Authentication
All API endpoints require authentication via a Supabase Auth bearer token. Include the token in the Authorization header of every request. Tokens are scoped to your organization via Row Level Security (RLS) policies.
```bash
curl -X GET https://complixo.com/api/controls \
  -H "Authorization: Bearer YOUR_SUPABASE_TOKEN" \
  -H "Content-Type: application/json"
```

Full API access requires the Consultant plan. The Professional plan includes the integrations API. All plans have read access to their own data.
Error Responses
All errors return a JSON object with an error field and an appropriate HTTP status code.
| Status | Meaning |
|---|---|
| 400 | Bad Request -- invalid or missing parameters |
| 401 | Unauthorized -- invalid or missing token |
| 403 | Forbidden -- insufficient plan or role |
| 404 | Not Found -- resource does not exist or is not accessible |
| 409 | Conflict -- duplicate resource (e.g. link already exists) |
| 429 | Rate Limited -- too many requests (draft auto-save: 1 per 5s) |
| 500 | Internal Error -- server-side failure |
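The client below is an added example, not Complixo's own library: it attaches the bearer token from the Authentication section, raises a typed exception carrying the JSON `error` field for every status in the table, and throttles draft auto-saves to the documented one per 5 seconds per resource so the client never provokes a 429. The `PATCH` verb for the update endpoint and the injectable transport are assumptions.

```python
"""Added example (not Complixo's own client library): sends the Supabase
bearer token, turns the documented error statuses into exceptions, and
spaces draft auto-saves >= 5 s apart per resource. Transport is injectable."""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://complixo.com"   # host from the curl example above
AUTOSAVE_MIN_INTERVAL = 5.0         # rate limit: 1 draft auto-save per 5 s per resource


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.message = status, message


def urllib_transport(method, url, headers, body):
    """Default transport: perform the request, return (status, body_text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class ComplixoClient:
    def __init__(self, token, transport=urllib_transport,
                 clock=time.monotonic, sleep=time.sleep):
        self.token, self.transport = token, transport
        self.clock, self.sleep = clock, sleep
        self._last_autosave = {}    # resource id -> clock value of last auto-save

    def request(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, text = self.transport(method, BASE_URL + path, headers, body)
        if status >= 400:
            try:                    # every error is {"error": "..."} per the table
                message = json.loads(text).get("error", text)
            except ValueError:
                message = text
            raise ApiError(status, message)
        return json.loads(text) if text else None

    def autosave_draft(self, system_id, fields):
        """Draft update to /api/systems/:id, throttled client-side to the
        1-per-5-s limit. PATCH is an assumption: the page names no verb."""
        elapsed = self.clock() - self._last_autosave.get(system_id, float("-inf"))
        if elapsed < AUTOSAVE_MIN_INTERVAL:
            self.sleep(AUTOSAVE_MIN_INTERVAL - elapsed)
        result = self.request("PATCH", f"/api/systems/{system_id}", fields)
        self._last_autosave[system_id] = self.clock()
        return result
```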
Example error response:

```json
{
  "error": "Title is required (max 150 chars)"
}
```

Applications
Manage AI systems and applications registered in your organization. Each application can be linked to frameworks for compliance tracking.
/api/systems
Create a new application (AI system) in draft status.
Request Body
```json
{
  "name": "Customer Support Chatbot",
  "description": "AI-powered customer service assistant",
  "purpose": "Automated customer support",
  "uses_ai": true,
  "use_case_tags": ["chatbot"],
  "deployment_type": "api",
  "jurisdiction": "EU"
}
```
Response
```json
{ "id": "uuid-of-new-system" }
```

/api/systems/:id
Get full details of a specific application.
Response
```json
{
  "id": "...",
  "name": "Customer Support Chatbot",
  "status": "draft",
  "uses_ai": true,
  "ai_act_category": "limited_risk",
  "version": 1,
  ...
}
```

/api/systems/:id
Update application details, classification, or status. Also supports draft auto-save.
Request Body
```json
{
  "name": "Updated Name",
  "status": "approved",
  "ai_act_category": "high_risk"
}
```
Response
```json
{ "success": true }
```

/api/systems/:id/pdf
Export the application's compliance report as a PDF. Includes all linked frameworks and checks.
Response
(Binary PDF file)

/api/systems/:id/frameworks/:fid
Unlink a framework from an application.
Response
```json
{ "success": true }
```

Frameworks
Browse built-in compliance frameworks (EU AI Act, GDPR, NIS2, DORA) and manage custom frameworks. Toggle framework visibility per organization.
/api/frameworks/:id
Get framework details. Built-in frameworks are accessible to all; custom frameworks only to the owning organization.
Response
```json
{
  "id": "...",
  "name": "EU AI Act",
  "slug": "eu-ai-act",
  "is_builtin": true,
  "is_active": true,
  ...
}
```

/api/frameworks/:id
Update a custom framework (name, description, color, icon). Built-in frameworks cannot be edited.
Request Body
```json
{
  "name": "Internal Security Policy",
  "description": "Company security standards v2",
  "color": "#3B82F6"
}
```
Response
```json
{ "id": "...", "name": "Internal Security Policy", ... }
```

/api/frameworks/:id
Toggle framework visibility for your organization. Works for both built-in and custom frameworks.
Request Body
```json
{ "is_visible": false }
```
Response
```json
{ "ok": true }
```

/api/frameworks/:id
Delete a custom framework. Built-in frameworks cannot be deleted.
Response
```json
{ "success": true }
```

/api/frameworks/:id/templates
Get all compliance check templates for a framework.
Response
```json
[
  {
    "id": "...",
    "title": "Data Protection Impact Assessment",
    "check_key": "dpia",
    "article_reference": "Art. 35",
    "guidance": "...",
    ...
  }
]
```

/api/frameworks/:id/templates
Add a compliance check template to a custom framework.
Request Body
```json
{
  "title": "Security Audit Check",
  "description": "Verify annual security audit completion",
  "article_reference": "Section 4.2",
  "guidance": "Review the latest audit report..."
}
```
Response
```json
{ "id": "...", "title": "Security Audit Check", ... }
```

Controls
Manage compliance controls using a Common Control Framework approach. Map controls to multiple frameworks simultaneously to eliminate duplicate work.
/api/controls
List all controls for your organization. Filter by status, category, or framework.
Response
```json
[
  {
    "id": "...",
    "title": "Access Control Policy",
    "category": "access_control",
    "status": "implemented",
    "mappings": [...],
    ...
  }
]
```

/api/controls
Create a new control.
Request Body
```json
{
  "title": "Access Control Policy",
  "description": "Organization-wide access management",
  "category": "access_control",
  "status": "not_started",
  "due_date": "2026-06-01"
}
```
Response
```json
{ "id": "...", "title": "Access Control Policy", ... }
```

/api/controls/:id
Get control details with framework mappings and assigned profiles.
Response
```json
{
  "id": "...",
  "title": "Access Control Policy",
  "mappings": [...],
  "owner_profile": { "id": "...", "full_name": "..." },
  ...
}
```

/api/controls/:id
Update a control.
Request Body
```json
{
  "status": "implemented",
  "implementation_notes": "Implemented via SSO provider"
}
```
Response
```json
{ "id": "...", "status": "implemented", ... }
```

/api/controls/:id
Delete a control.
Response
```json
{ "ok": true }
```

/api/controls/:id/mappings
Get all framework mappings for a control.
Response
```json
[
  {
    "id": "...",
    "framework_id": "...",
    "framework": { "name": "GDPR", "slug": "gdpr" },
    "framework_reference": "Art. 32"
  }
]
```

/api/controls/:id/mappings
Map a control to a framework. Creates the cross-framework link.
Request Body
```json
{
  "framework_id": "uuid-of-framework",
  "framework_reference": "Art. 32"
}
```
Response
```json
{ "id": "...", "framework_id": "...", ... }
```

/api/controls/:id/mappings?mapping_id=:mid
Remove a framework mapping from a control.
Response
```json
{ "ok": true }
```

Evidence
Manage compliance evidence with approval workflows. Evidence can be linked to controls and includes support for attachments, validity periods, and approval status.
/api/evidence
List all evidence items. Filter by evidence_type, approval_status, period_start, period_end.
Response
```json
[
  {
    "id": "...",
    "title": "Q1 Access Review Export",
    "evidence_type": "export",
    "approval_status": "approved",
    "source": "manual",
    ...
  }
]
```

/api/evidence
Create new evidence and optionally link it to controls.
Request Body
```json
{
  "title": "Q1 Access Review Export",
  "evidence_type": "export",
  "source": "manual",
  "period_start": "2026-01-01",
  "period_end": "2026-03-31",
  "control_ids": ["uuid-1", "uuid-2"]
}
```
Response
```json
{ "id": "...", "title": "Q1 Access Review Export", ... }
```

/api/evidence/:id
Get evidence details with linked controls.
Response
```json
{
  "id": "...",
  "title": "...",
  "approval_status": "pending",
  "evidence_controls": [{ "control_id": "..." }],
  ...
}
```

/api/evidence/:id
Update evidence details, approval status, or linked controls. Supports the approval workflow (pending, under_review, approved, rejected, expired).
Request Body
```json
{
  "approval_status": "approved",
  "control_ids": ["uuid-1"]
}
```
Response
```json
{ "id": "...", "approval_status": "approved", ... }
```

/api/evidence/:id
Delete evidence and its control links.
Response
```json
{ "ok": true }
```

Risks
Manage the risk register with likelihood/impact scoring, treatment plans, and control linkage. Risk scores are computed automatically.
/api/risks
List all risks. Filter by category, status, treatment, min_score, max_score.
Response
```json
[
  {
    "id": "...",
    "title": "Data Breach Risk",
    "category": "technical",
    "likelihood": "medium",
    "impact": "high",
    "risk_score": 12,
    "treatment": "mitigate",
    "status": "in_treatment",
    ...
  }
]
```

/api/risks
Create a new risk entry.
Request Body
```json
{
  "title": "Data Breach Risk",
  "category": "technical",
  "likelihood": "medium",
  "impact": "high",
  "treatment": "mitigate",
  "control_id": "uuid-of-mitigating-control"
}
```
Response
```json
{ "id": "...", "risk_score": 12, ... }
```

/api/risks/:id
Get risk details with linked control and owner profile.
Response
```json
{
  "id": "...",
  "title": "Data Breach Risk",
  "control": { "id": "...", "title": "Encryption Policy" },
  "owner_profile": { "id": "...", "full_name": "..." },
  ...
}
```

/api/risks/:id
Update a risk entry.
Request Body
```json
{
  "status": "closed",
  "likelihood": "low"
}
```
Response
```json
{ "id": "...", "status": "closed", ... }
```

/api/risks/:id
Delete a risk entry.
Response
```json
{ "ok": true }
```

Requirements
Define, track, and link compliance requirements with full traceability to frameworks, controls, test cases, and tasks.
/api/requirements
List all requirements. Filter by status, type, priority, application_id. Includes traceability link counts.
Response
```json
[
  {
    "id": "...",
    "title": "DPIA Required for High-Risk AI",
    "requirement_type": "regulatory",
    "priority": "critical",
    "status": "approved",
    "link_counts": {
      "frameworks": 1,
      "controls": 2,
      "test_cases": 1,
      "tasks": 0
    },
    ...
  }
]
```

/api/requirements
Create a new requirement.
Request Body
```json
{
  "title": "DPIA Required for High-Risk AI",
  "requirement_type": "regulatory",
  "priority": "critical",
  "source": "EU AI Act Art. 27",
  "acceptance_criteria": "DPIA completed and reviewed"
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/requirements/:id
Get requirement details with owner, application, and traceability links.
Response
```json
{
  "id": "...",
  "title": "...",
  "owner_profile": { ... },
  "application": { "id": "...", "name": "..." },
  "links": [...]
}
```

/api/requirements/:id
Update a requirement.
Request Body
```json
{ "status": "verified", "priority": "high" }
```
Response
```json
{ "id": "...", "status": "verified", ... }
```

/api/requirements/:id
Delete a requirement and its traceability links.
Response
```json
{ "ok": true }
```

/api/requirements/:id/links
Get all traceability links for a requirement, enriched with entity names.
Response
```json
[
  {
    "id": "...",
    "linked_type": "control",
    "linked_id": "...",
    "linked_name": "Access Control Policy",
    "link_type": "implements",
    "direction": "outgoing"
  }
]
```

/api/requirements/:id/links
Create a traceability link from a requirement to another entity.
Request Body
```json
{
  "target_type": "control",
  "target_id": "uuid-of-control",
  "link_type": "implements"
}
```
Response
```json
{ "id": "...", "source_type": "requirement", ... }
```

/api/requirements/:id/links?link_id=:lid
Delete a traceability link from a requirement.
Response
```json
{ "ok": true }
```

Testing
Control testing and check management. Manage control checks, deficiency tracking, and effectiveness monitoring.
/api/testing/strategies
List test strategies. Filter by status (draft, active, archived).
Response
```json
[
  {
    "id": "...",
    "title": "Q1 2026 Test Strategy",
    "status": "active",
    "scope": "...",
    "approach": "...",
    ...
  }
]
```

/api/testing/strategies
Create a test strategy with IEEE 829 sections (objectives, risk analysis, environment, etc.).
Request Body
```json
{
  "title": "Q1 2026 Test Strategy",
  "scope": "All high-risk AI systems",
  "approach": "Risk-based testing",
  "objectives": "Validate compliance controls",
  "entry_criteria": "Systems classified",
  "exit_criteria": "All critical tests pass"
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/testing/plans
List test plans. Filter by status, strategy_id, application_id.
Response
```json
[
  {
    "id": "...",
    "title": "GDPR Compliance Test Plan",
    "status": "ready",
    "strategy": { "id": "...", "title": "..." },
    "application": { "id": "...", "name": "..." },
    ...
  }
]
```

/api/testing/plans
Create a test plan linked to a strategy and an application.
Request Body
```json
{
  "title": "GDPR Compliance Test Plan",
  "strategy_id": "uuid-of-strategy",
  "application_id": "uuid-of-app",
  "start_date": "2026-03-01",
  "end_date": "2026-03-31"
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/testing/cases
List test cases. Filter by plan_id, folder, test_type (manual/automated/exploratory), priority.
Response
```json
[
  {
    "id": "...",
    "title": "Verify consent collection",
    "test_type": "manual",
    "priority": "high",
    "folder": "GDPR/Consent",
    ...
  }
]
```

/api/testing/cases
Create a test case.
Request Body
```json
{
  "title": "Verify consent collection",
  "plan_id": "uuid-of-plan",
  "test_type": "manual",
  "priority": "high",
  "preconditions": "User is on signup page",
  "expected_result": "Consent checkbox visible and functional",
  "folder": "GDPR/Consent"
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/testing/cycles
List test cycles with run statistics. Filter by status, plan_id.
Response
```json
[
  {
    "id": "...",
    "title": "Sprint 12 Execution",
    "status": "in_progress",
    "stats": { "passed": 5, "failed": 1, "not_run": 3 },
    ...
  }
]
```

/api/testing/cycles
Create a test execution cycle.
Request Body
```json
{
  "title": "Sprint 12 Execution",
  "plan_id": "uuid-of-plan",
  "status": "not_started"
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/testing/runs
List test runs. Filter by cycle_id, case_id, status. Returns execution details.
Response
```json
[
  {
    "id": "...",
    "test_case": { "id": "...", "title": "..." },
    "status": "passed",
    "run_number": 1,
    "executed_by": "...",
    ...
  }
]
```

/api/testing/runs
Create a test run (execute a test case). The run number is auto-incremented.
Request Body
```json
{
  "test_case_id": "uuid-of-case",
  "cycle_id": "uuid-of-cycle",
  "status": "passed",
  "actual_result": "Consent checkbox displayed correctly",
  "duration_seconds": 120
}
```
Response
```json
{ "id": "...", "run_number": 1, "status": "passed", ... }
```

/api/testing/findings/:id
Get finding details with the related test run, assigned profile, and linked task.
Response
```json
{
  "id": "...",
  "title": "Missing consent checkbox on mobile",
  "severity": "high",
  "status": "open",
  "test_run": { ... },
  "assigned_profile": { ... },
  "task": { ... }
}
```

/api/testing/findings/:id
Update a finding (severity, status, assignment, links).
Request Body
```json
{
  "status": "resolved",
  "severity": "medium"
}
```
Response
```json
{ "id": "...", "status": "resolved", ... }
```

/api/testing/findings/:id
Delete a finding.
Response
```json
{ "ok": true }
```

Tasks
Manage compliance tasks with multi-assignee support, priority levels, tags, and auto-completion tracking.
/api/tasks
List tasks. Filter by status, assigned_to, ai_system_id, priority, from_date, to_date.
Response
```json
[
  {
    "id": "...",
    "title": "Complete DPIA for Chatbot",
    "status": "in_progress",
    "priority": "high",
    "assignees": [...],
    ...
  }
]
```

/api/tasks
Create a task. Supports multiple assignees, or assign_all for the whole team.
Request Body
```json
{
  "title": "Complete DPIA for Chatbot",
  "priority": "high",
  "assignees": ["uuid-1", "uuid-2"],
  "ai_system_id": "uuid-of-system",
  "due_date": "2026-04-01",
  "tags": ["dpia", "gdpr"]
}
```
Response
```json
{ "id": "...", "title": "...", ... }
```

/api/tasks/:id
Get task details with assignees.
Response
```json
{
  "id": "...",
  "title": "...",
  "assignees": [
    { "profile_id": "...", "completed_at": null, "profile": { ... } }
  ],
  ...
}
```

/api/tasks/:id
Update a task. Supports status changes, assignee management, and individual completion (complete_for_me).
Request Body
```json
{
  "status": "done",
  "priority": "urgent"
}
```
Response
```json
{ "id": "...", "status": "done", ... }
```

/api/tasks/:id
Delete a task.
Response
```json
{ "ok": true }
```

/api/tasks/export?format=:fmt
Export tasks as PDF, Excel, CSV, or Word. The format is selected via the query parameter.
Response
(Binary file in requested format)

Traceability Links
Cross-link any entity (requirement, risk, control, test case, task, evidence, framework, finding) for full traceability across your compliance program.
/api/links?entity_type=:type&entity_id=:id
Get all traceability links for an entity, enriched with names.
Response
```json
[
  {
    "id": "...",
    "linked_type": "test_case",
    "linked_id": "...",
    "linked_name": "Verify DPIA completion",
    "link_type": "verifies",
    "direction": "outgoing"
  }
]
```

/api/links
Create a traceability link between any two entities.
Request Body
```json
{
  "source_type": "control",
  "source_id": "uuid",
  "target_type": "risk",
  "target_id": "uuid",
  "link_type": "mitigates"
}
```
Response
```json
{ "id": "...", "source_type": "control", ... }
```

/api/links?link_id=:id
Delete a traceability link.
Response
```json
{ "ok": true }
```

Organization & Export
Manage organization profile and export compliance data in multiple formats (PDF, Excel, CSV, Word).
/api/organizations/profile
Get the organization profile, including sector, jurisdiction, and compliance settings.
Response
```json
{
  "id": "...",
  "name": "Acme Corp",
  "sector": "technology",
  "default_jurisdiction": "EU",
  "org_profile": { ... }
}
```

/api/organizations/profile
Update the organization profile and compliance settings.
Request Body
```json
{
  "name": "Acme Corp",
  "sector": "finance",
  "org_profile": { "employee_count": "50-250" }
}
```
Response
```json
{ "id": "...", "name": "Acme Corp", ... }
```

/api/organizations/pdf?format=:fmt
Export the organization-wide compliance report. Supports PDF, Excel, CSV, and Word formats.
Response
(Binary file in requested format)

/api/account/export
Export all personal account data (GDPR data portability).
Response
(JSON export of all account data)

Integrations
Manage external integrations including Jira, Slack, Teams, webhooks, and API keys. Professional plan or higher required.
/api/integrations
List all integrations for your organization.
Response
```json
[
  {
    "id": "...",
    "name": "Jira Cloud",
    "type": "jira",
    "status": "active",
    ...
  }
]
```

/api/integrations
Create a new integration. Admin role required.
Request Body
```json
{
  "name": "Slack Notifications",
  "type": "slack",
  "description": "Post compliance alerts to #compliance channel",
  "config": { "webhook_url": "https://hooks.slack.com/..." }
}
```
Response
```json
{ "id": "...", "status": "inactive", ... }
```

/api/integrations/:id
Get integration details.
Response
```json
{
  "id": "...",
  "name": "Slack Notifications",
  "type": "slack",
  "status": "active",
  "config": { ... },
  ...
}
```

/api/integrations/:id
Update an integration. Admin role required.
Request Body
```json
{
  "status": "active",
  "config": { "webhook_url": "https://..." }
}
```
Response
```json
{ "id": "...", "status": "active", ... }
```

/api/integrations/:id
Delete an integration. Admin role required.
Response
```json
{ "success": true }
```

Audit Trail
All API actions are automatically logged in a hash-chained, tamper-proof audit trail. Export available for administrators.
/api/admin/audit/export?format=:fmt
Export the audit log. Filter by org, action, entity, date range. Supports CSV and JSON. Admin only.
Response
(CSV or JSON audit log export)

Rate Limits & Data Isolation
Row Level Security: All data access is enforced at the database level via Supabase RLS policies. Your API token can only access data belonging to your organization -- there is no risk of cross-tenant data leakage.
Rate Limiting: Draft auto-save endpoints are rate limited to 1 request per 5 seconds per user per resource. Export endpoints are subject to plan-based quotas.
Audit Trail: All write operations (POST, PUT, PATCH, DELETE) are automatically logged in the hash-chained audit trail with actor, timestamp, and change details.
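As an added illustration (not Complixo's code) of what a hash-chained trail gives an administrator who has exported it as JSON: a verifier that walks the chain and reports the first record whose hash or link fails, distinguishing in-place edits, removed records and a truncated tail. The record layout, the all-zero genesis value and the SHA-256 construction are assumptions; the real export's scheme may differ.

```python
"""Added example, not Complixo's code: verifies an exported JSON audit trail.
Assumed record layout (the page says only that the trail is hash-chained with
actor, timestamp and change details): each record carries "prev_hash" (the
previous record's "hash", all-zero for the first) and "hash" = SHA-256 over
the canonical JSON of all its other fields, prev_hash included."""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first record (assumed convention)

def record_hash(record):
    """SHA-256 of the record's fields except 'hash', serialised canonically."""
    payload = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_chain(records, expected_head=None):
    """Return (ok, index_of_first_bad_record_or_None, reason). expected_head is
    an optional out-of-band copy of the last hash; it also catches a cut tail."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev_hash") != prev:
            return False, i, "broken link"      # record removed, inserted or re-hashed
        if rec.get("hash") != record_hash(rec):
            return False, i, "hash mismatch"    # record edited in place
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records), "head mismatch"
    return True, None, "ok"

def build_chain(events):
    """Constructed helper standing in for the server: append events to a chain."""
    chain, prev = [], GENESIS
    for ev in events:
        rec = dict(ev, prev_hash=prev)
        rec["hash"] = record_hash(rec)
        chain.append(rec)
        prev = rec["hash"]
    return chain

def tampered_copy(chain, index, **edits):
    """Copy of the chain with one record edited after the fact."""
    copy = [dict(r) for r in chain]
    copy[index].update(edits)
    return copy

SAMPLE_EVENTS = [   # constructed sample mirroring the write actions the page logs
    {"actor": "user-1", "timestamp": "2026-03-01T10:00:00Z", "action": "POST",
     "entity": "control", "changes": {"title": "Access Control Policy"}},
    {"actor": "user-1", "timestamp": "2026-03-01T10:05:00Z", "action": "PATCH",
     "entity": "control", "changes": {"status": "implemented"}},
    {"actor": "user-2", "timestamp": "2026-03-02T09:00:00Z", "action": "DELETE",
     "entity": "evidence", "changes": {}},
]
```

Because every hash covers the previous one, an edit that is re-hashed to look valid still breaks the link of the record that follows it; only a snapshot of the head hash kept outside the export detects a trail cut at the end.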
Ready to integrate?
Full API access is available on the Consultant plan. Start with a free account and upgrade when you are ready.