Data Model

Canonical entity shapes, CSV export/import columns, and the JSON Schema URLs third-party tooling can point at. Every row is scoped to a single Organization — the tenant.

Owner: Platform Team · Last reviewed: 2026-04-23

Scope

This page documents the entity shapes that matter to auditors and integrators: Control, Evidence, Policy, Vendor, and Incident, plus operational import schemas for Training and CRA Products. The field tables below are generated from the same schema that drives CSV export, CSV import, and the public JSON Schema endpoints — so what you see here is what the API emits and accepts, byte-for-byte.

For the full ERD (joins between these five plus audit logs, API keys, webhook endpoints, org membership, etc.) see the architecture page. For endpoint-level API reference see the API docs.

JSON Schema endpoints

Every export format has a JSON Schema (Draft 2020-12) published at a stable URL. Point AJV, OpenAPI tooling, or a custom validator at these:

  • GET /api/schema/controls — Control CSV rows
  • GET /api/schema/evidence — Evidence CSV rows
  • GET /api/schema/policies — Policy CSV rows
  • GET /api/schema/vendors — Vendor CSV rows
  • GET /api/schema/incidents — Incident CSV rows
  • GET /api/schema/training — Training import rows
  • GET /api/schema/cra-products — CRA product import rows

No auth required

The schema endpoints are public — they describe structure only, no tenant data. Safe to consume from automation that runs before any authentication flow.

Conventions

  • Enums are emitted as raw values. NOT_STARTED, not "Not Started". The raw value is the contract; UI labels are a separate concern.
  • Booleans as true / false — the parser also accepts Yes / No for compatibility with legacy exports.
  • Dates as ISO 8601 (YYYY-MM-DD or YYYY-MM-DDTHH:mm:ss.sssZ).
  • Arrays as pipe-separated strings: ISO27001|NIS2|GDPR.
  • Computed-on-export columns (counts, last-modified, derived status) are skipped on import — the server owns them.

Control

A compliance requirement from one or more frameworks (DORA, ISO 27001, NIS2, GDPR, CSSF, CRA). Every control has a status, an owner, and a due date; evidence and policies hang off it through join tables.

Export: GET /api/controls/export?format=csv · Import: POST /api/controls/import · Template: GET /api/controls/import/template · Schema: GET /api/schema/controls

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Code | string | required | Unique control code within the framework (e.g. DORA-GOV-001). |
| Customer Control ID | string | ignored | Tenant-specific customer control alias from Control Mapping Concierge. |
| Title | string | required | |
| Description | string | optional | |
| Framework | enum (6 values): DORA, ISO27001, NIS2, GDPR, CSSF22806, CRA | required | |
| Category | enum (17 values): ICT_RISK_MANAGEMENT, INCIDENT_MANAGEMENT, RESILIENCE_TESTING, THIRD_PARTY_RISK, INFORMATION_SHARING, GOVERNANCE, DATA_PROTECTION, DATA_SUBJECT_RIGHTS, DATA_PROCESSING, BREACH_NOTIFICATION, INTERNATIONAL_TRANSFERS, ICT_OPERATIONS, ICT_PROJECT_MANAGEMENT, ICT_OUTSOURCING, ACCESS_CONTROL, BUSINESS_CONTINUITY, INCIDENT_REPORTING | required | |
| Status | enum (5 values): NOT_STARTED, IN_PROGRESS, IMPLEMENTED, NEEDS_REVIEW, NON_COMPLIANT | required | |
| Priority | enum (4 values): LOW, MEDIUM, HIGH, CRITICAL | required | |
| Reference | string | optional | |
| Assigned To | string | optional | User ID or email of the assignee. Empty for unassigned. |
| Due Date | date | optional | |
| Completed At | date | ignored | Set automatically when status → IMPLEMENTED. |
| Applicable | boolean | required | |
| Justification | string | optional | |
| Evidence Notes | string | optional | |
| Evidence Count | number | ignored | Derived — count of linked ControlEvidence rows. |
| Evidence Status | string | ignored | Derived — 'Has Evidence' \| 'No Evidence'. |
| Last Modified | date | ignored | DB updatedAt — cannot be overwritten via import. |
| Library Version | string | optional | |
| Mapped To | stringArray | optional | Comma-separated control codes in other frameworks. |
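
An added example, not the platform's own code: a local pre-import linter for Control CSV rows that applies the Conventions list and the Control field table above, so that UI labels, non-ISO dates and server-owned columns are caught before a file is sent to POST /api/controls/import. The sample rows and the control codes in them are constructed; accepting only the exact boolean spellings listed on this page and splitting Mapped To on pipes (per the Conventions list) are assumptions.

```python
import csv, io, re
from datetime import datetime

# Rules transcribed from the Control field table and the Conventions list on this page.
ENUMS = {
    "Framework": "DORA ISO27001 NIS2 GDPR CSSF22806 CRA",
    "Category": "ICT_RISK_MANAGEMENT INCIDENT_MANAGEMENT RESILIENCE_TESTING THIRD_PARTY_RISK "
                "INFORMATION_SHARING GOVERNANCE DATA_PROTECTION DATA_SUBJECT_RIGHTS DATA_PROCESSING "
                "BREACH_NOTIFICATION INTERNATIONAL_TRANSFERS ICT_OPERATIONS ICT_PROJECT_MANAGEMENT "
                "ICT_OUTSOURCING ACCESS_CONTROL BUSINESS_CONTINUITY INCIDENT_REPORTING",
    "Status": "NOT_STARTED IN_PROGRESS IMPLEMENTED NEEDS_REVIEW NON_COMPLIANT",
    "Priority": "LOW MEDIUM HIGH CRITICAL",
}
REQUIRED = {"Code", "Title", "Framework", "Category", "Status", "Priority", "Applicable"}
IGNORED = {"Customer Control ID", "Completed At", "Evidence Count", "Evidence Status", "Last Modified"}
BOOLS = {"true": True, "false": False, "Yes": True, "No": False}

def valid_date(value):  # only the two ISO 8601 shapes listed above; impossible dates fail too
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "T" in value else "%Y-%m-%d"
    try:
        return bool(re.fullmatch(r"\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}\.\d{3}Z)?", value)) and bool(datetime.strptime(value, fmt))
    except ValueError:
        return False

def lint_control_row(row):
    """Return (payload, errors); payload has server-owned and empty columns removed."""
    payload = {k: v.strip() for k, v in row.items()
               if k not in IGNORED and isinstance(v, str) and v.strip()}
    errors = [f"{col}: required" for col in sorted(REQUIRED - set(payload))]
    for col, allowed in ENUMS.items():
        if col in payload and payload[col] not in allowed.split():
            errors.append(f"{col}: {payload[col]!r} is not a raw enum value")
    if "Applicable" in payload:
        if payload["Applicable"] not in BOOLS:
            errors.append(f"Applicable: {payload['Applicable']!r} is not a boolean")
        payload["Applicable"] = BOOLS.get(payload["Applicable"])  # None when unparseable
    if "Due Date" in payload and not valid_date(payload["Due Date"]):
        errors.append(f"Due Date: {payload['Due Date']!r} is not ISO 8601")
    if "Mapped To" in payload:  # assumption: the pipe-separated array convention applies here
        payload["Mapped To"] = payload["Mapped To"].split("|")
    return payload, errors

def lint_csv(text):
    return [lint_control_row(row) for row in csv.DictReader(io.StringIO(text))]

# Constructed sample: row 1 is clean; row 2 has no Title, a UI label, a bad boolean and date.
SAMPLE = """Code,Title,Framework,Category,Status,Priority,Applicable,Due Date,Evidence Count,Mapped To
DORA-GOV-001,Board oversight of ICT risk,DORA,GOVERNANCE,NOT_STARTED,HIGH,Yes,2026-06-30,3,ISO-5.1|NIS2-GOV-001
DORA-GOV-002,,DORA,GOVERNANCE,Not Started,HIGH,maybe,30/06/2026,0,
"""
```

Calling lint_csv(SAMPLE) returns one (payload, errors) pair per data row; a row is safe to submit only when its errors list is empty.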

Evidence

A file or artifact that demonstrates a control is being met. Scoped to the organization, optionally linked to a vendor, with an expiry date so auditors can see when the proof needs refreshing.

Export: GET /api/evidence/export?format=csv · Import: POST /api/evidence/import · Template: GET /api/evidence/import/template · Schema: GET /api/schema/evidence

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Name | string | required | |
| Control IDs | string | ignored | Linked control identifiers formatted according to the export control ID mode. |
| File Name | string | optional | |
| File Size | string | ignored | Human-readable size (e.g. '1.2 MB'). Set by the server. |
| Type | enum (13 values): CERTIFICATE, CONTRACT, POLICY, REPORT, AUDIT, CONSENT_RECORD, DPIA, ROPA, DPA, PRIVACY_NOTICE, DSR_LOG, BREACH_NOTIFICATION, OTHER | required | |
| Vendor Name | string | optional | |
| Description | string | optional | |
| Uploaded At | date | optional | |
| Uploaded By | string | optional | |
| Expires At | date | optional | |
| Status | string | ignored | Derived — 'Valid' \| 'Expiring Soon' \| 'Expired'. |

Policy

A governance document (policy, procedure, standard) with version, owner, and approval workflow. Distinguished from Evidence by having an internal content body the organization authors directly.

Export: GET /api/policies/export?format=csv · Import: POST /api/policies/import · Template: GET /api/policies/import/template · Schema: GET /api/schema/policies

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Name | string | required | |
| Type | enum (10 values): ICT_RISK_MANAGEMENT, THIRD_PARTY_RISK, INCIDENT_RESPONSE, BUSINESS_CONTINUITY, INFORMATION_SECURITY, ACCESS_CONTROL, CHANGE_MANAGEMENT, DATA_CLASSIFICATION, ENCRYPTION, CUSTOM | required | |
| Version | string | optional | |
| Version Number | number | optional | |
| Status | enum (4 values): DRAFT, IN_REVIEW, APPROVED, ARCHIVED | required | |
| Framework | enum (6 values): DORA, ISO27001, NIS2, GDPR, CSSF22806, CRA | optional | |
| DORA Articles | stringArray | optional | |
| Owner | string | optional | |
| Approved By | string | optional | |
| Approved At | date | optional | |
| Review Date | date | optional | |
| Next Review Date | date | optional | |
| Created At | date | ignored | |
| Updated At | date | ignored | |

Vendor

A third-party ICT service provider. Scored on criticality × risk level to feed the DORA register of ICT services and the concentration-risk dashboard.

Export: GET /api/vendors/export?format=csv · Import: POST /api/vendors/import · Template: GET /api/vendors/import/template · Schema: GET /api/schema/vendors

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Name | string | required | |
| Service | string | optional | |
| Category | string | optional | |
| Criticality | enum (4 values): CRITICAL, IMPORTANT, STANDARD, LOW | required | |
| Risk Score | number | optional | |
| Risk Level | enum (4 values): LOW, MEDIUM, HIGH, CRITICAL | required | |
| Data Access | enum (4 values): NONE, LIMITED, SIGNIFICANT, FULL | required | |
| Status | enum (4 values): ACTIVE, UNDER_REVIEW, PENDING, TERMINATED | required | |
| Country | string | optional | |
| Contact Name | string | optional | |
| Contact Email | string | optional | |
| ICT Provider | boolean | optional | |
| Cloud Provider | boolean | optional | |
| Substitutable | boolean | optional | |
| Contract Start | string | optional | |
| Contract End | string | optional | |
| ICT Outsourcing Type | string | optional | |
| DORA Article References | stringArray | optional | |

Incident

An operational event, tracked against DORA (major incident), NIS2 (24h early warning / 72h notification), and GDPR (Art. 33) deadlines.

Export: GET /api/incidents/export?format=csv · Import: POST /api/incidents/import · Template: GET /api/incidents/import/template · Schema: GET /api/schema/incidents

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Title | string | required | |
| Control IDs | string | ignored | Linked control identifiers formatted according to the export control ID mode. |
| Description | string | optional | |
| Severity | enum (4 values): LOW, MEDIUM, HIGH, CRITICAL | required | |
| Status | enum (5 values): OPEN, INVESTIGATING, CONTAINED, RESOLVED, CLOSED | required | |
| Category | string | optional | |
| Is Major | boolean | optional | |
| Detected At | date | required | |
| Resolved At | date | optional | |
| Reported to NCA | boolean | optional | |
| Reported At | date | optional | |
| Vendor Name | string | optional | Vendor name (server resolves to vendorId on import). |
| Impact Description | string | optional | |
| Affected Systems | stringArray | optional | Comma-separated list of system names. |
| Affected Users | number | optional | |
| Financial Impact | number | optional | |
| Root Cause | string | optional | |
| Remediation | string | optional | |
| Lessons Learned | string | optional | |

Training

A staff training and awareness record used to evidence DORA Art. 13, ISO 27001 A.6.3, and NIS2 governance expectations.

Export: not currently exposed for this operational import schema · Import: POST /api/training/import · Template: GET /api/training/import/template · Schema: GET /api/schema/training

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Employee Name | string | required | |
| Employee Email | string | optional | |
| Department | string | optional | |
| Role | string | optional | |
| Training Type | enum (9 values): SECURITY_AWARENESS, DORA_COMPLIANCE, GDPR_PRIVACY, NIS2_CYBERSECURITY, INCIDENT_RESPONSE, RISK_MANAGEMENT, BOARD_GOVERNANCE, TECHNICAL_SKILLS, OTHER | required | |
| Title | string | required | |
| Description | string | optional | |
| Provider | string | optional | |
| Completed At | date | optional | |
| Expires At | date | optional | |
| Status | enum (5 values): ASSIGNED, IN_PROGRESS, COMPLETED, EXPIRED, OVERDUE | required | |
| Score | number | optional | |
| Certificate URL | string | optional | |
| Framework Refs | stringArray | optional | |
| Notes | string | optional | |

CRA Product

A product-with-digital-elements registry row used to track CRA product classification, SBOM status, support dates, assessment status, and CE marking readiness.

Export: not currently exposed for this operational import schema · Import: POST /api/cra/products/import · Template: GET /api/cra/products/import/template · Schema: GET /api/schema/cra-products

| Column | Type | On import | Description |
| --- | --- | --- | --- |
| Product Name | string | required | |
| Version | string | optional | |
| Description | string | optional | |
| Category | enum (4 values): DEFAULT, IMPORTANT_CLASS_I, IMPORTANT_CLASS_II, CRITICAL | required | |
| Support Start Date | date | optional | |
| Support End Date | date | optional | |
| SBOM Generated | boolean | optional | |
| SBOM Format | string | optional | |
| SBOM URL | string | optional | |
| Security Assessment | enum (4 values): NOT_STARTED, IN_PROGRESS, PASSED, FAILED | required | |
| CE Marking | boolean | optional | |
| EU Declaration Compliant | boolean | optional | |