Compliance API
GDPR, audit, and compliance
REST API endpoints for Compliance. 7 operations.
Query the audit log
GET /v1/compliance/auditReturns audit events for the caller's tenant, filterable by action and time range. The tenant scope is always taken from the token, never the query.
Auth: Bearer API key
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
action | query | string | No | Filter by audit action (e.g. auth_login, data_access) |
from | query | string | No | Start of time range (RFC 3339) |
to | query | string | No | End of time range (RFC 3339) |
limit | query | integer | No | Max number of events to return |
Responses
| Status | Description |
|---|---|
200 | Audit events for the caller's tenant |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:read scope |
500 | Internal error |
operationId: queryAuditLog
Export the audit log
GET /v1/compliance/audit/exportReturns the full audit trail for the caller's tenant for compliance export (JSON by default, CSV with ?format=csv).
Auth: Bearer API key
Responses
| Status | Description |
|---|---|
200 | Full audit trail export for the caller's tenant |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:read scope |
500 | Internal error |
operationId: exportAuditLog
List GDPR requests
GET /v1/compliance/gdpr/requestsReturns the data-subject requests for the caller's tenant.
Auth: Bearer API key
Responses
| Status | Description |
|---|---|
200 | Data-subject requests for the caller's tenant |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:read scope |
500 | Internal error |
operationId: listGdprRequests
Create a GDPR request
POST /v1/compliance/gdpr/requestsFiles a GDPR data-subject request (access / erasure / rectification). This is intake only: the request is persisted with status pending; export and erasure are fulfilled out of band.
Auth: Bearer API key
Request body
application/json (required) — schema CreateGdprRequest.
Responses
| Status | Description |
|---|---|
201 | Data-subject request created |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:write scope |
500 | Internal error |
operationId: createGdprRequest
Get a GDPR request
GET /v1/compliance/gdpr/requests/{id}Returns a single GDPR data-subject request by id.
Auth: Bearer API key
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Data-subject request id (UUID) |
Responses
| Status | Description |
|---|---|
200 | The data-subject request |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:read scope |
404 | GDPR request not found |
500 | Internal error |
operationId: getGdprRequest
Advance a GDPR data-subject request through its lifecycle
POST /v1/compliance/gdpr/requests/{id}/statusSEC-1: the DSR flow was intake-only — requests sat pending forever with no way to fulfill them, while the compliance status implied a working workflow. A data-protection officer (compliance:write) now moves each request through pending → in_progress → completed/rejected; terminal states stamp completed_at, giving an auditable fulfillment record within the GDPR Art. 12(3) one-month window. Tenant-scoped.
Auth: Bearer API key
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
id | path | string | Yes | Data-subject request id (UUID) |
Request body
application/json (required) — schema UpdateGdprStatusBody.
Responses
| Status | Description |
|---|---|
200 | Updated data-subject request |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:write scope |
404 | GDPR request not found |
500 | Internal error |
operationId: updateGdprRequestStatus
Get compliance status
GET /v1/compliance/statusRuns the compliance checks (encryption, audit, access controls) and returns each check's result plus an overall score.
Auth: Bearer API key
Responses
| Status | Description |
|---|---|
200 | Compliance checks and overall score |
401 | Missing or invalid credentials |
403 | Token lacks the compliance:read scope |
500 | Internal error |
operationId: getComplianceStatus