v1.1.0 · Updated February 2026

API Documentation

Enterprise-grade PII detection and anonymisation across 10 global compliance frameworks.

GDPR HIPAA CCPA PCI-DSS LGPD PIPEDA DPDPA POPIA PDPA APPI
Base URL: https://api.comply-tech.co.uk
Swagger UI: https://api.comply-tech.co.uk/swagger

1 Getting Started

Every request requires an API key passed via the X-Api-Key header. When you omit the frameworks field, the API automatically uses all frameworks your plan includes.

Quick Example

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "Contact John Smith at john.smith@example.com", "contentType": "text", "strategy": "Redact" }'

Example Response

{ "requestId": "A3F9C2B1", "processedAt": "2026-02-23T10:00:00Z", "anonymisedContent": "Contact [NAME REDACTED] at [EMAIL REDACTED]", "summary": { "totalPiiDetected": 2, "totalReplaced": 2, "byCategory": { "Name": 1, "Email": 1 }, "byFramework": { "GDPR": 2 }, "bySeverity": { "Medium": 2 }, "averageConfidence": 0.94, "lowestConfidence": 0.90, "highestConfidence": 0.98, "matches": [ { "category": "Email", "originalValue": "john.smith@example.com", "startIndex": 30, "endIndex": 52, "confidence": 0.98, "framework": "GDPR", "severity": "Medium" } ] }, "risk": { "score": 16, "level": "Low", "frameworksAffected": 1, "categoriesFound": 2 }, "metadata": { "processingTimeMs": 3, "engineVersion": "1.1.0", "patternsEvaluated": 2, "contentLength": 52, "contentType": "text", "fieldsProcessed": 1, "minConfidenceApplied": 0.0 } }

Authentication

MethodFormatExample
Header (recommended)X-Api-Key: {key}X-Api-Key: ct_live_abc123...
Query parameter?api_key={key}?api_key=ct_live_abc123...

Response Headers

Every authenticated response includes rate limit and quota information in HTTP headers.

HeaderExampleDescription
X-RateLimit-Limit60Requests allowed per minute
X-RateLimit-Remaining55Requests remaining in current window
X-RateLimit-Reset42Seconds until window resets
X-Quota-Limit25000Monthly field quota
X-Quota-Used1234Fields processed this month
X-Quota-Remaining23766Fields remaining this month

2 Plans & Pricing

PlanMonthly FieldsRate LimitFrameworksPrice
Free2,00010 req/minGDPR£0
Starter25,00060 req/minGDPR, CCPA£29/mo
Pro150,000120 req/minGDPR, CCPA, HIPAA, PCI-DSS, LGPD, PIPEDA£99/mo
EnterpriseCustom300 req/minAll 10 frameworks£499+/mo

Billing Metric — Fields Processed

Usage is measured by the number of fields scanned, not raw request count:

Every response includes metadata.fieldsProcessed so you can track consumption per request.

Framework Access & Quota Rules

3 Endpoints

POST /api/v1/anonymise

Request Body

FieldTypeRequiredDefaultDescription
contentstringYesText, JSON string, or CSV. Max 500 KB.
contentTypestringNo"text""text", "json", or "csv"
strategystringNo"Redact""Redact", "Mask", or "Pseudonymise"
frameworksstring[]Noall for planCompliance frameworks to apply
targetCategoriesstring[]NoallRestrict to specific PII categories
includeReportboolNotrueInclude detection summary in response
minimumConfidencenumberNo0.0Only process matches at or above this confidence (0.0–1.0)
allowListstring[]No[]Known-safe values to exclude

summary is null when includeReport: false. risk and metadata are always included.

POST /api/v1/detect
FieldTypeRequiredDefaultDescription
contentstringYesContent to scan
contentTypestringNo"text""text", "json", or "csv"
frameworksstring[]Noall for planCompliance frameworks to apply
minimumConfidencenumberNo0.0Filter out matches below this threshold
allowListstring[]No[]Known-safe values to exclude
GET /api/v1/usage
This endpoint does not count toward your monthly usage quota.
FieldDescription
planYour plan tier (Free, Starter, Pro, Enterprise)
monthlyQuotaTotal monthly field quota (-1 = unlimited)
currentMonthUsage.fieldsProcessedFields processed so far this month
currentMonthUsage.requestsNumber of API requests this month
quotaRemainingFields remaining (-1 = unlimited)
rateLimitPerMinuteYour per-minute request limit
periodStart / periodEndCurrent billing period (UTC)
GET /api/v1/frameworks

Use /api/v1/frameworks/{name} to get details for a specific framework. Name is case-insensitive.

GET /api/v1/audit

Every anonymise/detect request is logged with a SHA-256 content hash for non-repudiation.

ParamTypeDefaultDescription
pageint1Page number
pageSizeint20Items per page (max 100)
POST /api/v1/batch

Submit up to 100 anonymise/detect requests in a single call. Returns a job ID immediately (202 Accepted). Poll GET /api/v1/batch/{jobId} for results, or provide a webhookUrl for completion notification.

FieldTypeRequiredDescription
itemsarrayYes1–100 items to process
items[].typestringYes"anonymise" or "detect"
items[].requestobjectYesSame schema as the respective endpoint
webhookUrlstringNoHTTPS URL to receive POST on completion

Batch Job Statuses

StatusMeaning
pendingJob queued, not yet started
processingAt least one item is being processed
completedAll items finished (individual items may have status: "failed")

Webhook Headers

HeaderDescription
X-ComplyTech-SignatureLowercase-hex HMAC-SHA256 of the raw JSON body. The HMAC key is the uppercase-hex SHA-256 digest of your raw API key (not the raw key itself).
X-ComplyTech-EventEvent type (batch.completed)

Verifying the signature

import hashlib, hmac # The signing key is the UPPERCASE hex SHA-256 of your raw API key key_hash = hashlib.sha256(raw_api_key.encode()).hexdigest().upper() # Signature is lowercase hex expected = hmac.new(key_hash.encode(), payload_bytes, hashlib.sha256).hexdigest() assert hmac.compare_digest(expected, request.headers["X-ComplyTech-Signature"])
Webhooks have a 5-second timeout and are fire-once (no retries in v1). Use GET /api/v1/batch/{jobId} as a fallback.
GET /health
{ "status": "healthy", "product": "ComplyTech PII Anonymisation API", "version": "1.0.0", "timestamp": "2026-02-23T10:00:00Z", "checks": { "database": "ok" } }

status is "healthy" when the database is reachable and "degraded" otherwise (checks.database becomes "unavailable"). The endpoint always returns HTTP 200 regardless, for liveness-probe compatibility. There is no documentation field.

4 Content Types

Plain Text — "text"

Free-form text. Suitable for log files, emails, support tickets, and notes.

{ "content": "Patient John Doe, DOB 12/05/1980, MRN 00123456", "contentType": "text", "frameworks": ["HIPAA"], "strategy": "Redact" }

JSON — "json"

Pass a JSON object as a string. All string values are scanned recursively. The response anonymisedContent is a valid JSON string with PII replaced.

{ "content": "{\"firstName\":\"Alice\",\"email\":\"alice@corp.com\", \"address\":{\"street\":\"10 Downing St\"}}", "contentType": "json", "frameworks": ["GDPR"], "strategy": "Pseudonymise" }

CSV — "csv"

CSV with a header row. Each cell is scanned independently; column headers are preserved.

{ "content": "name,email,phone\n John Smith,john@example.com,07700900123\n Jane Doe,jane@example.com,07700900456", "contentType": "csv", "frameworks": ["GDPR"], "strategy": "Mask" }

5 Anonymisation Strategies

StrategyWhat it doesInputOutput
RedactReplaces PII with a clear labeljohn@example.com[EMAIL REDACTED]
MaskPartially hides the valuejohn@example.comj***@*******.com
PseudonymiseReplaces with realistic fake datajohn@example.comsarah.jones@outlook.com
Pseudonymise is fully deterministic — the same input value always produces the same replacement, across requests, application restarts, and server instances (the fake is seeded from a SHA-256 hash of the input value). The mapping is one-way: it is not reversible and no lookup table is retained. This keeps pseudonymised data internally consistent and relatable for testing, analytics, and development workflows.

6 Compliance Frameworks

ComplyTech supports 10 global compliance frameworks. Access is gated by your plan tier. You can combine multiple frameworks in one request.

FrameworkRegionPlan RequiredKey PII Covered
GDPREuropean UnionFree+Name, Email, Phone, DOB, Address, National ID, IP, Passport, Biometrics, GUIDs, Coordinates, Crypto
CCPACalifornia, USAStarter+Name, Email, SSN, Driver's Licence, IP, DOB, GUIDs, Coordinates, Crypto
HIPAAUnited StatesPro+Name, MRN, DOB, Phone, Email, Device ID, Biometrics, Health Plan IDs, GUIDs, Coordinates
PCI-DSSGlobalPro+Credit Card, Bank Account, Sort Code, IBAN, Crypto
LGPDBrazilPro+Name, Email, Phone, CPF, Address, DOB, IP, Credit Card, Passport, Biometrics
PIPEDACanadaPro+Name, Email, Phone, SIN, Address, DOB, IP, Credit Card, MRN, Biometrics
DPDPAIndiaEnterpriseName, Email, Phone, Aadhaar, Address, DOB, IP, Credit Card, Passport, Biometrics
POPIASouth AfricaEnterpriseName, Email, Phone, SA ID, Address, DOB, IP, Credit Card, Passport, Biometrics
PDPASingapore / ThailandEnterpriseName, Email, Phone, NRIC, Address, DOB, IP, Credit Card, Passport, Coordinates
APPIJapanEnterpriseName, Email, Phone, My Number, Address, DOB, IP, Credit Card, Passport, Biometrics

7 DOB Date Format Support

Context-prefixed dates — with keywords such as DOB:, Date of Birth:, or born — are detected with high confidence (0.92). Standalone dates without context are detected at lower confidence (0.60).

FormatExampleConfidence
Slash separatorDOB: 12/03/19850.92
Dash separatorborn 12-03-19850.92
Dot separatorDOB: 12.03.19850.92
ISO YYYY-MM-DDDate of Birth: 1985-03-120.92
Written month (UK)born 12 March 19850.92
Written month (US)DOB: March 12, 19850.92
Abbreviated monthDOB: 12 Mar 19850.92
Ordinal suffixesborn 1st January 19900.92
Standalone (no context)12.03.1985, 1985-03-120.60
Use minimumConfidence: 0.85 to exclude standalone dates while keeping all labelled DOBs.

8 Risk Scoring

Every response includes a risk object that quantifies the compliance exposure of the scanned content.

FieldDescription
score0–100. Weighted sum: Critical=25pts, High=15pts, Medium=8pts, Low=3pts per match. Capped at 100.
levelNone (0) • Low (1–25) • Medium (26–50) • High (51–75) • Critical (76–100)
bySeverityMatch count per severity tier
frameworksAffectedNumber of distinct compliance frameworks with findings
categoriesFoundNumber of distinct PII categories found
Use the risk score to prioritise remediation — a document scoring 85 needs attention before one scoring 12.

9 Severity Levels

Each PII match includes a severity field based on the category's sensitivity:

SeverityCategoriesRationale
CriticalCreditCardNumber, SSN, BankAccountNumber, IBAN, NationalId, Passport, Biometric, Password, ApiKey, CPF, Aadhaar, SIN, SA ID, My Number, NRICDirect financial loss or identity theft risk
HighMedicalRecordNumber, HealthPlanBeneficiary, DriverLicence, DOB, AccountNumber, SortCode, TaxId, CryptocurrencyAddressHealthcare / financial / strongly identifying
MediumName, Email, Phone, Address, IpAddress, DeviceIdentifier, GeoCoordinatePersonally identifying but not directly exploitable
LowUrl, GuidIndirect identifiers

10 Confidence Filtering

Every PII match has a confidence score between 0.0 and 1.0. Use minimumConfidence to control the precision/recall tradeoff:

ThresholdEffect
0.0 (default)All matches returned — maximum recall, may include false positives
0.7Drops low-confidence patterns like standalone dates and 9-digit numbers
0.85High-precision mode — only well-established patterns
0.95Strictest — only very high confidence matches (email, SSN, credit cards, IPs)
The value you set is echoed back in metadata.minConfidenceApplied for verification.

11 Allow List

Exclude known-safe values from detection. Useful for internal data that looks like PII but isn't.

FormatExampleEffect
Exact match"test@example.com"This specific value is ignored
Domain suffix"@mycompany.com"Any email ending with this domain is ignored
Substring"192.168."Any value containing this string is ignored. Substring matching applies only to entries that contain punctuation (dots, dashes, @, slashes, etc.). Entries composed purely of letters, digits, and spaces — e.g. a name like "Ann" or "John Smith" — are matched exactly and will not suppress longer values that merely contain them. This prevents an entry like "Ann" from accidentally suppressing every value containing the substring "ann".

Per-request example

{ "content": "Contact support@mycompany.com or john@gmail.com", "strategy": "Redact", "allowList": ["@mycompany.com"] } // Output: "Contact support@mycompany.com or [EMAIL REDACTED]"

Persistent allow list (per API key)

Your API key can have a persistent allow list configured via PATCH /admin/keys/{id}.

Persistent and per-request allow lists are merged automatically (deduplicated, case-insensitive). You do not need to include persistent values in every request.

12 PII Categories

Use these values in the targetCategories field to restrict detection to specific types.

Universal

NameEmailPhoneNumberDateOfBirth AddressNationalIdIpAddressUrl TaxIdPassportNumberDriverLicencePassword
Note on Password and ApiKey: these categories are not associated with any compliance framework, so they are never detected by default framework selection. They can only be targeted explicitly via the targetCategories field on POST /api/v1/anonymise. Because POST /api/v1/detect has no targetCategories parameter, /detect cannot surface Password or ApiKey at all. If you need password/API-key redaction, use /anonymise with targetCategories: ["Password"].

Healthcare — HIPAA (Pro+)

MedicalRecordNumberHealthPlanBeneficiaryAccountNumberDeviceIdentifierBiometricIdentifierNhsNumber
NhsNumber — UK NHS number (10 digits, XXX XXX XXXX), covered by GDPR and HIPAA. Context-labelled numbers (e.g. NHS Number: 943 476 5919) are detected at 0.95 confidence and are always flagged, even if mistyped. Standalone XXX XXX XXXX numbers with no surrounding keyword are detected at 0.88 only if they pass the NHS mod-11 check-digit validation — this prevents US-style phone numbers such as 800 555 0199 from being misclassified as NHS numbers.

Financial — PCI-DSS (Pro+)

CreditCardNumberBankAccountNumberSortCodeIban

US-specific — CCPA (Starter+)

SocialSecurityNumber

Region-specific

Cpf(Brazil) Aadhaar(India) Sin(Canada) SaIdNumber(South Africa) MyNumber(Japan) Nric(Singapore)

Technical identifiers

GuidGeoCoordinateCryptocurrencyAddress

13 Error Reference

All errors follow the same shape:

{ "code": "ERROR_CODE", "message": "Human-readable description.", "detail": "Optional additional context." }
HTTPCodeMeaning
400EMPTY_CONTENTContent field is blank
400CONTENT_TOO_LARGEContent exceeds 500 KB
400FRAMEWORK_NOT_AVAILABLERequested framework not in your plan tier
400NO_FRAMEWORKSNo valid frameworks specified
400EMPTY_BATCHBatch request contains no items
400BATCH_TOO_LARGEBatch exceeds 100 items
400INVALID_ITEM_TYPEBatch item type must be "anonymise" or "detect"
400INVALID_WEBHOOK_URLwebhookUrl is not a valid HTTPS URL
401MISSING_API_KEYNo API key provided
403INVALID_API_KEYKey does not exist or has been revoked
403KEY_EXPIREDKey has passed its expiry date
404JOB_NOT_FOUNDBatch job ID does not exist or belongs to another key
429QUOTA_EXCEEDEDMonthly field quota exhausted. Resets 1st of next month.
429RATE_LIMIT_EXCEEDEDToo many requests per minute
500PROCESSING_ERRORUnexpected server error — contact support

14 cURL Examples

Check your usage and quota

curl https://api.comply-tech.co.uk/api/v1/usage \ -H "X-Api-Key: YOUR_API_KEY"

Detect PII — GDPR (all plans)

curl -X POST https://api.comply-tech.co.uk/api/v1/detect \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "John Smith, john@email.com, 07700900123", "contentType": "text", "frameworks": ["GDPR"] }'

Redact PII — HIPAA + PCI-DSS (Pro+)

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "Patient: Jane Doe, DOB: 1980-05-12, Card: 4111111111111111", "contentType": "text", "frameworks": ["HIPAA", "PCI_DSS"], "strategy": "Redact" }'

Redact DOB in various formats

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "Patient born 12 March 1985, DOB: 1985-03-12, recorded as 12.03.1985", "contentType": "text", "frameworks": ["GDPR"], "strategy": "Redact" }'

High-precision detection — filter false positives

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "Order 123456789 for John Smith, email john@corp.com", "contentType": "text", "frameworks": ["GDPR"], "strategy": "Redact", "minimumConfidence": 0.85 }'

Exclude internal data with allow list

curl -X POST https://api.comply-tech.co.uk/api/v1/anonymise \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "content": "admin@mycompany.com forwarded john@gmail.com patient data", "contentType": "text", "frameworks": ["GDPR"], "strategy": "Redact", "allowList": ["@mycompany.com"] }'

Submit a batch with webhook

curl -X POST https://api.comply-tech.co.uk/api/v1/batch \ -H "X-Api-Key: YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "items": [ { "type": "anonymise", "request": { "content": "Email: john@test.com", "strategy": "Redact" } }, { "type": "detect", "request": { "content": "SSN: 123-45-6789", "frameworks": ["CCPA"] } } ], "webhookUrl": "https://your-server.com/webhooks/complytech" }'

View your audit log

curl "https://api.comply-tech.co.uk/api/v1/audit?page=1&pageSize=10" \ -H "X-Api-Key: YOUR_API_KEY"

Poll batch job status

curl https://api.comply-tech.co.uk/api/v1/batch/1 \ -H "X-Api-Key: YOUR_API_KEY"

15 Data Handling & Retention

Content submitted to /anonymise and /detect is processed in memory and never persisted. The audit log stores only a SHA-256 hash of the input plus metadata (request ID, endpoint, content type, match/field counts, timing) — never the raw content or detected values. Application logs never contain raw content or matched PII values.

Batch requests store raw item content transiently while queued and purge it immediately after each item is processed (a sweep also purges any stragglers every 5 minutes); note that anonymised results are retained in the job record so you can poll for them.

No third-party services are called during detection or anonymisation — all processing is in-process (regex + local dictionary + local faker). The only outbound traffic is optional batch webhooks to your URL and nightly encrypted database backups.

Questions? Contact us at contact@comply-tech.co.uk

Contents