GRC
Governance, risk and compliance program — frameworks, controls, evidence, incidents, risks.
SDK: client.grc
Framework
A compliance framework being tracked (SOC 2, ISO, PCI).
REST path: /api/v1/grc/frameworks
Operations: list, get, create, update
SDK
// list — returns only records in the caller's tenant (and app scope, when the JWT carries one); add filters/search:
await client.grc.frameworks.list()
// create — id, tenant_id, app_id, created_at, updated_at and created_by are stamped by the server
// from the caller's JWT, so the payload carries only the framework's own fields (values illustrative):
await client.grc.frameworks.create({
  slug: "soc2",
  name: "SOC 2",
  version: "2017",
})
| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. One of: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| slug | string | Stable human-readable slug for the framework. |
| name | string | Full display name of the framework. |
| version | string | Version or edition of the framework. |
| status | string | Lifecycle status of this framework record. |
| authority | json | Issuing regulatory body. |
| jurisdiction | json | ISO 3166-1 alpha-2 country codes where this framework applies. |
| industries | json | Industry sectors this framework targets. |
| effective_date | date-time | Date the framework came into force. |
| compliance_deadline | date-time | Deadline by which organizations must comply. |
| scope_and_applicability | json | Describes what is in scope for this framework. |
| exemptions_and_exceptions | json | Known exemptions or exceptions under this framework. |
| control_categories | json | Top-level control categories defined by this framework. |
| control_count | number | Cached count of controls under this framework. |
| risk_categories | json | Risk categories addressed by this framework. |
| risk_impact | string | Overall risk impact level associated with non-compliance. |
| assurance_level | string | Assurance level this framework provides when achieved. |
| related_framework_ids | json | IDs of related or overlapping frameworks. |
| derived_from_framework_id | string | ID of the parent framework this one is derived from. |
| penalties | json | Penalty or consequence structure for non-compliance. |
| reporting_requirements | json | Reporting obligations imposed by the framework. |
| certification | string | Certification or opinion type issued on compliance. |
| reference_docs | json | URLs or DOIs pointing to official framework documentation. |
| key_terms | json | Glossary of key terms defined by the framework. |
| tags | json | Free-form tags for filtering. |
Control
A control statement attached to a Framework.
REST path: /api/v1/grc/controls
Operations: list, get, create, update
SDK
// list — returns only records in the caller's tenant (and app scope, when the JWT carries one); add filters/search:
await client.grc.controls.list()
// create — server-stamped fields (id, tenant_id, app_id, created_at, updated_at, created_by) are not
// part of the payload; framework_id must reference an existing Framework (values illustrative):
await client.grc.controls.create({
  framework_id: "rec_01HXEXAMPLE",
  control_ref: "CC6.1",
  name: "Logical and physical access controls",
  description: "Access to systems and data is restricted to authorised users.",
})
| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. One of: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| framework_id | string | ID of the Framework this control belongs to. |
| control_ref | string | Framework-specific control reference number. |
| name | string | Short name of the control. |
| description | string | Full description of the control requirement. |
| category | string | Control category within the framework. |
| objective | string | Control objective statement. |
| implementation_guidance | string | Recommended steps for implementing this control. |
| implementation_maturity | string | Current maturity level of this control's implementation. |
| effectiveness | number | Effectiveness score between 0 and 1. |
| owner_id | string | ID of the Person who owns this control. |
| next_review_date | date-time | Date when this control is next due for review. |
| evidence_ids | json | IDs of Evidence records that support this control. |
| mapped_control_ids | json | IDs of controls in other frameworks that this control maps to. |
| mitigated_risk_ids | json | IDs of Risk records that this control mitigates. |
| related_document_ids | json | IDs of related documents. |
| knowledge_entity_id | string | Bridge to the Knowledge Graph entity for this control. |
| custom_fields | json | Tenant-defined additional fields. |
| tags | json | Free-form tags for filtering. |
Evidence
Evidence collected against a Control.
REST path: /api/v1/grc/evidence
Operations: list, get, create, update
SDK
// list — returns only records in the caller's tenant (and app scope, when the JWT carries one); add filters/search:
await client.grc.evidence.list()
// create — server-stamped fields (id, tenant_id, app_id, created_at, updated_at, created_by) are not
// part of the payload; control_ids references the Controls this item satisfies (values illustrative):
await client.grc.evidence.create({
  control_ids: ["rec_01HXEXAMPLE"],
  name: "IdP MFA enforcement export",
  description: "Export of the identity provider policy showing MFA required for all users.",
  collected_at: "2026-01-01T00:00:00Z",
})
| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. One of: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| control_ids | json | IDs of Controls this evidence satisfies. One evidence item may cover multiple controls. |
| name | string | Short descriptive name of the evidence. |
| description | string | Description of what this evidence demonstrates. |
| evidence_type | string | Classification of the evidence artifact. |
| collection_method | string | How the evidence was collected. |
| document_id | string | ID of the bound source Document, if stored as a Document. |
| chunk_ids | json | IDs of text chunks extracted from the source document. |
| minio_ref | string | Direct MinIO file pointer when not backed by a Document. |
| period | json | Validity window the evidence covers. |
| collected_at | date-time | ISO 8601 timestamp when the evidence was collected. |
| collected_by | string | ID of the user or service that collected the evidence. |
| assessor | string | Name of the external auditor who assessed this evidence, if applicable. |
| assessment_result | string | Outcome of the assessment of this evidence. |
| findings | json | Key findings from the assessment. |
| recommendations | json | Recommendations arising from this evidence review. |
| expiry_date | date-time | Date after which this evidence is no longer considered fresh. |
| next_collection_date | date-time | Date when evidence should next be collected. |
| connector_id | string | ID of the Connector used to collect this evidence automatically. |
| custom_fields | json | Tenant-defined additional fields. |
| tags | json | Free-form tags for filtering. |
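Controls carry evidence_ids and Evidence carries control_ids, so the two link directions can drift apart, and evidence stops counting once expiry_date has passed. The following is an added example, not code from the SDK or this page: it builds a coverage report over Control and Evidence records shaped like the two tables above, flags one-sided links and dangling references, and buckets each control as covered, stale or uncovered. The records are constructed inline (in practice they would come from client.grc.controls.list() and client.grc.evidence.list()); the assumption that assessment_result "pass" marks accepted evidence, and that a null expiry_date means the evidence does not age out, are mine, since the page does not enumerate those values.

```javascript
// Added example (not SDK code): control-coverage report over Control and
// Evidence records shaped like the GRC tables. Assumptions: assessment_result
// "pass" marks accepted evidence; a null expiry_date means no ageing-out.

// Constructed sample records (placeholder ids, not real ones).
const sampleControls = [
  { id: "ctl_1", control_ref: "CC6.1", evidence_ids: ["ev_1", "ev_2"] },
  { id: "ctl_2", control_ref: "CC7.2", evidence_ids: ["ev_3"] },
  { id: "ctl_3", control_ref: "CC8.1", evidence_ids: [] },            // forgot to back-link ev_3
];
const sampleEvidence = [
  { id: "ev_1", control_ids: ["ctl_1"], expiry_date: "2026-04-10T00:00:00Z", assessment_result: "pass" },
  { id: "ev_2", control_ids: ["ctl_1"], expiry_date: "2026-01-01T00:00:00Z", assessment_result: "pass" }, // expired
  { id: "ev_3", control_ids: ["ctl_2", "ctl_3"], expiry_date: null, assessment_result: "pass" },
  { id: "ev_4", control_ids: ["ctl_9"], expiry_date: null, assessment_result: "pass" },                 // dangling
  { id: "ev_5", control_ids: ["ctl_2"], expiry_date: null, assessment_result: "pass", is_deleted: true }, // soft-deleted
];

// Evidence counts toward coverage only if it passed and is still fresh.
function isUsable(ev, now) {
  if (ev.assessment_result !== "pass") return false;
  if (ev.expiry_date && new Date(ev.expiry_date) <= now) return false;
  return true;
}

function coverageReport(controls, evidence, now = new Date()) {
  const ctlById = new Map(controls.map((c) => [c.id, c]));
  const evById = new Map(evidence.map((e) => [e.id, e]));
  const rows = new Map(controls.map((c) => [c.id,
    { control_ref: c.control_ref, status: "uncovered", usable: [], unusable: [], mismatches: [] }]));
  const dangling = []; // evidence pointing at controls that do not exist

  // Forward links: evidence -> control. Soft-deleted evidence is skipped, as a
  // default list query would already exclude it.
  for (const ev of evidence) {
    if (ev.is_deleted) continue;
    for (const cid of ev.control_ids ?? []) {
      const row = rows.get(cid);
      if (!row) { dangling.push(`${ev.id} -> ${cid}`); continue; }
      if (!(ctlById.get(cid).evidence_ids ?? []).includes(ev.id)) {
        row.mismatches.push(`control lacks back-link to ${ev.id}`);
      }
      (isUsable(ev, now) ? row.usable : row.unusable).push(ev.id);
    }
  }

  // Back links: control -> evidence must resolve and must point back.
  for (const ctl of controls) {
    const row = rows.get(ctl.id);
    for (const eid of ctl.evidence_ids ?? []) {
      const ev = evById.get(eid);
      if (!ev) row.mismatches.push(`evidence ${eid} not found`);
      else if (!(ev.control_ids ?? []).includes(ctl.id)) row.mismatches.push(`evidence ${eid} does not list this control`);
    }
    row.status = row.usable.length ? "covered" : row.unusable.length ? "stale" : "uncovered";
  }
  return { rows: Object.fromEntries(rows), dangling };
}

// Usage against the constructed records at a fixed point in time.
const coverage = coverageReport(sampleControls, sampleEvidence, new Date("2026-02-01T00:00:00Z"));
for (const [id, row] of Object.entries(coverage.rows)) {
  console.log(id, row.control_ref, row.status, row.mismatches.join("; "));
}
console.log("dangling:", coverage.dangling);
```

Run with a fixed `now` when the report feeds an audit package, so the freshness verdict is reproducible; a control whose only evidence has expired shows as stale rather than silently dropping to uncovered, which is the case that usually needs a re-collection rather than a new control.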
Incident
A security or compliance incident.
REST path: /api/v1/grc/incidents
Operations: list, get, create, update
SDK
// list — returns only records in the caller's tenant (and app scope, when the JWT carries one); add filters/search:
await client.grc.incidents.list()
// create — server-stamped fields (id, tenant_id, app_id, created_at, updated_at, created_by) are not
// part of the payload (values illustrative):
await client.grc.incidents.create({
  title: "Credential stuffing against customer portal",
  description: "Spike in failed logins from a botnet followed by several successful account takeovers.",
  detected_at: "2026-01-01T00:00:00Z",
})
| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. One of: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| incident_number | string | Human-readable incident reference number. |
| title | string | Short title of the incident. |
| description | string | Detailed description of the incident. |
| category | string | Classification of the incident type. |
| severity | string | Severity rating of the incident. |
| status | string | Current lifecycle status of the incident. |
| detected_at | date-time | ISO 8601 timestamp when the incident was detected. |
| reported_at | date-time | ISO 8601 timestamp when the incident was formally reported. |
| contained_at | date-time | ISO 8601 timestamp when the incident was contained. |
| closed_at | date-time | ISO 8601 timestamp when the incident was closed. |
| realized_risk_ids | json | IDs of Risk records that were realized by this incident. |
| affected_asset_ids | json | IDs of assets affected by this incident. |
| affected_account_ids | json | IDs of accounts affected by this incident. |
| consolidated_investigation_ids | json | IDs of SOC Investigations rolled up into this incident. |
| triggered_by_alert_ids | json | IDs of SOC Alerts that triggered this incident. |
| owner_id | string | ID of the Person who owns this incident. |
| commander_ids | json | IDs of Persons serving as incident commanders. |
| root_cause | string | Root cause analysis summary. |
| lessons_learned | json | Lessons learned from this incident. |
| corrective_action_ids | json | IDs of follow-up tasks created as corrective actions. |
| reportable_to | json | IDs of regulators to whom this incident must be reported. |
| reported_to_regulators_at | date-time | ISO 8601 timestamp when the incident was reported to regulators. |
| customer_notified_at | date-time | ISO 8601 timestamp when affected customers were notified. |
| financial_impact | number | Estimated financial impact in USD. |
| mttd_minutes | number | Mean time to detect in minutes. |
| mttr_minutes | number | Mean time to recover in minutes. |
| tags | json | Free-form tags for filtering. |
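The four lifecycle stamps (detected_at, reported_at, contained_at, closed_at) and the regulator fields (reportable_to, reported_to_regulators_at) are what an auditor reads first, so they are worth checking before an incident is closed. The following is an added example, not code from the SDK or this page: it validates that the stamps present on an Incident record do not run backwards, derives time-to-contain and time-to-recover in minutes, flags an unfiled regulator report, and averages recovery time across a set of incidents. The incidents are constructed inline; the definitions of recovery as detected_at to closed_at, and the 72-hour reporting window, are assumptions to be replaced by whatever the obligation in reportable_to actually requires.

```javascript
// Added example (not SDK code): timeline checks and duration metrics for
// Incident records shaped like the GRC table. Assumptions: lifecycle stamps
// are non-decreasing in the order detected -> reported -> contained -> closed;
// recovery is measured detected_at -> closed_at; a regulator report is overdue
// regulatorWindowHours after detection (72 h is a placeholder).

const LIFECYCLE = ["detected_at", "reported_at", "contained_at", "closed_at"];

function minutesBetween(from, to) {
  return Math.round((new Date(to) - new Date(from)) / 60000);
}

function incidentMetrics(incident, { now = new Date(), regulatorWindowHours = 72 } = {}) {
  const issues = [];
  if (!incident.detected_at) issues.push("detected_at missing");

  // Stamps that are present must not run backwards.
  let prev = null;
  for (const key of LIFECYCLE) {
    if (!incident[key]) continue;
    if (prev && new Date(incident[key]) < new Date(incident[prev])) issues.push(`${key} precedes ${prev}`);
    prev = key;
  }

  const d = incident.detected_at;
  const contain_minutes = d && incident.contained_at ? minutesBetween(d, incident.contained_at) : null;
  const recovery_minutes = d && incident.closed_at ? minutesBetween(d, incident.closed_at) : null;

  // Reporting obligation: reportable_to set but no reported_to_regulators_at stamp.
  let regulator_report_overdue = false;
  if (d && (incident.reportable_to ?? []).length && !incident.reported_to_regulators_at) {
    regulator_report_overdue = minutesBetween(d, now) > regulatorWindowHours * 60;
    if (regulator_report_overdue) issues.push("regulator report overdue");
  }
  return { id: incident.id, contain_minutes, recovery_minutes, regulator_report_overdue, issues };
}

// Fleet-level MTTR: mean recovery_minutes over incidents that have closed.
function meanTimeToRecover(incidents, opts) {
  const closed = incidents.map((i) => incidentMetrics(i, opts).recovery_minutes).filter((m) => m !== null);
  return closed.length ? closed.reduce((a, b) => a + b, 0) / closed.length : null;
}

// Constructed sample incidents (placeholder ids, not real ones).
const sampleIncidents = [
  { id: "inc_1", detected_at: "2026-01-05T08:00:00Z", reported_at: "2026-01-05T09:00:00Z",
    contained_at: "2026-01-05T12:00:00Z", closed_at: "2026-01-07T08:00:00Z",
    reportable_to: ["reg_1"], reported_to_regulators_at: "2026-01-06T10:00:00Z" },
  { id: "inc_2", detected_at: "2026-01-20T00:00:00Z", contained_at: "2026-01-19T23:00:00Z", // clock skew
    reportable_to: ["reg_1"], reported_to_regulators_at: null },                            // never filed
  { id: "inc_3", detected_at: "2026-01-28T06:00:00Z", closed_at: "2026-01-28T18:00:00Z", reportable_to: [] },
];

const asOf = { now: new Date("2026-02-01T00:00:00Z") };
for (const inc of sampleIncidents) console.log(incidentMetrics(inc, asOf));
console.log("MTTR minutes:", meanTimeToRecover(sampleIncidents, asOf));
```

A negative contain_minutes (inc_2 above) almost always means the stamps came from two differently-skewed clocks rather than a genuinely impossible timeline; treat it as a data-quality finding on the record, and fix the source before the number lands in an mttr_minutes field.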
Risk
A GRC risk record, distinct from operational RiskItem.
REST path: /api/v1/grc/risks
Operations: list, get, create, update
SDK
// list — returns only records in the caller's tenant (and app scope, when the JWT carries one); add filters/search:
await client.grc.risks.list()
// create — server-stamped fields (id, tenant_id, app_id, created_at, updated_at, created_by) are not
// part of the payload; inherent_rating and residual_rating are computed, not supplied (values illustrative):
await client.grc.risks.create({
  title: "Credential stuffing against customer portal",
  description: "Reused passwords from third-party breaches are replayed against the login endpoint.",
  inherent_likelihood: 4,
  inherent_impact: 5,
})
| Field | Type | Description |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | Where the write originated. Defaults to 'api'. One of: frontend, backend, server, system, api. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| title | string | Short descriptive title for the risk. |
| description | string | Detailed description of the risk scenario and its potential impact. |
| category | string | Domain category of the risk. |
| owner_id | string | ID of the Person who owns this risk. |
| asset_ids | json | IDs of knowledge-graph asset entities threatened by this risk. |
| threat_actor_ids | json | IDs of knowledge-graph threat actor entities posing this risk. |
| inherent_likelihood | number | Inherent likelihood score (1–5) before controls are applied. |
| inherent_impact | number | Inherent impact score (1–5) before controls are applied. |
| inherent_rating | number | Computed inherent risk rating (inherent_likelihood × inherent_impact, range 1–25). |
| residual_likelihood | number | Residual likelihood score (1–5) after controls are applied. |
| residual_impact | number | Residual impact score (1–5) after controls are applied. |
| residual_rating | number | Computed residual risk rating (residual_likelihood × residual_impact, range 1–25). |
| mitigating_control_ids | json | IDs of Controls that mitigate this risk. |
| treatment | string | Selected risk treatment approach. |
| treatment_rationale | string | Explanation of why this treatment was chosen. |
| status | string | Current lifecycle status of the risk. |
| acceptance_level | string | Delegation level for risk acceptance. |
| accepted_by | string | ID of the Person who formally accepted this risk. |
| accepted_at | date-time | ISO 8601 timestamp when the risk was formally accepted. |
| next_review_date | date-time | Date when this risk is next due for reassessment. |
| last_assessed_at | date-time | ISO 8601 timestamp of the most recent assessment. |
| assessment_notes | string | Notes from the most recent assessment. |
| realized_incident_ids | json | IDs of Incidents that realized this risk. |
| tags | json | Free-form tags for filtering. |
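The table defines the rating arithmetic (likelihood × impact on 1–5 scales) but leaves the consistency rules to the caller: a residual rating should not exceed the inherent one, a residual reduction needs at least one entry in mitigating_control_ids to justify it, and an accepted risk needs accepted_by and accepted_at. The following is an added example, not code from the SDK or this page: it validates the scores, computes both ratings, bands them into levels, runs those checks, and returns the patch an update() call would carry. The records are constructed inline; the level bands, the treatment value "accept" and the control-backing rule are my assumptions, as the page does not enumerate treatment or status values.

```javascript
// Added example (not SDK code): scoring and consistency checks for Risk
// records shaped like the GRC table. The rating formula is the page's; the
// level bands, the treatment value "accept" and the control-backing rule are
// assumptions.

function score(which, likelihood, impact) {
  for (const [label, v] of [["likelihood", likelihood], ["impact", impact]]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) {
      throw new RangeError(`${which} ${label} must be an integer 1-5, got ${v}`);
    }
  }
  return likelihood * impact; // 1..25
}

// Assumed banding of the 1..25 product.
function level(rating) {
  if (rating >= 16) return "critical";
  if (rating >= 10) return "high";
  if (rating >= 5) return "medium";
  return "low";
}

// A risk without residual scores is rejected here; relax if your workflow
// records residual scores only after controls are assigned.
function assessRisk(risk, now = new Date()) {
  const inherent_rating = score("inherent", risk.inherent_likelihood, risk.inherent_impact);
  const residual_rating = score("residual", risk.residual_likelihood, risk.residual_impact);
  const issues = [];
  if (residual_rating > inherent_rating) issues.push("residual rating exceeds inherent rating");
  if (residual_rating < inherent_rating && !(risk.mitigating_control_ids ?? []).length) {
    issues.push("residual reduction claimed without mitigating controls");
  }
  if (risk.treatment === "accept" && !(risk.accepted_by && risk.accepted_at)) {
    issues.push("accepted risk lacks accepted_by/accepted_at");
  }
  if (risk.next_review_date && new Date(risk.next_review_date) < now) issues.push("reassessment overdue");
  // Only the computed fields are written back; the rest of the record is untouched.
  const patch = { inherent_rating, residual_rating, last_assessed_at: now.toISOString() };
  return { id: risk.id, patch, inherent_level: level(inherent_rating), residual_level: level(residual_rating), issues };
}

// Constructed sample risks (placeholder ids, not real ones).
const sampleRisks = [
  { id: "rsk_1", title: "Credential stuffing against customer portal",
    inherent_likelihood: 4, inherent_impact: 5, residual_likelihood: 2, residual_impact: 3,
    mitigating_control_ids: ["ctl_1"], treatment: "mitigate", next_review_date: "2026-06-01T00:00:00Z" },
  { id: "rsk_2", title: "Unpatched build runners",
    inherent_likelihood: 3, inherent_impact: 4, residual_likelihood: 4, residual_impact: 4,
    mitigating_control_ids: [], treatment: "accept", accepted_by: null, accepted_at: null,
    next_review_date: "2025-12-01T00:00:00Z" },
];

const assessedAt = new Date("2026-02-01T00:00:00Z");
for (const risk of sampleRisks) console.log(assessRisk(risk, assessedAt));
```

Run this before calling update() so that a record never carries a residual_rating the controls do not support; the issues list is what a reviewer would want attached to the assessment_notes field rather than silently corrected.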