hdls Comply
hdls Comply is a headless, MCP-native compliance & risk backend. It manages controls, evidence, and audits, operated entirely through named tools your AI assistant calls. It stands in for tools like Vanta, Drata — same job, no UI to run.
💬 Just ask
"Create a control for Acme, then show me my controls."
You don't call these tools yourself — just tell your assistant in plain English. Everything below is the reference for when you (or your assistant) want the exact details.
How Comply is organized
The headline entity is the control — start there, then attach the rest to it. Records connect by reference: an evidence record links to a control; an audit links to a framework. The check_run table is an append-only timeline — every change and note lands there and is never edited or deleted.
| Entity | Purpose | Relates to |
|---|---|---|
| control | A control/requirement to be satisfied, mapped to a framework, with monitoring status and semantic search. | framework |
| framework | A compliance standard/framework (SOC 2, ISO 27001, HIPAA…) that controls map to. | — |
| evidence | An artifact (document, screenshot, config, log…) collected to prove a control is satisfied. | control |
| audit | A point-in-time audit engagement against a framework, covering an observation period. | framework |
| check_run | Append-only history of every automated/manual test executed against a control. | control |
Common workflows
Each line is one real sequence of tool calls — your assistant chains them for you.
- Set up a control end to end: create_control → link_evidence → track_status
Tools
Call these at https://hdls.ai/api/mcp/compliance. You must supply the required fields; optional fields refine the call. You never pass tenant_id — it is stamped server-side.
Create
| Tool | What it does | Required | Optional |
|---|---|---|---|
| create_control | Create a new control. | code, title | framework_id, body, category, status, owner, automated |
Update & advance
| Tool | What it does | Required | Optional |
|---|---|---|---|
| link_evidence | Link evidence to a related record. | control_id, title | body, evidence_type, source, storage_ref, collected_at, valid_until |
| run_check | Run a check. | id | — |
| track_status | Track the status of a control. | id | status |
Find & read
| Tool | What it does | Required | Optional |
|---|---|---|---|
| search_controls | Search controls by free-text and/or column filters (tenant-scoped, paginated). | — | search, filters, limit, orderBy |
Field lists come from the product's live schema and are embedded in each tool's own description — read the tool description for the exact, current fields.
Field reference
Every field you can set on each record. Custom fields you add live alongside these in data.
control
| Field | Type | Required | Notes |
|---|---|---|---|
| framework_id | id | | Links to a framework. |
| code | text | Yes | |
| title | text | Yes | Display name. |
| body | text | | |
| category | text | | |
| status | text | | Lifecycle state. |
| owner | text | | |
| automated | true / false | | |
| last_checked_at | timestamp | | |
| data | json | | Free-form JSON — custom fields live here. |
framework
| Field | Type | Required | Notes |
|---|---|---|---|
| code | text | Yes | |
| name | text | Yes | Display name. |
| version | text | | |
| description | text | | |
| data | json | | Free-form JSON — custom fields live here. |
evidence
| Field | Type | Required | Notes |
|---|---|---|---|
| control_id | id | Yes | Links to a control. |
| title | text | Yes | Display name. |
| body | text | | |
| evidence_type | text | | |
| source | text | | |
| storage_ref | text | | |
| collected_at | timestamp | | |
| valid_until | timestamp | | |
| data | json | | Free-form JSON — custom fields live here. |
audit
| Field | Type | Required | Notes |
|---|---|---|---|
| framework_id | id | | Links to a framework. |
| name | text | Yes | Display name. |
| auditor | text | | |
| status | text | | Lifecycle state. |
| period_start | date | | |
| period_end | date | | |
| data | json | | Free-form JSON — custom fields live here. |
Tailor it with custom fields
Add fields without a schema change. add_custom_field defines one, list_custom_fields shows what's defined, and promote_custom_field (admin) shares a personal field with the whole workspace. The value lives in each row's data (JSON) and is set and read through the normal record tools. See Products, tools & custom fields for the full model.
Roles & safety
- Tenant isolation is automatic. Your credential is pinned to one workspace; you never pass tenant_id, and you can only ever see your own data (enforced by Postgres row-level security).
- Role-gated. Permissions run reader < member < admin < owner. Installing a product and promoting a custom field workspace-wide need admin/owner.
- History is append-only. The check_run timeline is never edited or deleted — it's your audit trail.
Connect
On the concierge (https://hdls.ai/api/mcp), run install_product({ slug: "compliance" }) (admin/owner) to enable it for your workspace, then add https://hdls.ai/api/mcp/compliance as a connector in your assistant — see Connect your assistant.
A worked example
The literal call your assistant makes when you ask it to create the headline record:
Tool: create_control
Arguments: {
  "code": "example",
  "title": "Acme Corp"
}
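The full create_control → link_evidence → track_status workflow from "Common workflows", written out as MCP JSON-RPC `tools/call` requests with client-side checks for the required fields and for the rule that tenant_id is never passed. This is an added example, not code from hdls Comply: the `tools/call` envelope follows the MCP specification, the field lists are copied from the tool tables above (the live tool descriptions stay authoritative), and the control id, evidence title and status value are constructed placeholders.

```python
import json
from itertools import count

# Required / optional fields copied from the tool tables on this page.
TOOLS = {
    "create_control": ({"code", "title"},
                       {"framework_id", "body", "category", "status", "owner", "automated"}),
    "link_evidence": ({"control_id", "title"},
                      {"body", "evidence_type", "source", "storage_ref",
                       "collected_at", "valid_until"}),
    "track_status": ({"id"}, {"status"}),
}
_ids = count(1)  # JSON-RPC request ids


def build_call(tool, arguments):
    """Return an MCP `tools/call` JSON-RPC request after checking the arguments."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool}")
    required, optional = TOOLS[tool]
    if "tenant_id" in arguments:
        # The page states tenant_id is stamped server-side; a client never sends it.
        raise ValueError("tenant_id must not be supplied by the client")
    missing = required - set(arguments)
    if missing:
        raise ValueError(f"{tool} missing required field(s): {sorted(missing)}")
    unknown = set(arguments) - required - optional
    if unknown:
        raise ValueError(f"{tool} got field(s) not in the page's table: {sorted(unknown)}")
    return {"jsonrpc": "2.0", "id": next(_ids), "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}


def control_workflow(code, title, control_id, evidence_title, status):
    """Build the create_control -> link_evidence -> track_status sequence.

    Assumption: control_id is the id the server returns for the new control;
    a real client would read it from the first response before continuing.
    """
    return [
        build_call("create_control", {"code": code, "title": title}),
        build_call("link_evidence", {"control_id": control_id, "title": evidence_title}),
        build_call("track_status", {"id": control_id, "status": status}),
    ]


if __name__ == "__main__":
    # Constructed sample values; the id is a placeholder, not a real record.
    for req in control_workflow("example", "Acme Corp", "CONTROL-ID-PLACEHOLDER",
                                "Access review export", "passing"):
        print(json.dumps(req))
```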