Compliance Score
pro
/v1/score/compliance
Calculates a composite compliance score (0-100) from 12 weighted components: cookie consent mechanism (16%), privacy policy presence and quality (15%), GDPR compliance signals (14%), terms of service (8%), CCPA/CPRA compliance (8%), security disclosure via security.txt (8%), contact/DPO information (8%), accessibility statement (6%), technical accessibility (5%), children's data protection (4%), cookie technical compliance (4%), and multi-state US privacy (4%). Returns a letter grade (A+ to F), detailed breakdown with per-component findings, and actionable recommendations for improving compliance posture across GDPR, CCPA, ePrivacy Directive, and accessibility requirements.
What It Does
Fetches the domain's main page and up to 5 sub-pages (privacy policy, terms, accessibility statement, contact, CCPA opt-out) plus /.well-known/security.txt. Detects consent management platforms (OneTrust, CookieBot, Quantcast, etc.), IAB TCF v2 API signals, and granular consent options. Analyzes privacy policy content for GDPR terms (data rights, legal basis, DPO, consent withdrawal, transfer mechanisms) and CCPA terms (California disclosures, right to know/delete). Parses security.txt per RFC 9116 for required fields. Detects accessibility statement with WCAG level references. Checks contact pages for physical address, email, and impressum compliance. Also evaluates technical accessibility via automated audit, children's data protection (COPPA, age gates), cookie security attributes, and multi-state US privacy signals (GPC, universal opt-out, AI disclosure).
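The security.txt part of that check can be reproduced locally before a scan. The following is an added example, not the service's own code: it tests the two fields RFC 9116 requires (Contact, and exactly one unexpired Expires), notes whether Policy is present, and detects an OpenPGP cleartext wrapper without verifying the signature. The function name and the sample file are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed security.txt for illustration
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security-policy
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER
-----END PGP SIGNATURE-----
"""

def check_security_txt(text, now=None):
    """Report RFC 9116 findings for one security.txt body."""
    now = now or datetime.now(timezone.utc)
    lines = text.strip().splitlines()
    signed = bool(lines) and lines[0].strip() == "-----BEGIN PGP SIGNED MESSAGE-----"
    if signed:
        # Skip armor headers such as "Hash:" up to the first blank line.
        blank = next((i for i, l in enumerate(lines) if not l.strip()), len(lines))
        lines = lines[blank + 1:]
    fields = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # everything after this is signature armor
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    findings = []
    if not fields.get("contact"):
        findings.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            # A naive timestamp raises TypeError on comparison and is rejected too.
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                findings.append("Expires is in the past")
        except (ValueError, TypeError):
            findings.append("Expires is not a valid RFC 3339 date-time")
    return {"signed_wrapper": signed, "has_policy": "policy" in fields,
            "findings": findings}
```

An expired or duplicated Expires field is the failure that tends to appear over time, so this check is worth running on a schedule rather than once.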
Why It's Useful
Global privacy regulations (GDPR, CCPA/CPRA, ePrivacy Directive) require specific disclosures, consent mechanisms, and contact information. A single compliance score lets you audit your own domains, track improvements over time, and demonstrate compliance readiness to stakeholders. Component breakdowns identify exactly which compliance areas need attention.
Use Cases
Self-Audit Before Launch
Run a compliance score check on your own domain before launching to new markets (EU, California). Identify missing privacy policy sections, absent cookie consent, or missing security.txt before regulatory exposure increases.
Catch compliance gaps before regulators or users flag them — avoid fines and reputational damage.
Continuous Compliance Monitoring
Schedule periodic compliance score checks via domain monitoring subscriptions. Get alerted when score drops — for example, when a CMS update removes the cookie consent banner or a deploy breaks the privacy policy page.
Detect compliance regressions immediately rather than during the next manual audit.
Vendor Privacy Assessment
Score vendor and partner domains for compliance signals as part of due diligence. A vendor without a privacy policy, cookie consent, or security.txt may pose data handling risks to your organization.
Quantify vendor compliance posture with a single metric for risk assessments and procurement decisions.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to calculate compliance score for (e.g., example.com). Example: edgedns.dev |
| verbose | string | Optional | Pass "true" to receive the full recommendation list. By default the response is capped at the top 15 highest-impact items (sorted by priority, estimated effort, and score gain); the remaining items are still counted in totalRecommendations, and recommendationsTruncated will be true. Example: true |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The scored domain |
| score | number | Composite compliance score 0-100 (weighted sum of 12 components) |
| grade | string | Letter grade: A+ (95-100), A (85-94), B (70-84), C (50-69), D (30-49), F (0-29) |
| gradeDescription | string | Human-readable grade description (e.g., "Good - adequate with room for improvement") |
| breakdown | object | Per-component scores with score, max, and details for each of the 12 compliance factors |
| breakdown.cookieConsent | object | Cookie consent mechanism: CMP detection, IAB TCF, granular options, reject-all (max 16 pts) |
| breakdown.privacyPolicy | object | Privacy policy presence, word count, GDPR/CCPA terms, contact info (max 15 pts) |
| breakdown.gdpr | object | GDPR signals: data rights, legal basis, DPO, consent withdrawal, transfer mechanism (max 14 pts) |
| breakdown.termsOfService | object | Terms of service presence and document quality (max 8 pts) |
| breakdown.ccpa | object | CCPA/CPRA: Do Not Sell link, opt-out, California disclosures (max 8 pts) |
| breakdown.securityDisclosure | object | security.txt per RFC 9116: Contact, Expires, Policy, PGP signing (max 8 pts) |
| breakdown.contactInfo | object | Contact page, physical address, email, impressum (max 8 pts) |
| breakdown.accessibilityStatement | object | Accessibility statement with WCAG level and contact info (max 6 pts) |
| breakdown.technicalAccessibility | object | Technical accessibility from automated WCAG audit score (max 5 pts) |
| breakdown.childrenProtection | object | Children's data protection: COPPA notice, age gate, parental consent (max 4 pts) |
| breakdown.cookieTechnical | object | Cookie security: Secure flag, SameSite, third-party count, cookie wall penalty (max 4 pts) |
| breakdown.multiStatePrivacy | object | Multi-state US privacy: GPC support, universal opt-out, state references, AI disclosure (max 4 pts) |
| recommendations | array | Prioritized list of actionable compliance improvements. Each item carries priority (critical/high/medium/low), component, issue, regulation citation, action, estimatedEffort (minutes/hours/days), and approximate scoreGain points. Capped at the top 15 by default; pass ?verbose=true to receive the full list. |
| totalRecommendations | number | Total number of recommendations generated before any cap (so you can tell how many were trimmed when recommendationsTruncated is true). |
| recommendationsTruncated | boolean | True when the recommendations array was capped to the top 15 highest-impact items. Pass ?verbose=true to retrieve the full list. |
| componentCount | number | Number of compliance components evaluated (12) |
| partialFailure | boolean | True when any required sub-page fetch failed. The grade is still meaningful: components that could not be evaluated are excluded from the score rather than counted as zero. |
| failedComponents | array | Human-readable names of sub-fetches that failed (e.g., "privacy policy", "terms of service") for debugging and confidence reporting. |
| excludedComponents | array | Component keys (e.g., "privacyPolicy", "gdpr") that were marked notApplicable because their required sub-fetch failed, and therefore are excluded from both the numerator and the denominator of the score. A slow origin no longer drags the grade to F. |
| confidence | object | Result confidence indicator: level (high/medium/low) and limitations list |
| discoveryMetadata | object | URL discovery debugging metadata: urlsDiscovered (per-type), cmsDetected (platform or null), sitemapFound (boolean) |
| methodology | object | Methodology metadata: version (e.g., "2026.05"), docsUrl, and per-component weight rationale. Lets callers detect when scoring has shifted between versions and explain "why did my grade change?" without guessing. |
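To show how excludedComponents, partialFailure and methodology.version change the way a result should be read, here is an added example (not the service's code) that renormalizes a breakdown over the components that were actually evaluated and compares it with a stored baseline. Integer rounding, the function names and all sample values are assumptions constructed for illustration; only the field names, maxima and grade bands come from the table above.

```python
# Component maxima from the breakdown.* rows above; they sum to 100.
MAX = {"cookieConsent": 16, "privacyPolicy": 15, "gdpr": 14, "termsOfService": 8,
       "ccpa": 8, "securityDisclosure": 8, "contactInfo": 8,
       "accessibilityStatement": 6, "technicalAccessibility": 5,
       "childrenProtection": 4, "cookieTechnical": 4, "multiStatePrivacy": 4}
GRADES = [(95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F")]

def grade_for(score):
    return next(g for floor, g in GRADES if score >= floor)

def recompute(resp):
    """Renormalize over evaluated components (rounding is an assumption)."""
    skip = set(resp.get("excludedComponents", []))
    parts = [c for k, c in resp["breakdown"].items() if k not in skip]
    possible = sum(c["max"] for c in parts)
    score = round(100 * sum(c["score"] for c in parts) / possible) if possible else 0
    return score, grade_for(score)

def review(resp, baseline=None):
    """Attach caveats a monitoring job should surface next to the grade."""
    score, grade = recompute(resp)
    notes = []
    if resp.get("partialFailure"):
        notes.append("not evaluated: " + ", ".join(resp.get("failedComponents", [])))
    if baseline:
        if baseline["methodology"]["version"] != resp["methodology"]["version"]:
            notes.append("methodology version changed; delta not comparable")
        elif score < baseline["score"]:
            notes.append(f"regression: {baseline['score']} -> {score}")
    return {"score": score, "grade": grade, "notes": notes}

def sample(scores, excluded=(), failed=(), version="2026.05"):
    """Build a constructed response using only fields documented above."""
    resp = {"breakdown": {k: {"score": scores.get(k, 0), "max": m} for k, m in MAX.items()},
            "excludedComponents": list(excluded), "failedComponents": list(failed),
            "partialFailure": bool(failed), "methodology": {"version": version}}
    resp["score"] = recompute(resp)[0]
    return resp

# Constructed scan: the privacy policy fetch failed, so two components are excluded.
SCORES = {"cookieConsent": 12, "termsOfService": 8, "ccpa": 4, "securityDisclosure": 6,
          "contactInfo": 8, "accessibilityStatement": 3, "technicalAccessibility": 4,
          "childrenProtection": 2, "cookieTechnical": 3, "multiStatePrivacy": 1}
PARTIAL = sample(SCORES, excluded=("privacyPolicy", "gdpr"), failed=("privacy policy",))
```

With these constructed values the partial scan scores 51 of 71 evaluated points (72, grade B); counting the two unevaluated components as zero would give 51 (grade C).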
Code Examples
```bash
# -G sends the -d data as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/score/compliance" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=edgedns.dev"
```

```javascript
// Top-level await requires an ES module or an async function.
const response = await fetch(
  'https://api.edgedns.dev/v1/score/compliance?domain=edgedns.dev',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# The domain is passed as a query parameter on a GET request.
response = requests.get(
    'https://api.edgedns.dev/v1/score/compliance',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'edgedns.dev'
    }
)
data = response.json()
print(data)
```