Frameworks API
The core of PrivaBase. Every registered framework automatically gets these 9 endpoints. No per-framework code needed: add a framework definition and it's instantly available.
57 Frameworks × 9 Endpoints = 513+ Framework Endpoints
Every framework definition automatically gets all 9 endpoints, with no per-framework code needed. See Supported Frameworks for the full list of 57 framework IDs.
List All Frameworks
GET
/api/v1/frameworks
List all registered regulatory frameworks. Optionally filter by category or jurisdiction.
Query Parameters
| Param | Type | Description |
|---|---|---|
| category | string | Filter: privacy, security, industry, standard |
| jurisdiction | string | Country code, e.g. US, EU |
curl https://api.privabase.com/api/v1/frameworks
curl "https://api.privabase.com/api/v1/frameworks?category=privacy&jurisdiction=US"
Response
{
  "success": true,
  "data": {
    "frameworks": [
      {
        "id": "ccpa",
        "name": "CCPA",
        "shortName": "CCPA",
        "fullName": "California Consumer Privacy Act of 2018",
        "category": "privacy",
        "jurisdiction": { "country": "US", "region": "California" },
        "description": "Consumer rights regarding personal information..."
      }
    ],
    "total": 57,
    "_meta": {
      "categories": ["privacy", "security", "industry", "standard"],
      "filters": { "category": null, "jurisdiction": null }
    }
  }
}
Framework Details
GET
/api/v1/frameworks/:id
Get detailed information about a specific framework including stats on requirements, controls, and rules.
curl https://api.privabase.com/api/v1/frameworks/gdpr
Response
{
  "success": true,
  "data": {
    "id": "gdpr",
    "name": "GDPR",
    "shortName": "GDPR",
    "fullName": "General Data Protection Regulation",
    "category": "privacy",
    "jurisdiction": { "country": "EU", "scope": "..." },
    "description": "...",
    "officialUrl": "https://...",
    "effectiveDate": "2018-05-25",
    "version": "2026.1",
    "stats": {
      "requirements": 15,
      "controls": 15,
      "checkRules": 18,
      "policyTemplates": 5,
      "remediationItems": 12
    },
    "inheritsFrom": null
  }
}
Run Compliance Check
POST
/api/v1/frameworks/:id/check
Run a compliance check against a framework using your business profile. Returns pass/fail per rule with an overall score.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| businessProfile | object | Yes | Business profile with data practice flags |
Business profile fields vary by framework but commonly include:
| Field | Type | Description |
|---|---|---|
| collectsPersonalData | boolean | Whether you collect personal data |
| hasPrivacyPolicy | boolean | Published privacy policy |
| hasConsentMechanism | boolean | Consent collection mechanism |
| hasDataInventory | boolean | Maintained data inventory |
| hasDeletionProcess | boolean | Data deletion process |
| hasBreachNotification | boolean | Breach notification procedure |
| hasDPO | boolean | Data Protection Officer appointed |
| sellsData | boolean | Whether you sell personal data |
| processesHealthData | boolean | Handles health/medical data |
| hasEncryption | boolean | Data encryption at rest/transit |
curl -X POST https://api.privabase.com/api/v1/frameworks/gdpr/check \
  -H "Content-Type: application/json" \
  -d '{
    "businessProfile": {
      "collectsPersonalData": true,
      "hasPrivacyPolicy": true,
      "hasConsentMechanism": true,
      "hasDataInventory": false,
      "hasDeletionProcess": true,
      "hasBreachNotification": false,
      "hasDPO": false,
      "transfersDataInternationally": true
    }
  }'
Response
{
  "success": true,
  "data": {
    "frameworkId": "gdpr",
    "frameworkName": "GDPR",
    "overallScore": 62,
    "passed": 8,
    "failed": 5,
    "total": 13,
    "results": [
      {
        "checkId": "gdpr-check-001",
        "rule": "Privacy Policy Required",
        "status": "pass",
        "severity": "critical"
      },
      {
        "checkId": "gdpr-check-005",
        "rule": "Data Protection Officer",
        "status": "fail",
        "severity": "required",
        "message": "A DPO must be appointed for large-scale processing of personal data"
      }
    ]
  }
}
List Requirements
GET
/api/v1/frameworks/:id/requirements
List all requirements for a framework. Filter by category or severity.
Query Parameters
| Param | Type | Description |
|---|---|---|
| category | string | Filter by requirement category (e.g. transparency, consent, data-subject-rights) |
| severity | string | Filter: critical, required, recommended |
curl "https://api.privabase.com/api/v1/frameworks/ccpa/requirements?severity=critical"
Response
{
  "success": true,
  "data": {
    "frameworkId": "ccpa",
    "frameworkName": "CCPA",
    "requirements": [
      {
        "id": "ccpa-req-001",
        "reference": "§1798.100",
        "title": "Right to Know",
        "description": "Consumers have the right to know what personal information is collected...",
        "category": "transparency",
        "severity": "critical",
        "controlIds": ["ccpa-ctrl-001"]
      }
    ],
    "total": 12
  }
}
Run Gap Assessment
POST
/api/v1/frameworks/:id/assessment
Run a comprehensive gap assessment. Similar to a compliance check but with detailed gap analysis and recommendations.
Request Body
{
  "businessProfile": {
    "collectsPersonalData": true,
    "hasPrivacyPolicy": true,
    "hasOptOutMechanism": false,
    ...
  }
}
curl -X POST https://api.privabase.com/api/v1/frameworks/hipaa/assessment \
  -H "Content-Type: application/json" \
  -d '{"businessProfile": {"processesHealthData": true, "hasEncryption": true, "hasAccessControls": true, "hasAuditLogs": false}}'
Control Mappings
GET
/api/v1/frameworks/:id/controls
Get control-to-requirement mappings. Shows which controls satisfy which requirements.
curl https://api.privabase.com/api/v1/frameworks/soc2/controls
Response
{
  "success": true,
  "data": {
    "frameworkId": "soc2",
    "controls": [
      {
        "id": "soc2-ctrl-001",
        "title": "Access Control Policy",
        "description": "Logical and physical access controls",
        "category": "security",
        "requirementIds": ["soc2-req-001"],
        "implementationGuidance": "Implement role-based access controls..."
      }
    ],
    "total": 14
  }
}
Generate Policy
POST
/api/v1/frameworks/:id/generate-policy
Generate a compliance policy document from framework-specific templates.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| companyName | string | Yes | Your company name |
| website | string | No | Company website URL |
| contactEmail | string | No | Privacy contact email |
| dataTypes | string[] | No | Types of data you collect |
curl -X POST https://api.privabase.com/api/v1/frameworks/gdpr/generate-policy \
  -H "Content-Type: application/json" \
  -d '{
    "companyName": "Acme Corp",
    "website": "https://acme.com",
    "contactEmail": "privacy@acme.com",
    "dpoName": "Jane Smith"
  }'
Response
{
  "success": true,
  "data": {
    "frameworkId": "gdpr",
    "policies": [
      {
        "title": "Privacy Policy",
        "content": "# Privacy Policy for Acme Corp\n\nLast updated: ...\n\n## 1. Data Controller\n...",
        "format": "markdown"
      },
      {
        "title": "Data Processing Agreement",
        "content": "# Data Processing Agreement\n..."
      }
    ],
    "generatedAt": "2026-03-13T..."
  }
}
Remediation Guidance
GET
/api/v1/frameworks/:id/remediation
Get remediation guidance. Optionally filter by specific failed check IDs.
Query Parameters
| Param | Type | Description |
|---|---|---|
| checkIds | string | Comma-separated check IDs to get guidance for |
curl "https://api.privabase.com/api/v1/frameworks/gdpr/remediation?checkIds=gdpr-check-005,gdpr-check-008"
Response
{
  "success": true,
  "data": {
    "frameworkId": "gdpr",
    "guidance": [
      {
        "id": "gdpr-rem-005",
        "title": "Appoint Data Protection Officer",
        "severity": "required",
        "steps": [
          "Determine if DPO appointment is mandatory for your organization",
          "Appoint internal or external DPO with appropriate expertise",
          "Register DPO contact details with supervisory authority",
          "Ensure DPO has access to all data processing activities"
        ],
        "effort": "medium",
        "timeline": "2-4 weeks"
      }
    ]
  }
}
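The check and remediation endpoints chain naturally: failed `checkId` values from a `/check` response become the `checkIds` filter on `/remediation`. The following is an added example, not PrivaBase code; the function names are hypothetical and the sample response is constructed in the shape documented above. It fails closed on an unsuccessful or malformed response, treats any status other than `pass` as a failure, and percent-encodes the framework ID and query before building the URL.

```python
import json
from urllib.parse import quote, urlencode

BASE = "https://api.privabase.com/api/v1/frameworks"  # base URL from the curl examples
# Severity values from the documented `severity` filter; lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "required": 1, "recommended": 2}

# Constructed sample shaped like the documented /check response (the rule name
# and severity of gdpr-check-008 are made up for illustration).
SAMPLE_CHECK_RESPONSE = json.loads("""
{"success": true, "data": {"frameworkId": "gdpr", "results": [
  {"checkId": "gdpr-check-001", "rule": "Privacy Policy Required",
   "status": "pass", "severity": "critical"},
  {"checkId": "gdpr-check-005", "rule": "Data Protection Officer",
   "status": "fail", "severity": "required"},
  {"checkId": "gdpr-check-008", "rule": "Constructed rule",
   "status": "fail", "severity": "critical"}]}}
""")


def failed_checks(response):
    """Return non-passing results, most severe first. Fails closed on bad input."""
    data = response.get("data")
    if response.get("success") is not True or not isinstance(data, dict):
        raise ValueError("check call did not succeed; not treating it as a pass")
    results = data.get("results")
    if not isinstance(results, list):
        raise ValueError("response has no results list")
    # Anything that is not an explicit "pass" counts as a failure.
    failed = [r for r in results if r.get("status") != "pass"]
    # Unknown severities rank ahead of "critical" so they are never ignored.
    return sorted(failed, key=lambda r: SEVERITY_RANK.get(r.get("severity"), -1))


def should_block(failed, block_on=("critical",)):
    """True if any failed check has a blocking or unrecognised severity."""
    return any(r.get("severity") in block_on or r.get("severity") not in SEVERITY_RANK
               for r in failed)


def remediation_url(framework_id, failed):
    """Build the /remediation URL for the failed check IDs, percent-encoding both parts."""
    ids = ",".join(r["checkId"] for r in failed)
    query = urlencode({"checkIds": ids}, safe=",")
    return f"{BASE}/{quote(framework_id, safe='')}/remediation?{query}"


if __name__ == "__main__":
    failed = failed_checks(SAMPLE_CHECK_RESPONSE)
    print(should_block(failed), remediation_url("gdpr", failed))
```

`should_block` is suited to a CI gate: a pipeline step can exit non-zero when it returns true and attach the remediation URL to the build log.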
Evidence Requirements
GET
/api/v1/frameworks/:id/evidence
Get evidence requirements for demonstrating compliance. Lists what documentation and artifacts you need.
curl https://api.privabase.com/api/v1/frameworks/pci-dss/evidence
Response
{
  "success": true,
  "data": {
    "frameworkId": "pci-dss",
    "evidence": [
      {
        "id": "pci-ev-001",
        "title": "Network Diagram",
        "description": "Current network diagram showing all connections to cardholder data",
        "category": "documentation",
        "frequency": "annual",
        "required": true
      },
      {
        "id": "pci-ev-002",
        "title": "Vulnerability Scan Results",
        "description": "Quarterly ASV vulnerability scan results",
        "category": "technical",
        "frequency": "quarterly",
        "required": true
      }
    ]
  }
}
Error Responses
| Status | Description |
|---|---|
| 400 | Missing or invalid businessProfile in request body |
| 404 | Framework not found; check the framework ID |
| 500 | Internal server error |