Compliance
Read the machine-readable sub-processor list and read or update per-project privacy preferences. One source of truth behind the published legal pages.
The compliance surface backs the published legal pages and the console privacy controls with a single source of truth: a machine-readable sub-processor list and per-project privacy preferences. Defaults are privacy-protective. See GDPR and CCPA.
All requests require a bearer API key. See authentication.
List sub-processors
GET /v2/compliance/sub-processors
Returns the canonical sub-processor list. It mirrors the published legal page, so any integration reads the same authoritative set.
curl https://api.zumik.ai/v2/compliance/sub-processors \
-H "Authorization: Bearer $ZUMIK_API_KEY"{
"object": "list",
"published_at": "2026-06-12",
"data": [
{
"name": "Stripe",
"purpose": "Billing, subscriptions, and payment processing",
"data_categories": ["account", "billing", "payment_metadata"],
"region": "us"
},
{
"name": "Cloudflare",
"purpose": "Edge TLS, WAF, DDoS protection, and CDN for all properties",
"data_categories": ["request_metadata", "ip_address"],
"region": "global_edge"
}
]
}objectstringAlways list.
published_atstringThe list's last review date.
dataarrayEach sub-processor with its name, purpose, data_categories, and region.
Read privacy preferences
GET /v2/compliance/privacy-preferences
Returns the project's privacy preferences, falling back to the protective defaults when none are set.
curl https://api.zumik.ai/v2/compliance/privacy-preferences \
-H "Authorization: Bearer $ZUMIK_API_KEY"{
"object": "privacy_preferences",
"project_id": "prj_01jy7n0a4c8m2t6v9q3wrxk7bd",
"do_not_sell": true,
"gpc_honored": true,
"analytics_consent": false,
"updated_at": "2026-06-15T16:42:30Z"
}objectstringAlways privacy_preferences.
project_idstringThe owning project.
do_not_sellbooleanAlways true. Zumik does not sell personal information regardless.
gpc_honoredbooleanAlways true. Global Privacy Control signals are honored at the edge.
analytics_consentbooleanOpt-in consent for non-essential analytics. Defaults to false.
updated_atstringRFC 3339 update timestamp.
Update privacy preferences
POST /v2/compliance/privacy-preferences
Updates the analytics-consent choice. The change is recorded in the audit log. do_not_sell is always honored and cannot be toggled off.
analytics_consentbooleantrue to opt into non-essential analytics, false to opt out. Defaults to false.
curl https://api.zumik.ai/v2/compliance/privacy-preferences \
-H "Authorization: Bearer $ZUMIK_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "analytics_consent": true }'Returns the updated preferences object.
Errors
| Status | Code | When |
|---|---|---|
| 401 | invalid_api_key | Missing or invalid API key. |
See the full table on errors.
SAML SSO
Configure an enterprise SAML connection and let your team sign in to the Zumik console through your identity provider, with signed-assertion verification, replay protection, and JIT provisioning.
Data rights
Export everything Zumik retains for a project, or request erasure. GDPR and CCPA data-subject rights, scoped strictly to the caller's project.