ScalixScalix Docs

Compliance API

GDPR, audit, and compliance

REST API endpoints for Compliance. 7 operations.

Query the audit log

plaintext
GET /v1/compliance/audit

Returns audit events for the caller's tenant, filterable by action and time range. The tenant scope is always taken from the token, never the query.

Auth: Bearer API key

Parameters

NameInTypeRequiredDescription
actionquerystringNoFilter by audit action (e.g. auth_login, data_access)
fromquerystringNoStart of time range (RFC 3339)
toquerystringNoEnd of time range (RFC 3339)
limitqueryintegerNoMax number of events to return

Responses

StatusDescription
200Audit events for the caller's tenant
401Missing or invalid credentials
403Token lacks the compliance:read scope
500Internal error

operationId: queryAuditLog

Export the audit log

plaintext
GET /v1/compliance/audit/export

Returns the full audit trail for the caller's tenant for compliance export (JSON by default, CSV with ?format=csv).

Auth: Bearer API key

Responses

StatusDescription
200Full audit trail export for the caller's tenant
401Missing or invalid credentials
403Token lacks the compliance:read scope
500Internal error

operationId: exportAuditLog

List GDPR requests

plaintext
GET /v1/compliance/gdpr/requests

Returns the data-subject requests for the caller's tenant.

Auth: Bearer API key

Responses

StatusDescription
200Data-subject requests for the caller's tenant
401Missing or invalid credentials
403Token lacks the compliance:read scope
500Internal error

operationId: listGdprRequests

Create a GDPR request

plaintext
POST /v1/compliance/gdpr/requests

Files a GDPR data-subject request (access / erasure / rectification). This is intake only: the request is persisted with status pending; export and erasure are fulfilled out of band.

Auth: Bearer API key

Request body

application/json (required) — schema CreateGdprRequest.

Responses

StatusDescription
201Data-subject request created
401Missing or invalid credentials
403Token lacks the compliance:write scope
500Internal error

operationId: createGdprRequest

Get a GDPR request

plaintext
GET /v1/compliance/gdpr/requests/{id}

Returns a single GDPR data-subject request by id.

Auth: Bearer API key

Parameters

NameInTypeRequiredDescription
idpathstringYesData-subject request id (UUID)

Responses

StatusDescription
200The data-subject request
401Missing or invalid credentials
403Token lacks the compliance:read scope
404GDPR request not found
500Internal error

operationId: getGdprRequest

Advance a GDPR data-subject request through its lifecycle

plaintext
POST /v1/compliance/gdpr/requests/{id}/status

SEC-1: the DSR flow was intake-only — requests sat pending forever with no way to fulfill them, while the compliance status implied a working workflow. A data-protection officer (compliance:write) now moves each request through pending → in_progress → completed/rejected; terminal states stamp completed_at, giving an auditable fulfillment record within the GDPR Art. 12(3) one-month window. Tenant-scoped.

Auth: Bearer API key

Parameters

NameInTypeRequiredDescription
idpathstringYesData-subject request id (UUID)

Request body

application/json (required) — schema UpdateGdprStatusBody.

Responses

StatusDescription
200Updated data-subject request
401Missing or invalid credentials
403Token lacks the compliance:write scope
404GDPR request not found
500Internal error

operationId: updateGdprRequestStatus

Get compliance status

plaintext
GET /v1/compliance/status

Runs the compliance checks (encryption, audit, access controls) and returns each check's result plus an overall score.

Auth: Bearer API key

Responses

StatusDescription
200Compliance checks and overall score
401Missing or invalid credentials
403Token lacks the compliance:read scope
500Internal error

operationId: getComplianceStatus