Compliance
Query compliance posture, control evidence, and audit-ready reports for any tenant across ISO 27001, Essential Eight, NIST CSF, SOC 2, and other supported frameworks.
Supported frameworks
| Name | Type | Required | Description |
|---|---|---|---|
| iso_27001 | string | No | ISO/IEC 27001:2022 Information Security Management. |
| essential_eight | string | No | ACSC Essential Eight Maturity Model. |
| nist_csf | string | No | NIST Cybersecurity Framework 2.0. |
| soc2 | string | No | SOC 2 Trust Services Criteria. |
| pci_dss | string | No | PCI DSS v4.0. |
| hipaa | string | No | HIPAA Security Rule. |
| nist_800_171 | string | No | NIST SP 800-171 (CUI protection). |
Get posture for a tenant
```bash
GET /v1/compliance/:tenant_id/posture?framework=essential_eight
```
```json
{
  "tenant_id": "ten_01hxyz",
  "framework": "essential_eight",
  "assessed_at": "2025-06-01T00:00:00Z",
  "overall_maturity": 2,
  "controls": [
    {
      "id": "e8.patch_applications",
      "name": "Patch Applications",
      "maturity": 3,
      "status": "compliant",
      "evidence_count": 14,
      "last_assessed_at": "2025-05-30T00:00:00Z"
    },
    {
      "id": "e8.application_control",
      "name": "Application Control",
      "maturity": 1,
      "status": "gap",
      "evidence_count": 3,
      "last_assessed_at": "2025-05-28T00:00:00Z"
    }
  ]
}
```
List evidence
```bash
GET /v1/compliance/:tenant_id/evidence?filter[control_id]=e8.patch_applications
```
Export audit report
```bash
POST /v1/compliance/:tenant_id/reports
{
  "framework": "iso_27001",
  "format": "pdf",
  "period_start": "2025-01-01",
  "period_end": "2025-06-30"
}
```
Returns a signed URL valid for 15 minutes pointing to the generated PDF report.
Note: Reports are generated asynchronously. Poll `GET /v1/compliance/reports/:report_id` for status, or subscribe to the `compliance.report.ready` webhook event.
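
The following is an added example, not code from this API's vendor: it triages the posture response shown under "Get posture for a tenant" into a worst-first list of controls needing attention. The function name `triage_posture`, the thresholds, and treating any status other than `compliant` as a finding are assumptions; the sample data is the response from this page.

```python
import json
from datetime import datetime

# Posture response copied from the example on this page (embedded so this runs offline).
SAMPLE_POSTURE = json.loads("""
{"tenant_id": "ten_01hxyz", "framework": "essential_eight",
 "assessed_at": "2025-06-01T00:00:00Z", "overall_maturity": 2,
 "controls": [
  {"id": "e8.patch_applications", "name": "Patch Applications", "maturity": 3,
   "status": "compliant", "evidence_count": 14,
   "last_assessed_at": "2025-05-30T00:00:00Z"},
  {"id": "e8.application_control", "name": "Application Control", "maturity": 1,
   "status": "gap", "evidence_count": 3,
   "last_assessed_at": "2025-05-28T00:00:00Z"}]}
""")


def _ts(value):
    # Timestamps end in "Z"; rewrite it so fromisoformat() accepts it on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_posture(posture, target_maturity=2, max_assessment_age_days=7):
    """Return controls needing attention, lowest maturity first.

    Both thresholds are assumptions chosen for illustration; set them from
    your own compliance target and assessment cadence.
    """
    snapshot = _ts(posture["assessed_at"])
    findings = []
    for control in posture["controls"]:
        reasons = []
        if control["status"] != "compliant":  # assumption: anything else is a finding
            reasons.append(f"status={control['status']}")
        if control["maturity"] < target_maturity:
            reasons.append(f"maturity {control['maturity']} < target {target_maturity}")
        age_days = (snapshot - _ts(control["last_assessed_at"])).days
        if age_days > max_assessment_age_days:
            reasons.append(f"last assessed {age_days} days before snapshot")
        if reasons:
            findings.append({"id": control["id"], "maturity": control["maturity"],
                             "age_days": age_days, "reasons": reasons})
    # Lowest maturity first; among equals, the stalest assessment first.
    return sorted(findings, key=lambda f: (f["maturity"], -f["age_days"]))


if __name__ == "__main__":
    for finding in triage_posture(SAMPLE_POSTURE):
        print(finding["id"], "; ".join(finding["reasons"]))
```

The `id` of each finding can be passed as `filter[control_id]` to the evidence endpoint to review what supports the control.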