Policies

A policy is a document that outlines an organization’s commitment to following standards relevant to its operations. The help docs have more information.

List Policies

List published Policies matching the provided filters.

🔒 Requires Policies: List Policies permission.

Securitybearer
Request
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (PolicyListExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "groups" "weekTimeFrameSlas" "gracePeriodSlas" "p3MatrixSlas" "owner"
name
string <= 191 characters

Filter Policies by name (partial match)

Example: name=Data Protection Policy
statuses[]
Array of strings (PolicyStatusEnum)

Filter Policies by one or more statuses

Items Enum: "ACTIVE" "ARCHIVED" "REPLACED" "UNACCEPTABLE" "OUTDATED"
reviewerUserId
string

Filter Policies by a reviewer. A Drata integer ID, an email address of the form 'email:value', or 'me' to reference the authenticated user. Note: 'me' is only available when authenticating with OAuth 2.1 Authorization Code grant, not with Public API Keys.

Example: reviewerUserId=me
reviewerStatus[]
Array of strings (ReviewStatusEnum)

Filter Policies by the reviewer's review status on an active approval. Typically used with reviewerUserId.

Items Enum: "READY_FOR_REVIEW" "APPROVED" "CHANGES_REQUESTED" "DEADLINE_EXCEEDED"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/policies
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "id": 1,
      • "name": "Acceptable Use Policy",
      • "description": "This policy covers acceptable use of company resources.",
      • "disclaimer": "This policy is subject to change.",
      • "scope": "ALL",
      • "notifyGroups": false,
      • "status": "ACTIVE",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "currentVersionId": 2,
      • "version": "1",
      • "subVersion": "0",
      • "renewalDate": "2025-07-01T16:45:55.246Z",
      • "publishedAt": "2025-07-01T16:45:55.246Z",
      • "approvedAt": "2025-07-01T16:45:55.246Z",
      • "owner": {
        • "id": 1,
        • "email": "[email protected]",
        • "firstName": "Sally",
        • "lastName": "Smith",
        • "createdAt": "2025-07-01T16:45:55.246Z",
        • "updatedAt": "2025-07-01T16:45:55.246Z"
        },
      • "groups": [
        • {
          • "id": 1,
          • "name": "Engineering Team",
          • "externalId": "external-group-123",
          • "source": "GOOGLE",
          • "connectionId": 1,
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "controls": [
        • {
          • "id": 1,
          • "code": "AC-1",
          • "name": "Access Control",
          • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
          • "isReady": true,
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "weekTimeFrameSlas": [
        • {
          • "id": 1,
          • "timeFrame": "1",
          • "label": "Weekly Review",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "gracePeriodSlas": [
        • {
          • "id": 1,
          • "label": "Grace Period Review",
          • "gracePeriod": "1",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "p3MatrixSlas": [
        • {
          • "id": 1,
          • "label": "P3 Matrix Review",
          • "timeFrame": "1",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ]
      }
    ],
  • "pagination": {
    • "cursor": "string",
    • "totalCount": 0
    }
}
Create Policy
Create a new Policy with an initial draft version. Supports file upload (UPLOADED) or an existing external file reference (EXTERNAL).


🔒 Requires policies-post permission.


Securitybearer 
Request 
Request Body schema: 
required
name
required
string  <= 191 characters 
Human-readable policy title shown in Drata


 
ownerId
required
number
User ID assigned as the owner of this policy


 
sourceType
required
string
Determines how policy content is sourced. UPLOADED requires a file attachment; EXTERNAL requires externalFileId.


 Enum: "UPLOADED" "EXTERNAL"  
renewalDate
required
string <date> 
Date when the policy is next due for review/renewal. Must be today or a future date.


 
description
required
string  <= 30000 characters 
Short description of the policy purpose


 
disclaimer
string  <= 1000 characters 
Legal disclaimer text shown with the Policy


 
externalFileId
number
ID of an existing external file record in Drata. Required when sourceType is EXTERNAL. Must belong to the caller's tenant.


 
fileName
string  <= 191 characters 
Friendly file name for display in the UI


 
file
string <binary> 
Policy file. Required when sourceType is UPLOADED. Accepted file extensions: .pdf, .docx, .odt, .doc, .xlsx, .ods, .pptx, .odp, .gif, .jpg, .jpeg, .png, .json, .csv, .md, .markdown, .txt, .html, .log, .zip, .msg, .mp4


 
requiresAcknowledgement
boolean
Whether this policy requires user acknowledgement once published


 
assignedTo
string
Assignment mode for policy acknowledgement


 Enum: "ALL" "GROUP" "NONE"  
groupIds
Array of numbers  non-empty 
IDs of groups who must acknowledge the policy. Required when assignedTo is GROUP.


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/policies
Request samples 
No sample
Response samples 
application/json
{
  • "id": 99,
  • "name": "Data Backup Policy",
  • "description": null,
  • "ownerId": 42,
  • "status": "ACTIVE",
  • "requiresAcknowledgement": true,
  • "assignedTo": "ALL",
  • "renewalDate": "2020-07-06",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "latestVersion": {
    • "id": 201,
    • "version": 1,
    • "subVersion": 0,
    • "status": "DRAFT",
    • "sourceType": "UPLOADED",
    • "externalFileId": null,
    • "fileName": "data-backup-policy.pdf",
    • "createdAt": "2025-07-01T16:45:55.246Z"
    }
}
Get Policy
Get a specific published Policy.


🔒 Requires Policies: List Policies permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
query Parameters
expand[]
Array of strings (PolicyExpandEnum) 
List of subcollections and sub-objects to expand


Items Enum: "groups" "controls" "weekTimeFrameSlas" "gracePeriodSlas" "p3MatrixSlas" "owner"  
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/policies/{policyId}
Request samples 
Response samples 
application/json
{
  • "id": 1,
  • "name": "Acceptable Use Policy",
  • "description": "This policy covers acceptable use of company resources.",
  • "disclaimer": "This policy is subject to change.",
  • "scope": "ALL",
  • "notifyGroups": false,
  • "status": "ACTIVE",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "currentVersionId": 2,
  • "version": "1",
  • "subVersion": "0",
  • "renewalDate": "2025-07-01T16:45:55.246Z",
  • "publishedAt": "2025-07-01T16:45:55.246Z",
  • "approvedAt": "2025-07-01T16:45:55.246Z",
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "groups": [
    • {
      • "id": 1,
      • "name": "Engineering Team",
      • "externalId": "external-group-123",
      • "source": "GOOGLE",
      • "connectionId": 1,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "controls": [
    • {
      • "id": 1,
      • "code": "AC-1",
      • "name": "Access Control",
      • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
      • "isReady": true,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "weekTimeFrameSlas": [
    • {
      • "id": 1,
      • "timeFrame": "1",
      • "label": "Weekly Review",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "gracePeriodSlas": [
    • {
      • "id": 1,
      • "label": "Grace Period Review",
      • "gracePeriod": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "p3MatrixSlas": [
    • {
      • "id": 1,
      • "label": "P3 Matrix Review",
      • "timeFrame": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ]
}
Modify Policy
🔒 Requires Policies: Modify Policy permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Request Body schema: application/json
required
name
string  <= 191 characters 
Policy name. Only updatable for custom policies. Drata template policies return 400.


 
description
string  <= 30000 characters 
Policy description.


 
disclaimer
string or null  <= 1000 characters 
Legal disclaimer text. Pass null to clear.


 
renewalDate
string
Policy renewal date. Mutually exclusive with renewalSchedule.


 
renewalSchedule
string
Renewal schedule type. Auto-computes renewalDate as today + N months. Mutually exclusive with renewalDate.


 Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR"  
assignedTo
string
Personnel assignment scope.


 Enum: "ALL" "GROUP" "NONE"  
groupIds
Array of numbers  non-empty  unique 
Fully replaces existing group assignments. Required when assignedTo=GROUP. Must not be set when assignedTo is not GROUP. Must contain at least one valid group ID.


 
notifyGroups
boolean
Notify group members of this Policy. Only valid when assignedTo=GROUP, defaults to false if not provided.


 
controlIds
Array of numbers
Fully replaces existing control assignments. Pass an empty array to remove all.


 
Responses 
200
Successful


204
No Content


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


put/policies/{policyId}
Request samples 
application/json
{
  • "name": "My Custom Policy",
  • "description": "This policy covers data backup procedures.",
  • "disclaimer": "This policy is subject to change.",
  • "renewalDate": "2020-07-06",
  • "renewalSchedule": "ONE_YEAR",
  • "assignedTo": "GROUP",
  • "groupIds": [
    • 1,
    • 2,
    • 3
    ],
  • "notifyGroups": true,
  • "controlIds": [
    • 10,
    • 20,
    • 30
    ]
}
Response samples 
application/json
{
  • "id": 1,
  • "name": "Acceptable Use Policy",
  • "description": "This policy covers acceptable use of company resources.",
  • "disclaimer": "This policy is subject to change.",
  • "scope": "ALL",
  • "notifyGroups": false,
  • "status": "ACTIVE",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "currentVersionId": 2,
  • "version": "1",
  • "subVersion": "0",
  • "renewalDate": "2025-07-01T16:45:55.246Z",
  • "publishedAt": "2025-07-01T16:45:55.246Z",
  • "approvedAt": "2025-07-01T16:45:55.246Z",
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "groups": [
    • {
      • "id": 1,
      • "name": "Engineering Team",
      • "externalId": "external-group-123",
      • "source": "GOOGLE",
      • "connectionId": 1,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "controls": [
    • {
      • "id": 1,
      • "code": "AC-1",
      • "name": "Access Control",
      • "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n                 predetermined criteria. Incidents are escalated per policy.",
      • "isReady": true,
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "weekTimeFrameSlas": [
    • {
      • "id": 1,
      • "timeFrame": "1",
      • "label": "Weekly Review",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "gracePeriodSlas": [
    • {
      • "id": 1,
      • "label": "Grace Period Review",
      • "gracePeriod": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "p3MatrixSlas": [
    • {
      • "id": 1,
      • "label": "P3 Matrix Review",
      • "timeFrame": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ]
}
Assign Policy Owner
🔒 Requires Policies: Assign Policy Owner permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Request Body schema: application/json
required
userId
required
number  >= 1 
ID of the user to assign as the policy owner. The user must have one of the following roles: Admin, Tech/Gov, Workspace Administrator, Policy Manager, or Control Manager.


 
Responses 
204
No Content


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


put/policies/{policyId}/owner
Request samples 
application/json
{
  • "userId": 42
}
Response samples 
application/json
{
  • "name": "string",
  • "statusCode": 0,
  • "message": "string",
  • "code": 0,
  • "debugInfo": {
    • "name": "string",
    • "message": "string",
    • "stack": "string"
    }
}
Get Policy Approval Configuration
🔒 Requires Policies: Get Policy Approval Configuration permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Responses 
200
Successful


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/policies/{policyId}/approval-configuration
Request samples 
Response samples 
application/json
{
  • "reviewGroups": [
    • {
      • "name": "Legal Review",
      • "tier": 1,
      • "consensusRule": "ALL",
      • "timeline": 7,
      • "approvers": [
        • {
          • "id": 1,
          • "email": "[email protected]",
          • "firstName": "Sally",
          • "lastName": "Smith",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ]
      }
    ]
}
Add Review Group Configuration
Appends a new review group configuration (tier) to the end of the approval sequence. Other tiers are not affected. Maximum of 6 tiers per policy.


🔒 Requires Policies: Add Policy Review Group Configuration permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Request Body schema: application/json
required
name
required
string
Name of this approval tier.


 
userIds
required
Array of numbers  non-empty 
Approver user IDs for this tier.


 
consensusRule
required
string
Voting rule for this tier. ALL requires every approver to approve; ONE_OF requires any one approver.


 Enum: "ALL" "ONE_OF"  
timeline
required
number  >= 1 
Number of days allowed to complete this approval tier.


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/policies/{policyId}/approval-configuration
Request samples 
application/json
{
  • "name": "Legal Review",
  • "userIds": [
    • 12,
    • 34
    ],
  • "consensusRule": "ALL",
  • "timeline": 7
}
Response samples 
application/json
{
  • "name": "Legal Review",
  • "tier": 1,
  • "consensusRule": "ALL",
  • "timeline": 7,
  • "approvers": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ]
}
Update Review Group Configuration
Updates a single review group configuration by its tier position (1-based). Other tiers are not affected. Returns 404 if the tier does not exist.


🔒 Requires Policies: Update Policy Review Group Configuration permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
approvalConfigurationTier
required
number
 
Request Body schema: application/json
required
name
required
string
Name of this approval tier.


 
userIds
required
Array of numbers  non-empty 
Approver user IDs for this tier.


 
consensusRule
required
string
Voting rule for this tier. ALL requires every approver to approve; ONE_OF requires any one approver.


 Enum: "ALL" "ONE_OF"  
timeline
required
number  >= 1 
Number of days allowed to complete this approval tier.


 
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


put/policies/{policyId}/approval-configuration/{approvalConfigurationTier}
Request samples 
application/json
{
  • "name": "Legal Review",
  • "userIds": [
    • 12,
    • 34
    ],
  • "consensusRule": "ALL",
  • "timeline": 7
}
Response samples 
application/json
{
  • "name": "Legal Review",
  • "tier": 1,
  • "consensusRule": "ALL",
  • "timeline": 7,
  • "approvers": [
    • {
      • "id": 1,
      • "email": "[email protected]",
      • "firstName": "Sally",
      • "lastName": "Smith",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ]
}
Remove Review Group Configuration
Removes a single review group configuration (tier) by its tier position (1-based). Remaining tiers are renumbered to remain contiguous. Returns 404 if the tier does not exist; returns 400 if removing it would leave zero tiers.


🔒 Requires Policies: Remove Policy Review Group Configuration permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
approvalConfigurationTier
required
number
 
Responses 
204
No Content


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


delete/policies/{policyId}/approval-configuration/{approvalConfigurationTier}
Request samples 
Response samples 
application/json
{
  • "name": "string",
  • "statusCode": 0,
  • "message": "string",
  • "code": 0,
  • "debugInfo": {
    • "name": "string",
    • "message": "string",
    • "stack": "string"
    }
}
List Policy Actions
List available actions the authenticated user can perform on this Policy based on its current state.


🔒 Requires Policies: Submit Policy for Approval, Policies: Override Approve Policy, Policies: Publish Policy, Policies: Discard Policy, Policies: Reset Policy to Template permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/policies/{policyId}/actions
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "action": "SubmitForApproval",
      • "label": "Submit for Approval",
      • "description": "Submit this Policy Version for approval review",
      • "payloadSchema": [
        • {
          • "name": "reason",
          • "type": "string",
          • "required": true,
          • "description": "Reason for requesting changes"
          }
        ]
      }
    ]
}
Perform Policy Action
Execute an action on a Policy (e.g., submit for approval, approve, request changes, publish, discard).


🔒 Requires Policies: Submit Policy for Approval, Policies: Override Approve Policy, Policies: Publish Policy, Policies: Discard Policy, Policies: Reset Policy to Template permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
Request Body schema: application/json
required
action
required
string
The action to perform on the Policy


 Enum: "SubmitForApproval" "Approve" "RequestChanges" "OverrideApprove" "Publish" "Discard" "ResetToTemplate"  
reason
string
Required when action is RequestChanges. The reason for requesting changes.


 
overrideReason
string
Required when action is OverrideApprove. The reason for overriding approval.


 
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/policies/{policyId}/actions
Request samples 
application/json
{
  • "action": "SubmitForApproval",
  • "reason": "string",
  • "overrideReason": "string"
}
Response samples 
application/json
{
  • "success": true,
  • "newStatus": "NEEDS_APPROVAL",
  • "message": "Policy submitted for approval"
}
List Policy Versions
List Policy Versions for a specific Policy matching the provided filters.


🔒 Requires Policies: List Policies permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
query Parameters
cursor
string
This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results


 
size
number  [ 1 .. 500 ] 
 Default:  50
Number of results to return


 
sort
string (SortTypeLimitedEnum) 
Which field to sort by


 Enum: "createdAt" "updatedAt"  
sortDir
string (SortDirectionEnum) 
The direction to sort the data


 Enum: "ASC" "DESC"  
includeTotalCount
boolean
 Default:  false
Include total count of all matching records in response. Only honored on first page (when cursor is null).


 
 Example:  includeTotalCount=false
expand[]
Array of strings (PolicyVersionExpandEnum) 
List of subcollections and sub-objects to expand


Items Enum: "owner" "weekTimeFrameSlas" "p3MatrixSlas" "gracePeriodSlas" "downloadUrl" "downloadPdfUrl"  
version
number
Filter Policy Versions by version number


 
 Example:  version=1
current
boolean
Filter to only current Policy Versions


 
statuses[]
Array of strings (PolicyVersionStatusEnum) 
Filter Policy Versions by status


Items Enum: "NEEDS_APPROVAL" "APPROVED" "PUBLISHED" "DRAFT" "DISCARDED"  
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/policies/{policyId}/policy-versions
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "id": 1,
      • "approvedAt": "2025-07-01T16:45:55.246Z",
      • "changeSummary": "string",
      • "changesExplanation": "string",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "current": true,
      • "description": "string",
      • "policyVersionStatus": "PUBLISHED",
      • "publishedAt": "2025-07-01T16:45:55.246Z",
      • "renewalDate": "2020-07-06",
      • "subVersion": 0,
      • "type": "BUILDER",
      • "updatedAt": "2025-07-01T16:45:55.246Z",
      • "version": 1,
      • "gracePeriodSlas": [
        • {
          • "id": 1,
          • "label": "Grace Period Review",
          • "gracePeriod": "1",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "owner": {
        • "id": 1,
        • "email": "[email protected]",
        • "firstName": "Sally",
        • "lastName": "Smith",
        • "createdAt": "2025-07-01T16:45:55.246Z",
        • "updatedAt": "2025-07-01T16:45:55.246Z"
        },
      • "p3MatrixSlas": [
        • {
          • "id": 1,
          • "label": "P3 Matrix Review",
          • "timeFrame": "1",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "policy": {
        • "id": 1,
        • "name": "Acceptable Use Policy",
        • "description": "string",
        • "createdAt": "2025-07-01T16:45:55.246Z",
        • "updatedAt": "2025-07-01T16:45:55.246Z",
        • "assignedTo": "ALL",
        • "policyStatus": "ACTIVE",
        • "renewalDate": "2025-07-01T16:45:55.246Z"
        },
      • "requiresAcknowledgment": true,
      • "weekTimeFrameSlas": [
        • {
          • "id": 1,
          • "timeFrame": "1",
          • "label": "Weekly Review",
          • "createdAt": "2025-07-01T16:45:55.246Z",
          • "updatedAt": "2025-07-01T16:45:55.246Z"
          }
        ],
      • "downloadUrl": "https://s3.amazonaws.com/bucket/file.pdf?signature=...",
      • "downloadPdfUrl": "https://s3.amazonaws.com/bucket/file.pdf?signature=..."
      }
    ],
  • "pagination": {
    • "cursor": "string",
    • "totalCount": 0
    }
}
Get Policy Version
Get a specific Policy Version. Returns policy version details (default) or policy version HTML content based on Accept header.


🔒 Requires Policies: List Policies permission.


Securitybearer 
Request 
path Parameters
policyId
required
number
 
policyVersionId
required
number
 
query Parameters
expand[]
Array of strings (PolicyVersionExpandEnum) 
List of subcollections and sub-objects to expand


Items Enum: "owner" "weekTimeFrameSlas" "p3MatrixSlas" "gracePeriodSlas" "downloadUrl" "downloadPdfUrl"  
Responses 
200
Successful


get/policies/{policyId}/policy-versions/{policyVersionId}
Request samples 
Response samples 
{
  • "id": 1,
  • "approvedAt": "2025-07-01T16:45:55.246Z",
  • "changeSummary": "string",
  • "changesExplanation": "string",
  • "createdAt": "2025-07-01T16:45:55.246Z",
  • "current": true,
  • "description": "string",
  • "policyVersionStatus": "PUBLISHED",
  • "publishedAt": "2025-07-01T16:45:55.246Z",
  • "renewalDate": "2020-07-06",
  • "subVersion": 0,
  • "type": "BUILDER",
  • "updatedAt": "2025-07-01T16:45:55.246Z",
  • "version": 1,
  • "gracePeriodSlas": [
    • {
      • "id": 1,
      • "label": "Grace Period Review",
      • "gracePeriod": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "owner": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "p3MatrixSlas": [
    • {
      • "id": 1,
      • "label": "P3 Matrix Review",
      • "timeFrame": "1",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "policy": {
    • "id": 1,
    • "name": "Acceptable Use Policy",
    • "description": "string",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z",
    • "assignedTo": "ALL",
    • "policyStatus": "ACTIVE",
    • "renewalDate": "2025-07-01T16:45:55.246Z"
    },
  • "requiresAcknowledgment": true,
  • "weekTimeFrameSlas": [
    • {
      • "id": 1,
      • "timeFrame": "1",
      • "label": "Weekly Review",
      • "createdAt": "2025-07-01T16:45:55.246Z",
      • "updatedAt": "2025-07-01T16:45:55.246Z"
      }
    ],
  • "downloadUrl": "https://s3.amazonaws.com/bucket/file.pdf?signature=...",
  • "downloadPdfUrl": "https://s3.amazonaws.com/bucket/file.pdf?signature=..."
}