# Compliance API

> Regulatory compliance API for AI systems. Dedicated India DPDP endpoints with PII scanning, consent management, and breach notification. GDPR, HIPAA, CCPA, and EU AI Act support.

The Compliance API provides two tiers of integration:

1. **General compliance check** (`/compliance/check`) works across all supported frameworks and returns a pass/fail verdict with flagged clauses.
2. **Framework-specific endpoints** offer deep, stateful compliance automation tailored to a specific regulation's lifecycle.

<Info>
  India DPDP is the first framework with dedicated endpoints. GDPR, CCPA, HIPAA, and EU AI Act dedicated endpoints are under active development.
</Info>

***

## General compliance check (all frameworks)

A single endpoint that evaluates content against one or more regulatory frameworks and returns clause-level findings.

| Framework                                           | Code           | Region          | Dedicated API |
| --------------------------------------------------- | -------------- | --------------- | ------------- |
| General Data Protection Regulation                  | `gdpr`         | EU              | Coming soon   |
| California Consumer Privacy Act                     | `ccpa`         | US (California) | Coming soon   |
| Health Insurance Portability and Accountability Act | `hipaa`        | US              | Coming soon   |
| EU Artificial Intelligence Act                      | `eu_ai_act`    | EU              | Coming soon   |
| India Digital Personal Data Protection Act          | `india_dpdp`   | India           | **Available** |
| India AI Governance Guidelines                      | `india_ai_gov` | India           | Coming soon   |

<Card title="POST /compliance/check" icon="code" href="/api-reference/compliance">
  Point-in-time compliance check against any supported framework.
</Card>

***

## India DPDP: dedicated endpoints

The India DPDP API provides 7 endpoints that cover the full compliance lifecycle for the Digital Personal Data Protection Act, 2023. These go beyond point-in-time checks to offer stateful session tracking, event-driven evidence collection, and proactive workflow guidance.

**Base URL:** `https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp`

| Method | Endpoint                                    | Purpose                                                |
| ------ | ------------------------------------------- | ------------------------------------------------------ |
| POST   | [`/scan`](/api-reference/dpdp-scan)         | Scan text for Indian PII, child signals, purpose drift |
| POST   | [`/evaluate`](/api-reference/dpdp-evaluate) | Synchronous allow/block gate before an action          |
| POST   | [`/emit`](/api-reference/dpdp-emit)         | Record compliance events for audit evidence            |
| POST   | [`/require`](/api-reference/dpdp-require)   | Get required actions for current workflow step         |
| POST   | [`/evidence`](/api-reference/dpdp-evidence) | Generate audit-grade evidence packets (Pro+)           |
| POST   | [`/session`](/api-reference/dpdp-session)   | Create or retrieve a compliance session                |
| GET    | [`/timers`](/api-reference/dpdp-timers)     | List active compliance timers                          |

### Enhanced existing endpoints

The existing `/railscore/v1/eval` and `/railscore/v1/agent/tool-result` endpoints also accept optional DPDP parameters. Pass `"dpdp": { "enabled": true }` in your eval request to get Indian PII scanning alongside RAIL dimension scores. The agent tool-result endpoint automatically detects Indian PII and returns `dpdp_flags` when found.

### Typical integration flow

```
1. POST /session       Create a compliance session for the user journey
2. POST /emit          Record notice.shown and consent.granted events
3. POST /evaluate      Gate check before processing data
4. POST /scan          Scan every LLM output for PII (mask or block)
5. POST /require       Check what's needed before communicating a decision
6. POST /evidence      Generate audit packets on demand (Pro+)
7. GET  /timers        Monitor DSR SLAs, breach deadlines, retention windows
```
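
Steps 1 to 4 of this flow as a fail-closed wrapper, added here as an example (not Responsible AI Labs code). Endpoint paths and event names are from this page; the `call` transport and every request and response field name (`user_id`, `session_id`, `event`, `action`, `decision`, `pii_found`, `masked_text`) are assumptions to be replaced with the schema on each endpoint's reference page.

```python
# Added example, not vendor code. Paths and event names are from the page;
# every request/response field name is an ASSUMPTION, not the real schema.
BASE = "/railscore/v1/compliance/dpdp"

class Blocked(Exception):
    """The pipeline refused to process data or release model output."""

def guarded_turn(call, user_id, events, prompt, generate):
    """Run one LLM turn behind the DPDP gate, failing closed.

    call(method, path, body) is an injected transport that returns a dict and
    raises on timeout or non-2xx. events are the notice/consent events the UI
    actually recorded; never emit consent the user did not give.
    """
    try:
        sid = call("POST", BASE + "/session", {"user_id": user_id})["session_id"]
        for name in events:
            call("POST", BASE + "/emit", {"session_id": sid, "event": name})
        verdict = call("POST", BASE + "/evaluate",
                       {"session_id": sid, "action": "process"})
        if verdict.get("decision") != "allow":
            raise Blocked("evaluate did not return allow")
        text = generate(prompt)  # the model runs only after the gate passes
        scan = call("POST", BASE + "/scan", {"session_id": sid, "text": text})
        if not scan.get("pii_found", True):  # a missing field counts as PII
            return text
        masked = scan.get("masked_text")
        if not masked:
            raise Blocked("PII found and no masked text returned")
        return masked
    except Blocked:
        raise
    except Exception as exc:  # transport error or malformed response
        raise Blocked(f"gate step failed: {exc!r}") from exc

def stub_transport(decision="allow", pii=False, fail_on=None):
    """Constructed stand-in for the HTTP client; records the call order."""
    log = []
    replies = {"/session": {"session_id": "s-1"}, "/emit": {},
               "/evaluate": {"decision": decision},
               "/scan": {"pii_found": pii, "masked_text": "[MASKED]" if pii else None}}
    def call(method, path, body):
        log.append(path[len(BASE):])
        if log[-1] == fail_on:
            raise TimeoutError(log[-1])
        return replies[log[-1]]
    return call, log
```

An outage of `/evaluate` or `/scan` surfaces as `Blocked` rather than as unscanned output reaching the user.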

### DPDP sections covered

| Section    | Description                | Endpoints                                            |
| ---------- | -------------------------- | ---------------------------------------------------- |
| S.4        | Purpose limitation         | `/scan` (purpose drift), `/evaluate`                 |
| S.5        | Notice requirements        | `/require`, `/emit`                                  |
| S.6        | Consent                    | `/evaluate`, `/emit`, `/evidence`                    |
| S.8        | Data fiduciary obligations | `/evaluate`, `/scan`, `/require`                     |
| S.9        | Children's data            | `/scan` (child detection), `/evaluate` (block rules) |
| S.11-14    | Data principal rights      | `/require`, `/evidence`, `/timers`                   |
| S.16       | Cross-border transfer      | `/evaluate` (block rules)                            |
| Rule 7     | Breach notification        | `/emit` (auto-timers), `/evidence`                   |
| Rule 13    | SDF annual report          | `/evidence`                                          |
| Rule 14(3) | DSR SLA                    | `/timers`, `/evidence`                               |

***

## GDPR

Currently supported through the [general compliance check](/api-reference/compliance) endpoint with `framework: "gdpr"`. Returns clause-level findings for Articles 5-22 covering lawful basis, data subject rights, DPO requirements, and cross-border transfer rules.

<Note>
  Dedicated GDPR endpoints (consent lifecycle, DPIA automation, DPO dashboard, cross-border transfer assessment) are under development.
</Note>

***

## CCPA

Currently supported through the [general compliance check](/api-reference/compliance) endpoint with `framework: "ccpa"`. Covers consumer rights (right to know, delete, opt-out), sale of personal information, and financial incentive disclosures.

<Note>
  Dedicated CCPA endpoints (opt-out signal handling, CPRA amendments, privacy notice generation) are under development.
</Note>

***

## HIPAA

Currently supported through the [general compliance check](/api-reference/compliance) endpoint with `framework: "hipaa"`. Evaluates PHI handling, minimum necessary standard, BAA requirements, and breach notification obligations.

<Note>
  Dedicated HIPAA endpoints (PHI detection, de-identification verification, BAA compliance tracking) are under development.
</Note>

***

## EU AI Act

Currently supported through the [general compliance check](/api-reference/compliance) endpoint with `framework: "eu_ai_act"`. Covers risk classification, transparency obligations, high-risk system requirements, and prohibited practices.

<Note>
  Dedicated EU AI Act endpoints (risk classification engine, conformity assessment, post-market monitoring) are under development. Aligned with the August 2026 enforcement timeline.
</Note>

***

## India AI Governance

Currently supported through the [general compliance check](/api-reference/compliance) endpoint with `framework: "india_ai_gov"`. Evaluates alignment with India's AI governance guidelines covering fairness, transparency, accountability, and safety.

<Note>
  Dedicated endpoints for India AI governance (model card generation, fairness audit, sector-specific compliance) are under development.
</Note>
