Overview: Compliance API | Credits: 0.3 per call
Call this before an action to get an allow/block/require_action verdict. It is fast enough to sit in the critical path of application logic.

Parameters

action (string, required): The action to evaluate. Options: process_data, make_decision, share_data, transfer_cross_border, serve_ad, track_user.
session_id (string): Links to a compliance session for stateful context.
context.user_id (string, required): Pseudonymized user identifier.
context.purpose (string, required): Processing purpose (e.g., "credit_scoring", "marketing").
context.data_categories (string[]): Data types involved (e.g., ["pan", "aadhaar", "income"]). Triggers enhanced safeguard checks when sensitive types are present.
context.user_age (integer): If known, triggers S.9 child protection rules for users under 18.
context.jurisdiction (string): Indian state/UT code (e.g., "IN-KA").
context.recipient_jurisdiction (string): For cross-border transfer checks. Country code of the data recipient (e.g., "us", "cn").
Links to a previously emitted consent event.

Rule evaluation order

Rules are evaluated in strict order. The first matching block rule stops evaluation.

Block rules (hard stops)

| Rule | Section | Penalty | Trigger |
| --- | --- | --- | --- |
| No tracking/ads for children | S.9(3) | 200 crore | user_age < 18 AND action is serve_ad or track_user |
| No profiling of minors | S.9(3) | 200 crore | user_age < 18 AND action is make_decision with profiling purpose |
| Cross-border restriction | S.16 | 250 crore | transfer_cross_border to restricted jurisdiction |

Restricted jurisdictions (S.16): cn, pk, kp, ir, iq, af, mm, by, ru, sy

Profiling purposes (blocked for minors): credit_scoring, behavioral_analysis, profiling, risk_scoring, predictive_analytics, personality_assessment

Require-action rules (soft stops)

| Rule | Section | Trigger |
| --- | --- | --- |
| Consent required | S.6 | No active consent for the stated purpose |
| Notice required | S.5 | Notice not yet shown in session |
| Parental consent required | S.9 | Child session without parental consent |

Allow with conditions

| Condition | Section | Trigger |
| --- | --- | --- |
| Accuracy check | S.8(3) | Action is make_decision |
| Security safeguards | S.8(5) | Data categories include sensitive types |
| Processor contract | S.8(2) | Action is share_data |

Sensitive data categories: aadhaar, pan, medical, biometric, genetic, financial, health, sexual_orientation, political_opinion, religious_belief, caste, transgender_status
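
The three tiers above can be modelled locally to unit-test an integration offline. This is an added example, not the service's implementation. Assumptions: the `session` dict and its keys, the labels `obtain_parental_consent`, `accuracy_check` and `processor_contract`, lower-casing the recipient country code, and treating any user under 18 as a child session; collecting every unmet prerequisite follows the sample require_action response on this page.

```python
# Added illustration: a local model of the documented rule order, not the service's code.
RESTRICTED = {"cn", "pk", "kp", "ir", "iq", "af", "mm", "by", "ru", "sy"}
PROFILING = {"credit_scoring", "behavioral_analysis", "profiling", "risk_scoring",
             "predictive_analytics", "personality_assessment"}
SENSITIVE = {"aadhaar", "pan", "medical", "biometric", "genetic", "financial",
             "health", "sexual_orientation", "political_opinion",
             "religious_belief", "caste", "transgender_status"}


def evaluate(action, ctx, session):
    """Return (verdict, items) following the documented three-tier order.

    `session` is a hypothetical dict of booleans (consent_valid, notice_shown,
    parental_consent); the real service derives this state from session_id.
    """
    age = ctx.get("user_age")
    minor = age is not None and age < 18

    # Tier 1: block rules. The first match stops evaluation.
    if minor and action in ("serve_ad", "track_user"):
        return "block", ["S.9(3) no tracking/ads for children"]
    if minor and action == "make_decision" and ctx.get("purpose") in PROFILING:
        return "block", ["S.9(3) no profiling of minors"]
    dest = str(ctx.get("recipient_jurisdiction", "")).lower()
    if action == "transfer_cross_border" and dest in RESTRICTED:
        return "block", ["S.16 cross-border restriction"]

    # Tier 2: require-action rules. Every unmet prerequisite is collected.
    required = []
    if not session.get("notice_shown"):
        required.append("show_notice")
    if not session.get("consent_valid"):
        required.append("obtain_consent")
    if minor and not session.get("parental_consent"):
        required.append("obtain_parental_consent")  # constructed label
    if required:
        return "require_action", required

    # Tier 3: allow, with advisory conditions attached.
    conditions = []
    if action == "make_decision":
        conditions.append("accuracy_check")  # constructed label
    if SENSITIVE & set(ctx.get("data_categories", [])):
        conditions.append("security_safeguards_required")
    if action == "share_data":
        conditions.append("processor_contract")  # constructed label
    return "allow", conditions
```

A minor with a profiling purpose and no consent on record returns block, not require_action, because the block tier runs first.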

Request

curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/dpdp/evaluate \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -d '{
    "action": "process_data",
    "session_id": "sess_abc123def456",
    "context": {
      "user_id": "u_hashed_abc",
      "purpose": "credit_scoring",
      "data_categories": ["pan", "aadhaar", "income"],
      "user_age": 25,
      "jurisdiction": "IN-KA"
    }
  }'

Response: allow

{
  "result": {
    "verdict": "allow",
    "violations": [],
    "conditions": [
      {
        "type": "security_safeguards_required",
        "reason": "S.8(5): Sensitive data categories detected. Implement appropriate technical and organizational safeguards.",
        "action": "Ensure encryption, access controls, and audit logging are in place for aadhaar, pan, income data."
      }
    ],
    "required_actions": [],
    "required_before_proceed": [],
    "session_state": {
      "consent_valid": true,
      "notice_shown": true,
      "child_session": false,
      "open_timers": []
    }
  },
  "credits_consumed": 0.3
}

Response: block

{
  "result": {
    "verdict": "block",
    "violations": [
      {
        "rule": "DPDP.S9.minor_profiling",
        "section": "Section 9(3)",
        "severity": "critical",
        "penalty_crore": 200,
        "description": "Section 9(3) prohibits profiling, behavioral analysis, and automated decision-making that produces legal or similarly significant effects on children.",
        "remediation": "Do not use a child's personal data for profiling or automated scoring. If the purpose is legitimate, collect and process only aggregated, non-identifiable data."
      }
    ],
    "conditions": [],
    "required_actions": [],
    "required_before_proceed": [
      {
        "type": "age_verification",
        "reason": "Confirm the Data Principal is 18+ before proceeding with this action."
      }
    ],
    "session_state": {
      "consent_valid": false,
      "notice_shown": false,
      "child_session": true,
      "open_timers": []
    }
  },
  "credits_consumed": 0.3
}

Response: require_action

{
  "result": {
    "verdict": "require_action",
    "violations": [],
    "conditions": [],
    "required_actions": [
      {
        "type": "show_notice",
        "reason": "S.5: A clear and plain-language notice must be provided to the Data Principal before collecting personal data."
      },
      {
        "type": "obtain_consent",
        "reason": "S.6: Valid consent is required before processing personal data for purpose 'credit_scoring'."
      }
    ],
    "required_before_proceed": [],
    "session_state": {
      "consent_valid": false,
      "notice_shown": false,
      "child_session": false,
      "open_timers": []
    }
  },
  "credits_consumed": 0.3
}

result.verdict (string): "allow", "block", or "require_action". Block verdicts must not be overridden. Require-action verdicts indicate prerequisites that must be fulfilled before proceeding.
result.violations (array): Hard violations that triggered a block. Each entry includes rule, section, severity, penalty_crore, description, and remediation.
result.conditions (array): Conditions attached to an allow verdict. These are advisory but strongly recommended.
result.required_actions (array): Actions that must be completed before proceeding. Each has a type and reason.
result.session_state (object): Current compliance state of the session: consent validity, notice status, child flag, and open timers.
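
Because the verdict gates application logic, the caller should fail closed. The following is an added example of a client-side gate over the response fields described above, not code from the API's SDK. Assumptions: the `enforce` function, its detail labels (`evaluation_unavailable`, `malformed_response`, `inconsistent_allow`, `unknown_verdict`), and that only HTTP 200 carries a usable verdict.

```python
import json

# Constructed sample bodies, trimmed from the response shapes shown on this page.
SAMPLE_BLOCK = json.dumps({"result": {
    "verdict": "block",
    "violations": [{"rule": "DPDP.S9.minor_profiling", "section": "Section 9(3)"}],
    "conditions": [], "required_actions": []}})
SAMPLE_REQUIRE = json.dumps({"result": {
    "verdict": "require_action", "violations": [], "conditions": [],
    "required_actions": [{"type": "show_notice"}, {"type": "obtain_consent"}]}})
SAMPLE_ALLOW = json.dumps({"result": {
    "verdict": "allow", "violations": [], "required_actions": [],
    "conditions": [{"type": "security_safeguards_required"}]}})


def enforce(status_code, body_text):
    """Return (proceed, details); every unexpected input denies (fail closed)."""
    if status_code != 200:  # assumption: only HTTP 200 carries a usable verdict
        return False, ["evaluation_unavailable"]
    try:
        result = json.loads(body_text)["result"]
        verdict = result["verdict"]
        if verdict == "allow":
            # Defensive check: an allow that still lists violations or
            # prerequisites is treated as inconsistent and denied.
            if (result.get("violations") or result.get("required_actions")
                    or result.get("required_before_proceed")):
                return False, ["inconsistent_allow"]
            return True, [c["type"] for c in result.get("conditions", [])]
        if verdict == "require_action":
            return False, [a["type"] for a in result.get("required_actions", [])]
        if verdict == "block":  # block verdicts are never overridden locally
            return False, [v["rule"] for v in result.get("violations", [])]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, ["malformed_response"]
    return False, ["unknown_verdict"]
```

Only an exact "allow" with no outstanding violations or prerequisites lets the action proceed; timeouts, gateway errors, truncated bodies and unrecognized verdict strings all deny.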