MemMesh — persistent, self-improving memory for AI agents. Get started →
API ReferenceCompliance

Compliance API

The GDPR / data-subject-rights surface. All routes are under /api/v1/projects/{projectId}/memory-compliance.

⚠️

The data-subject actions (export, hard-delete, audit) require the memory.compliance entitlement (Growth tier and up). Without it the engine returns FEATURE_DISABLED with an upgrade prompt.

Subject export (Art. 15)

POST /memory-compliance/export

Right of access. Returns every memory, pattern, observation, event, and alert fire that references the named subject, in a single bundle a controller can hand to the data subject.

{ "subject": { "kind": "customer", "externalId": "acct-42" } }

Response (the JSON bundle is parsed at the edge):

{
  "subject": { "kind": "customer", "externalId": "acct-42" },
  "export": { "memories": [], "patterns": [], "observations": [], "events": [], "alert_fires": [] },
  "counts": { "memories": 12, "patterns": 3, "observations": 40, "events": 5, "alertFires": 1 },
  "generatedAt": "2026-07-13T00:00:00Z",
  "durationMs": 22
}

Hard delete (Art. 17)

POST /memory-compliance/hard-delete

Right to erasure. Cascade-deletes every artifact tied to a subject — memories, derived patterns + observations, the subject’s events, and the alert fires referencing those events — and writes a single tombstone audit row so the deletion itself stays discoverable.

{
  "subject": { "kind": "customer", "externalId": "acct-42" },
  "reason": "DSR-2026-0142",
  "dryRun": true
}

reason is required (it lands on the tombstone — carry a case id). Set dryRun: true for a counts-only preview that touches no rows:

{
  "subject": { "kind": "customer", "externalId": "acct-42" },
  "memoriesDeleted": 12,
  "patternsDeleted": 3,
  "observationsDeleted": 40,
  "eventsDeleted": 5,
  "alertFiresDeleted": 1,
  "dryRun": true,
  "auditEventId": null,
  "generatedAt": "2026-07-13T00:00:00Z",
  "durationMs": 8
}

Audit log

GET /memory-compliance/audit?subjectKind=…&subjectExternalId=…&actor=…&eventTypes=…&since=…&limit=…

The “who accessed my data and when” surface (Art. 15 + EU AI Act audit-trail). Pass a subject to narrow to one person’s access log. Each row carries actor, eventType, the query, touched memoryIds, resultCount, and parsed metadata.

Installed packs

GET /memory-compliance/packs

List the compliance packs loaded into the engine (HIPAA, GDPR, etc.) — manifests only, surfaced for tenant transparency about which redaction / consent rules are active. Each manifest carries id, version, description, ownsClasses, and regulatoryTags. This route is read-tier and not entitlement-gated.