> ## Documentation Index
> Fetch the complete documentation index at: https://www.trycomp.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# List compliance policies | Comp AI API

> Lists active compliance policies by default. Use includeArchived=true to include archived rows and excludeContent=true when you only need policy metadata.

## OpenAPI

````yaml /openapi.json get /v1/policies
openapi: 3.0.0
info:
  title: Comp AI API
  description: >-
    Compliance automation API for SOC 2, ISO 27001, HIPAA, GDPR, evidence
    collection, policy workflows, Trust Access, security questionnaires,
    integrations, cloud checks, and device compliance.
  version: '1.0'
  contact: {}
servers:
  - url: https://api.trycomp.ai
    description: Production API Server
security: []
tags:
  - name: Attachments
    description: >-
      Generate signed download links for files attached to compliance tasks,
      comments, evidence records, and workflow reviews.
  - name: Audit Logs
    description: >-
      Retrieve audit trails for compliance activity, evidence changes, access
      decisions, and customer-facing security review workflows.
  - name: CloudSecurity
    description: >-
      Run AWS, Azure, and GCP cloud security scans, detect enabled services,
      review findings, and connect cloud posture results to compliance work.
    x-group: Cloud Security
  - name: Comments
    description: >-
      Create and manage collaboration comments on compliance entities such as
      tasks, policies, risks, vendors, and findings.
  - name: Context
    description: >-
      Manage organization context that helps Comp AI tailor policies,
      assessments, and compliance automation to the business.
  - name: Controls
    description: >-
      Manage controls, map them to policies, tasks, framework requirements, and
      evidence document types, and track implementation progress.
  - name: Device Agent
    description: >-
      Register employee devices, submit device compliance check-ins, download
      agent builds, and manage endpoint security status.
  - name: Devices
    description: >-
      Read and manage employee device inventory and Fleet compliance data used
      for endpoint security controls.
  - name: Evidence Export
    description: >-
      Export task evidence, automation evidence, and reviewer-ready evidence
      bundles as PDF or ZIP files.
  - name: Evidence Export (Auditor)
    description: Export all organization evidence for an auditor review package.
  - name: Evidence Forms
    description: >-
      Collect, review, upload, and export structured evidence submissions for
      compliance tasks and document requirements.
  - name: Findings
    description: >-
      Create, review, update, and track audit findings, remediation activity,
      and finding history for an organization.
  - name: Frameworks
    description: >-
      Manage SOC 2, ISO 27001, HIPAA, GDPR, and custom framework instances,
      requirements, scores, and sync history.
  - name: ISMS
  - name: Integrations
    description: >-
      Connect vendor systems, configure OAuth apps, run compliance checks, sync
      employees, manage variables, and collect automated evidence.
  - name: Knowledge Base
    description: >-
      Upload source documents, process them for retrieval, and manage reusable
      manual answers that power questionnaires and AI policy workflows.
  - name: Offboarding Checklist
  - name: Org Chart
    description: >-
      Manage organization chart metadata and evidence used for governance,
      accountability, and audit readiness.
  - name: Organization
    description: >-
      Manage organization profile data, API keys, logos, ownership, role
      notifications, and access approval settings.
  - name: People
    description: >-
      Invite and manage workforce members, training status, device compliance,
      email preferences, and employee evidence records.
  - name: Policies
    description: >-
      Create, version, publish, export, map, and improve compliance policies
      with AI-assisted drafting and approval workflows.
  - name: Questionnaire
    description: >-
      Parse security questionnaires, generate answers from approved evidence,
      save reviewer edits, stream progress, and export completed files.
  - name: Risks
    description: >-
      Create, update, and report on organizational risks with ownership,
      departments, and compliance remediation status.
  - name: Roles
    description: >-
      Create custom roles and resolve permission sets for organization-level
      access control.
  - name: SOA
    description: >-
      Create, auto-fill, review, approve, and export ISO 27001 Statement of
      Applicability documents.
    x-group: Statement of Applicability
  - name: Security Penetration Tests
    description: >-
      Create AI-powered penetration test runs, track progress, inspect findings
      and events, and download markdown or PDF reports.
  - name: Task Automations
    description: >-
      Create, version, run, and inspect automated evidence collection workflows
      attached to compliance tasks.
  - name: Task Management
    description: >-
      Manage task items and attachments linked to operational entities such as
      risks and vendors.
  - name: Tasks
    description: >-
      Manage compliance task lifecycle, assignments, review approvals, evidence
      uploads, policy links, and activity history.
  - name: Timelines
    description: >-
      Track audit and compliance readiness timelines, phases, and review
      milestones for an organization.
  - name: Training
    description: >-
      Record security awareness and HIPAA training completion status and
      generate completion certificates.
  - name: Trust Access
    description: >-
      Manage external Trust Center access requests, NDA signing, grants,
      tokenized document downloads, public FAQs, and reviewer access.
  - name: Trust Portal
    description: >-
      Configure the live Trust Center, custom domain, public overview, FAQs,
      compliance resources, documents, links, and vendor disclosures.
  - name: Uploads
  - name: Vendors
    description: >-
      Manage third-party vendors, global vendor search, risk assessment
      triggers, and Trust Center vendor visibility.
paths:
  /v1/policies:
    get:
      tags:
        - Policies
      summary: List compliance policies
      description: >-
        Lists active compliance policies by default. Use includeArchived=true to
        include archived rows and excludeContent=true when you only need policy
        metadata.
      operationId: PoliciesController_getAllPolicies_v1
      parameters:
        - name: X-Organization-Id
          in: header
          description: >-
            Organization ID (required for session auth, optional for API key
            auth)
          required: false
          schema:
            type: string
        - name: excludeContent
          required: false
          in: query
          description: >-
            When true, omits `content` and `draftContent` from each policy in
            the response. Use this when listing policies to find one by name/ID
            — fetch the full content via GET /v1/policies/{id} after.
          schema:
            type: boolean
        - name: includeArchived
          required: false
          in: query
          description: >-
            When true, includes user-archived and framework-sync-archived
            policies in the response. Defaults to false.
          schema:
            type: boolean
      responses:
        '200':
          description: Policies retrieved successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/PolicyResponseDto'
                    description: Array of policies
                  authType:
                    type: string
                    enum:
                      - api-key
                      - session
                    description: How the request was authenticated
                  authenticatedUser:
                    type: object
                    description: >-
                      Authenticated user information (only present for session
                      auth)
                    properties:
                      id:
                        type: string
                        description: User ID
                        example: usr_abc123def456
                      email:
                        type: string
                        description: User email
                        example: user@company.com
                required:
                  - data
                  - authType
              example:
                data:
                  - id: pol_abc123def456
                    name: Data Privacy Policy
                    description: >-
                      This policy outlines how we handle and protect personal
                      data
                    status: draft
                    content:
                      - type: paragraph
                        attrs:
                          textAlign: null
                        content:
                          - type: text
                            text: >-
                              This policy outlines our commitment to protecting
                              personal data.
                    frequency: yearly
                    department: IT
                    isRequiredToSign: true
                    signedBy: []
                    reviewDate: '2024-12-31T00:00:00.000Z'
                    isArchived: false
                    archivedAt: null
                    createdAt: '2024-01-01T00:00:00.000Z'
                    updatedAt: '2024-01-15T00:00:00.000Z'
                    lastArchivedAt: null
                    lastPublishedAt: '2024-01-10T00:00:00.000Z'
                    organizationId: org_abc123def456
                    assigneeId: usr_abc123def456
                    approverId: usr_xyz789abc123
                    policyTemplateId: null
                authType: session
                authenticatedUser:
                  id: usr_abc123def456
                  email: user@company.com
        '401':
          description: Unauthorized - Invalid authentication or insufficient permissions
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Unauthorized
      security:
        - apikey: []
      x-codeSamples:
        - lang: bash
          label: List policies
          source: >-
            curl --request GET --url "https://api.trycomp.ai/v1/policies"
            --header "X-API-Key: $COMP_AI_API_KEY"
        - lang: bash
          label: List policies (lightweight, no content)
          source: >-
            curl --request GET --url
            "https://api.trycomp.ai/v1/policies?excludeContent=true" --header
            "X-API-Key: $COMP_AI_API_KEY"
        - lang: bash
          label: List policies including archived
          source: >-
            curl --request GET --url
            "https://api.trycomp.ai/v1/policies?includeArchived=true" --header
            "X-API-Key: $COMP_AI_API_KEY"
components:
  schemas:
    PolicyResponseDto:
      type: object
      properties:
        id:
          type: string
          description: The policy ID
          example: pol_abc123def456
        name:
          type: string
          description: Name of the policy
          example: Data Privacy Policy
        description:
          type: string
          description: Description of the policy
          example: This policy outlines how we handle and protect personal data
          nullable: true
        status:
          type: string
          description: Status of the policy
          enum:
            - draft
            - published
            - needs_review
          example: draft
        content:
          type: array
          description: Content of the policy as TipTap JSON (array of nodes)
          example:
            - type: heading
              attrs:
                level: 2
                textAlign: null
              content:
                - type: text
                  text: Purpose
            - type: paragraph
              attrs:
                textAlign: null
              content:
                - type: text
                  text: >-
                    Verify workforce integrity and grant the right access at
                    start, revoke at end.
          items:
            type: object
            additionalProperties: true
        frequency:
          type: string
          description: Review frequency of the policy
          enum:
            - monthly
            - quarterly
            - yearly
          example: yearly
          nullable: true
        department:
          type: string
          description: >-
            Department this policy applies to. May be one of the built-in values
            (none, admin, gov, hr, it, itsm, qms) or a custom department name.
          example: it
          nullable: true
        isRequiredToSign:
          type: boolean
          description: Whether this policy requires a signature
          example: true
        signedBy:
          type: array
          description: List of user IDs who have signed this policy
          example:
            - usr_123
            - usr_456
          items:
            type: string
        reviewDate:
          format: date-time
          type: string
          description: Review date for the policy
          example: '2024-12-31T00:00:00.000Z'
          nullable: true
        isArchived:
          type: boolean
          description: Whether this policy is archived
          example: false
        archivedAt:
          format: date-time
          type: string
          description: When the policy was archived by framework sync
          example: '2024-02-01T00:00:00.000Z'
          nullable: true
        createdAt:
          format: date-time
          type: string
          description: When the policy was created
          example: '2024-01-01T00:00:00.000Z'
        updatedAt:
          format: date-time
          type: string
          description: When the policy was last updated
          example: '2024-01-15T00:00:00.000Z'
        lastArchivedAt:
          format: date-time
          type: string
          description: When the policy was last archived
          example: '2024-02-01T00:00:00.000Z'
          nullable: true
        lastPublishedAt:
          format: date-time
          type: string
          description: When the policy was last published
          example: '2024-01-10T00:00:00.000Z'
          nullable: true
        organizationId:
          type: string
          description: Organization ID this policy belongs to
          example: org_abc123def456
        assigneeId:
          type: string
          description: ID of the user assigned to this policy
          example: usr_abc123def456
          nullable: true
        approverId:
          type: string
          description: ID of the user who approved this policy
          example: usr_xyz789abc123
          nullable: true
        policyTemplateId:
          type: string
          description: ID of the policy template this policy is based on
          example: plt_template123
          nullable: true
      required:
        - id
        - name
        - description
        - status
        - content
        - frequency
        - department
        - isRequiredToSign
        - signedBy
        - reviewDate
        - isArchived
        - archivedAt
        - createdAt
        - updatedAt
        - lastArchivedAt
        - lastPublishedAt
        - organizationId
        - assigneeId
        - approverId
        - policyTemplateId
  securitySchemes:
    apikey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for authentication

````
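The spec above documents the request surface (an `X-API-Key` header, the `excludeContent` and `includeArchived` query flags, an optional `X-Organization-Id` header) and the `PolicyResponseDto` shape, but not what a consumer does with the rows. The following is an added example, written for this page and not part of the Comp AI API reference or any Comp AI SDK. It builds the request exactly as the OpenAPI document describes it (key in the header only, never in the URL), flattens the TipTap `content` array to plain text, and runs a small review over the returned rows: non-published policies, policies that require a signature but have no signers, overdue `reviewDate` values, and published policies with no `approverId`. No network call is made; `SAMPLE_RESPONSE` is constructed from the page's own example plus two invented rows (`pol_archived01`, `pol_ok01`) so the logic can run offline, and `AS_OF` is an assumed "today" for the overdue check.

```python
"""Client-side helpers for GET /v1/policies (Comp AI API).

Added example, not the API's or an SDK's own code. It relies only on what
the OpenAPI document states: X-API-Key header auth, the excludeContent /
includeArchived query flags, the optional X-Organization-Id header, and
the PolicyResponseDto fields. No request is sent; the sample payload is
constructed for the demo.
"""
from __future__ import annotations

import os
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE_URL = "https://api.trycomp.ai"          # from the spec's `servers` entry
AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumed "today" for the overdue check


def build_request(api_key: str, *, exclude_content: bool = False,
                  include_archived: bool = False,
                  organization_id: str | None = None) -> tuple[str, dict[str, str]]:
    """Return (url, headers) for GET /v1/policies.

    The key travels only in the X-API-Key header: putting it in the query
    string would leave it in proxy and server access logs. Flags are emitted
    as the literal "true" the code samples use; absent flags default to false.
    """
    if not api_key:
        raise ValueError("API key is empty; set COMP_AI_API_KEY")
    params: dict[str, str] = {}
    if exclude_content:
        params["excludeContent"] = "true"
    if include_archived:
        params["includeArchived"] = "true"
    url = f"{BASE_URL}/v1/policies"
    if params:
        url += "?" + urlencode(params)
    headers = {"X-API-Key": api_key, "Accept": "application/json"}
    if organization_id:  # optional for API-key auth, required for session auth
        headers["X-Organization-Id"] = organization_id
    return url, headers


def tiptap_to_text(nodes: list[dict]) -> str:
    """Flatten the TipTap JSON `content` array to plain text.

    Text nodes contribute their `text`; block nodes (heading, paragraph,
    listItem) end with a newline so the output stays readable.
    """
    out: list[str] = []

    def walk(node: dict) -> None:
        if node.get("type") == "text":
            out.append(node.get("text", ""))
            return
        for child in node.get("content", []) or []:
            walk(child)
        if node.get("type") in ("heading", "paragraph", "listItem"):
            out.append("\n")

    for node in nodes:
        walk(node)
    return "".join(out).strip()


def review_findings(payload: dict, now: datetime) -> list[dict]:
    """Flag policies that need attention, using only documented fields.

    Archived rows (only present when includeArchived=true) are skipped,
    since they are no longer in force. Returns {"id", "name", "issue"} dicts.
    """
    findings: list[dict] = []
    for p in payload["data"]:
        if p["isArchived"]:
            continue
        issues: list[str] = []
        if p["status"] != "published":
            issues.append(f"status is {p['status']}")
        if p["isRequiredToSign"] and not p["signedBy"]:
            issues.append("requires signature but has no signers")
        if p["reviewDate"]:
            due = datetime.fromisoformat(p["reviewDate"].replace("Z", "+00:00"))
            if due < now:
                issues.append(f"review overdue since {due.date().isoformat()}")
        if p["status"] == "published" and p["approverId"] is None:
            issues.append("published without an approver")
        for issue in issues:
            findings.append({"id": p["id"], "name": p["name"], "issue": issue})
    return findings


# Constructed sample response (first row copied from the page's example;
# the other two rows are invented for the demo, not real Comp AI data).
SAMPLE_RESPONSE = {
    "data": [
        {"id": "pol_abc123def456", "name": "Data Privacy Policy", "status": "draft",
         "content": [
             {"type": "heading", "attrs": {"level": 2, "textAlign": None},
              "content": [{"type": "text", "text": "Purpose"}]},
             {"type": "paragraph", "attrs": {"textAlign": None},
              "content": [{"type": "text", "text": "This policy outlines our commitment to protecting personal data."}]},
         ],
         "isRequiredToSign": True, "signedBy": [], "reviewDate": "2024-12-31T00:00:00.000Z",
         "isArchived": False, "approverId": "usr_xyz789abc123"},
        {"id": "pol_archived01", "name": "Old Remote Work Policy", "status": "published",
         "content": [], "isRequiredToSign": True, "signedBy": [], "reviewDate": None,
         "isArchived": True, "approverId": None},
        {"id": "pol_ok01", "name": "Access Control Policy", "status": "published",
         "content": [], "isRequiredToSign": False, "signedBy": ["usr_123"],
         "reviewDate": "2030-01-01T00:00:00.000Z", "isArchived": False,
         "approverId": "usr_xyz789abc123"},
    ],
    "authType": "api-key",
}

if __name__ == "__main__":
    url, _headers = build_request(os.environ.get("COMP_AI_API_KEY", "example-key"),
                                  exclude_content=True)
    print("GET", url)  # headers deliberately not printed: they carry the key
    for f in review_findings(SAMPLE_RESPONSE, AS_OF):
        print(f"{f['id']} ({f['name']}): {f['issue']}")
```

For an inventory pass, request with `excludeContent=true` and only fetch individual policies by ID when the text is actually needed; that keeps full policy bodies out of the job's logs and memory unless a check requires them. Note that the spec documents only a 401 response for failures and does not describe rate limits or pagination, so a client should not assume either.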