API reference: Compliance bundle export

The compliance bundle export API exports compliance bundle definitions as portable JSON and imports them into the current Arbitex instance. Use it to share compliance bundles across organizations, migrate bundles between environments, or archive bundle definitions for compliance documentation.

This API is separate from the full org config backup (/api/admin/orgs/{org_id}/config/export). It operates on individual compliance bundles and supports conflict resolution modes.

All endpoints require admin authentication.

Base path: /api/admin/compliance-bundles-export

---

Endpoints

Method	Path	Description
GET	/api/admin/compliance-bundles-export/{bundle_id}	Export a single compliance bundle
GET	/api/admin/compliance-bundles-export/	Export all compliance bundles
POST	/api/admin/compliance-bundles-export/	Import compliance bundles

---

BundleExportResponse object

Field	Type	Description
name	string	Bundle name (unique per org)
description	string | null	Optional description
regulatory_framework	string	Regulatory framework code, e.g. "SOC2", "HIPAA", "GDPR"
version	string	Bundle definition version
enabled	boolean	Whether the bundle is currently active
seed_rule_mappings	array of strings	Entity type strings mapped to DLP rule associations
exported_at	string	ISO 8601 timestamp of the export
export_version	string	Schema version of the export envelope

---

GET /api/admin/compliance-bundles-export/{bundle_id}

Export a single compliance bundle by its UUID.

Authentication: Admin Bearer token

Path parameters:

Parameter	Type	Description
bundle_id	UUID	The compliance bundle’s UUID

Response 200 OK:

{
  "name": "SOC2-Type-II",
  "description": "SOC 2 Type II compliance bundle — trust service criteria",
  "regulatory_framework": "SOC2",
  "version": "1.2",
  "enabled": true,
  "seed_rule_mappings": [
    "credit_card",
    "ssn",
    "bank_account",
    "driver_license"
  ],
  "exported_at": "2026-03-12T14:30:00.123456Z",
  "export_version": "1.0"
}

Response 404 Not Found:

{ "detail": "Compliance bundle not found" }

---

GET /api/admin/compliance-bundles-export/

Export all compliance bundles for the organization as a JSON array. Suitable for bulk archival or migrating all bundles to another instance.

Authentication: Admin Bearer token

Response 200 OK: Array of BundleExportResponse objects.

[
  {
    "name": "SOC2-Type-II",
    "regulatory_framework": "SOC2",
    "version": "1.2",
    "enabled": true,
    "seed_rule_mappings": ["credit_card", "ssn"],
    "exported_at": "2026-03-12T14:30:00.123456Z",
    "export_version": "1.0"
  },
  {
    "name": "HIPAA-PHI",
    "regulatory_framework": "HIPAA",
    "version": "2.0",
    "enabled": true,
    "seed_rule_mappings": ["name", "dob", "medical_record"],
    "exported_at": "2026-03-12T14:30:00.123456Z",
    "export_version": "1.0"
  }
]

Returns an empty array if no bundles exist.

---

POST /api/admin/compliance-bundles-export/

Import one or more compliance bundles from an exported JSON payload. The request body is an array of BundleExportResponse objects (the same format returned by the GET endpoints).

Authentication: Admin Bearer token

Query parameters:

Parameter	Type	Default	Description
mode	string	"skip"	Conflict resolution: "skip" or "replace"

Conflict resolution modes:

Mode	Behavior
skip	If a bundle with the same name already exists, skip it. The existing bundle is not modified.
replace	If a bundle with the same name already exists, overwrite it with the imported definition.

Request body: Array of BundleExportResponse objects.

[
  {
    "name": "SOC2-Type-II",
    "description": "SOC 2 Type II compliance bundle",
    "regulatory_framework": "SOC2",
    "version": "1.2",
    "enabled": true,
    "seed_rule_mappings": ["credit_card", "ssn", "bank_account"],
    "exported_at": "2026-03-12T14:30:00Z",
    "export_version": "1.0"
  }
]

Response 200 OK — ImportSummaryResponse:

Field	Type	Description
created	integer	Number of new bundles created
skipped	integer	Number of bundles skipped due to name conflicts
replaced	integer	Number of existing bundles overwritten
created_names	array of strings	Names of newly created bundles
skipped_names	array of strings	Names of skipped bundles
replaced_names	array of strings	Names of replaced bundles

{
  "created": 2,
  "skipped": 1,
  "replaced": 0,
  "created_names": ["SOC2-Type-II", "GDPR-Standard"],
  "skipped_names": ["HIPAA-PHI"],
  "replaced_names": []
}

Response 422 Unprocessable Entity: Payload validation failed. The detail field contains a list of validation errors.

Validation checks include:

• name must be a non-empty string
• regulatory_framework must be one of the canonical framework codes (e.g. SOC2, HIPAA, GDPR, PCI-DSS, ISO27001)
• seed_rule_mappings entries must be valid entity type strings from the canonical taxonomy
• version must be a non-empty string

---

Common workflows

Migrate all bundles from one org to another

# Export from source org
curl -s \
  -H "Authorization: Bearer ${SOURCE_ADMIN_TOKEN}" \
  "https://api.arbitex.ai/api/admin/compliance-bundles-export/" \
  > bundles.json

# Import into destination org (replace existing if names conflict)
curl -s -X POST \
  -H "Authorization: Bearer ${DEST_ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d @bundles.json \
  "https://api.arbitex.ai/api/admin/compliance-bundles-export/?mode=replace"

Export a single bundle for archival

# Look up bundle ID first
BUNDLE_ID=$(curl -s \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  "https://api.arbitex.ai/api/admin/compliance-bundles" \
  | jq -r '.[] | select(.name == "SOC2-Type-II") | .id')

# Export it
curl -s \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  "https://api.arbitex.ai/api/admin/compliance-bundles-export/${BUNDLE_ID}" \
  > soc2-bundle.json

---

See also

• Compliance bundles — managing compliance bundles via the admin UI and bundles API
• Config backup API reference — full org config snapshot including compliance bundles
• Policy rule reference — entity type taxonomy used in seed_rule_mappings