Full checklist traceability — every pass/fail item is linked to a specific rule ID and source citation
• Immutable audit trail — when a regulator asks "who signed off this audit and what did they see?" — the answer is in the system with an exact timestamp
• EU AI Act / GDPR Article 22 ready — automated compliance decisions require human oversight, full explainability, and a documented decision chain

What the user receives

Output	Description
Framework	Selected regulatory standard (GDPR, PCI-DSS, ISO 27001, SOC 2)
Checklist score

Pass / fail count per framework section | | Critical findings | Count and list of critical violations | | Findings list | Per-item: rule ID, description, severity (critical / high / medium / low) | | Remediation hints | Recommended corrective actions per finding | | Recommended action | AI-suggested compliance decision | | Decision options | approve / approvewithconditions / reject / request_corrections | | Audit receipt ID | Permanent signed record of the compliance decision | | Compact journal | Full event log: ingest → rules check → human decision |

When to trigger

Activate when the user:

• - Uploads a document and mentions compliance, regulation, or audit
• Says "check GDPR compliance", "run PCI-DSS audit", "validate ISO 27001", "SOC 2 check"
• Asks to prepare for a regulatory inspection

Before starting, confirm: "Run compliance audit on [document] — framework: [FRAMEWORK]?"

If framework is not specified — ask once: GDPR, PCI-DSS, ISO 27001, or SOC 2.
If document URL is missing — ask once for a direct HTTPS link or document ID.

Step 1 — Submit document for audit

Call tool mova_hitl_start_compliance with:

• - document_url: direct HTTPS link to the document
• INLINECODE4: unique identifier (e.g. DOC-2026-001)
• INLINECODE5: one of gdpr / pci_dss / iso_27001 / INLINECODE9
• INLINECODE10: organization name

Step 2 — Show findings and decision options

If status = "waiting_human" — show the audit findings summary:

CODEBLOCK1

Then ask compliance officer to choose:

Option	Description
INLINECODE12	Sign off audit report as compliant
INLINECODE13

Approve with listed remediation items |
| reject | Document fails compliance — block processing |
| request_corrections | Return document for corrections |

Call tool mova_hitl_decide with:

• - contract_id: from the response above — this is ctr-cau-xxxxxxxx, NOT the document ID
• INLINECODE19: chosen decision
• INLINECODE20: officer reasoning (required for reject and request_corrections)

Step 3 — Show audit receipt

Call tool mova_hitl_audit with contract_id.
Call tool mova_hitl_audit_compact with contract_id for the full signed event chain.

Connect your real compliance systems

By default MOVA uses a sandbox mock. To route checks against your live infrastructure, call mova_list_connectors with keyword: "compliance".

Relevant connectors:

Connector ID	What it covers
INLINECODE27	Document OCR and structure extraction
INLINECODE28

Framework-specific compliance rule evaluation |

Call mova_register_connector with connector_id, endpoint, optional auth_header and auth_value.

Rules

• - NEVER make HTTP requests manually
• NEVER invent or simulate compliance results — if a tool call fails, show the exact error
• Use MOVA plugin tools directly — do NOT use exec or shell
• CONTRACTID is ctr-cau-xxxxxxxx from the movahitlstartcompliance response — NOT the document ID