POST /v1/compliance/check
Create Compliance Check
curl --request POST \
  --url https://api.truthlocks.com/v1/compliance/check \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "agent_id": "550e8400-e29b-41d4-a716-446655440000",
  "framework": "soc2",
  "scope": {
    "controls": [
      "CC6.1",
      "CC6.2",
      "CC6.3"
    ]
  }
}
'
{
  "check_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "agent_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "framework": "soc2",
  "scope": {},
  "status": "pending",
  "findings": [
    {
      "finding_id": "<string>",
      "severity": "low",
      "title": "<string>",
      "description": "<string>"
    }
  ],
  "created_at": "2023-11-07T05:31:56Z"
}
Executes an automated compliance assessment for a specific entity (agent, model, dataset, or workflow) against a supported regulation. The check evaluates the entity’s configuration, access patterns, data handling, and audit trail against the regulation’s requirements and produces a compliance determination with detailed findings. Compliance checks are idempotent for the same entity-regulation pair within a 24-hour window. Repeated calls within that window return the cached result.

Authentication

Requires X-API-Key header or Bearer JWT token. Tenant-scoped via X-Tenant-ID.

Request Body

entity_type
string
required
The type of entity to assess. One of:
- agent — a registered machine agent
- model — an AI/ML model
- dataset — a data asset or training dataset
- workflow — an automated workflow or pipeline
entity_id
string
required
The unique identifier of the entity to assess. Must exist within the tenant.
regulation
string
required
The regulation or framework to assess against. Supported values:
- SOC2 — SOC 2 Type II controls
- ISO27001 — ISO 27001 information security management
- GDPR — EU General Data Protection Regulation
- HIPAA — US Health Insurance Portability and Accountability Act
- EU_AI_ACT — EU Artificial Intelligence Act
scope
string
Optional scope qualifier to narrow the assessment. For example, access-control to assess only access-control-related controls, or data-handling for data processing controls. If omitted, a full-scope assessment is performed.

Response

id
string
Unique identifier for the compliance check record. Format: maip-cc:ULID.
entity_type
string
The type of entity that was assessed.
entity_id
string
The identifier of the assessed entity.
regulation
string
The regulation that was assessed.
scope
string
The scope of the assessment. full if no scope was specified.
status
string
The compliance determination. One of:
- compliant — entity meets all assessed requirements
- non_compliant — entity fails one or more critical requirements
- partial — entity meets some but not all requirements
findings
object[]
Detailed list of individual findings from the assessment.
receipt_id
string
The MAIP receipt minted for this compliance check, providing an immutable audit record.
checked_at
string
ISO 8601 timestamp of when the assessment was performed.

Supported Regulations

| Regulation | Controls Assessed | Typical Duration |
| --- | --- | --- |
| SOC2 | Trust Service Criteria (CC1-CC9) | 2-5 seconds |
| ISO27001 | Annex A controls (A.5-A.18) | 2-5 seconds |
| GDPR | Articles 5, 6, 12-22, 25, 32-34 | 3-8 seconds |
| HIPAA | Administrative, Physical, Technical Safeguards | 3-8 seconds |
| EU_AI_ACT | Risk classification, transparency, human oversight | 5-10 seconds |

Authorizations

X-API-Key
string
header
required

API key for machine-to-machine authentication

Body

application/json
agent_id
string<uuid>
required

Agent to evaluate

framework
enum<string>
required

Compliance framework

Available options: soc2, iso27001, hipaa, gdpr
scope
object

Scope parameters for the check

Response

Compliance check created

check_id
string<uuid>
agent_id
string<uuid>
framework
enum<string>
Available options: soc2, iso27001, hipaa, gdpr
scope
object
status
enum<string>
Available options: pending, passed, failed, partial
findings
object[]
created_at
string<date-time>
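As an added example (not TruthLocks' own client code), the following Python builds a request body for this endpoint that is validated against the documented enums, triages the findings of a response, and applies the documented 24-hour idempotency window on the client side. The severity ordering and the blocking policy are assumptions (the page only shows a severity of "low"), and the sample response is constructed.

```python
import uuid
from collections import Counter
from datetime import datetime, timedelta

FRAMEWORKS = {"soc2", "iso27001", "hipaa", "gdpr"}      # documented enum
STATUSES = {"pending", "passed", "failed", "partial"}    # documented enum
SEVERITY_ORDER = ("critical", "high", "medium", "low")   # assumption: page only shows "low"
IDEMPOTENCY_WINDOW = timedelta(hours=24)                 # documented cache window

def build_check_request(agent_id, framework, controls=()):
    """JSON body for POST /v1/compliance/check; rejects values the schema would not accept."""
    uuid.UUID(agent_id)  # agent_id is string<uuid>; ValueError if malformed
    if framework not in FRAMEWORKS:
        raise ValueError(f"unsupported framework: {framework!r}")
    body = {"agent_id": agent_id, "framework": framework, "scope": {}}
    if controls:  # scope.controls as in the curl example above (e.g. SOC 2 CC6.x)
        body["scope"]["controls"] = list(controls)
    return body

def triage(response):
    """Summarise a check response: status, worst finding severity, counts per severity."""
    status = response["status"]
    if status not in STATUSES:
        raise ValueError(f"unexpected status: {status!r}")
    counts = Counter(f["severity"] for f in response.get("findings", []))
    worst = next((s for s in SEVERITY_ORDER if counts[s]), None)
    return {
        "check_id": response["check_id"],
        "status": status,
        "pending": status == "pending",  # poll again; findings may still be incomplete
        "worst_severity": worst,
        "counts": dict(counts),
        "blocked": status == "failed" or worst in ("critical", "high"),  # assumed gating policy
    }

def within_idempotency_window(created_at, now):
    """True when a repeat call for the same agent/framework would hit the 24-hour cache."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # ISO 8601 with Z
    return parse(now) - parse(created_at) < IDEMPOTENCY_WINDOW

# Constructed sample response in the documented shape (not real TruthLocks output).
SAMPLE_RESPONSE = {
    "check_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "agent_id": "550e8400-e29b-41d4-a716-446655440000",
    "framework": "soc2", "scope": {"controls": ["CC6.1", "CC6.2"]}, "status": "partial",
    "findings": [
        {"finding_id": "f-1", "severity": "high", "title": "CC6.1: MFA not enforced", "description": "constructed"},
        {"finding_id": "f-2", "severity": "low", "title": "CC6.2: stale access review", "description": "constructed"},
    ],
    "created_at": "2023-11-07T05:31:56Z",
}
```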