Policies

A policy is a document that outlines an organization’s commitment to following standards relevant to its operations. The help docs have more information.

List Policies

List published Policies matching the provided filters.

🔒 Requires Policies: List Policies permission.

Security: bearer
Request
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results.

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt" "name"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (PolicyListExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "groups" "weekTimeFrameSlas" "gracePeriodSlas" "p3MatrixSlas" "owner"
name
string <= 191 characters

Filter Policies by name (partial match)

Example: name=Data Protection Policy
statuses[]
Array of strings (PolicyStatusEnum)

Filter Policies by one or more statuses

Items Enum: "ACTIVE" "ARCHIVED" "REPLACED" "UNACCEPTABLE" "OUTDATED"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /policies
Response sample (application/json)
{
  "data": [
    {
      "id": 1,
      "name": "Acceptable Use Policy",
      "description": "This policy covers acceptable use of company resources.",
      "disclaimer": "This policy is subject to change.",
      "scope": "ALL",
      "notifyGroups": false,
      "status": "ACTIVE",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "currentVersionId": 2,
      "version": "1",
      "subVersion": "0",
      "renewalDate": "2025-07-01T16:45:55.246Z",
      "publishedAt": "2025-07-01T16:45:55.246Z",
      "approvedAt": "2025-07-01T16:45:55.246Z",
      "owner": {
        "id": 1,
        "email": "[email protected]",
        "firstName": "Sally",
        "lastName": "Smith",
        "createdAt": "2025-07-01T16:45:55.246Z",
        "updatedAt": "2025-07-01T16:45:55.246Z"
      },
      "groups": [
        {
          "id": 1,
          "name": "Engineering Team",
          "externalId": "external-group-123",
          "source": "GOOGLE",
          "connectionId": 1,
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "controls": [
        {
          "id": 1,
          "code": "AC-1",
          "name": "Access Control",
          "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
          "isReady": true,
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "weekTimeFrameSlas": [
        {
          "id": 1,
          "timeFrame": "1",
          "label": "Weekly Review",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "gracePeriodSlas": [
        {
          "id": 1,
          "label": "Grace Period Review",
          "gracePeriod": "1",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "p3MatrixSlas": [
        {
          "id": 1,
          "label": "P3 Matrix Review",
          "timeFrame": "1",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ]
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}

Get Policy

Get a specific published Policy.

🔒 Requires Policies: List Policies permission.

Security: bearer
Request
path Parameters
policyId
required
number
query Parameters
expand[]
Array of strings (PolicyExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "groups" "controls" "weekTimeFrameSlas" "gracePeriodSlas" "p3MatrixSlas" "owner"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /policies/{policyId}
Response sample (application/json)
{
  "id": 1,
  "name": "Acceptable Use Policy",
  "description": "This policy covers acceptable use of company resources.",
  "disclaimer": "This policy is subject to change.",
  "scope": "ALL",
  "notifyGroups": false,
  "status": "ACTIVE",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "currentVersionId": 2,
  "version": "1",
  "subVersion": "0",
  "renewalDate": "2025-07-01T16:45:55.246Z",
  "publishedAt": "2025-07-01T16:45:55.246Z",
  "approvedAt": "2025-07-01T16:45:55.246Z",
  "owner": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  },
  "groups": [
    {
      "id": 1,
      "name": "Engineering Team",
      "externalId": "external-group-123",
      "source": "GOOGLE",
      "connectionId": 1,
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "controls": [
    {
      "id": 1,
      "code": "AC-1",
      "name": "Access Control",
      "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
      "isReady": true,
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "weekTimeFrameSlas": [
    {
      "id": 1,
      "timeFrame": "1",
      "label": "Weekly Review",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "gracePeriodSlas": [
    {
      "id": 1,
      "label": "Grace Period Review",
      "gracePeriod": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "p3MatrixSlas": [
    {
      "id": 1,
      "label": "P3 Matrix Review",
      "timeFrame": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ]
}

Modify Policy

🔒 Requires Policies: Modify Policy permission.

Security: bearer
Request
path Parameters
policyId
required
number
Request Body schema: application/json
required
name
string <= 191 characters

Policy name. Only updatable for custom policies. Drata template policies return 400.

description
string <= 30000 characters

Policy description.

disclaimer
string or null <= 1000 characters

Legal disclaimer text. Pass null to clear.

renewalDate
string

Policy renewal date. Mutually exclusive with renewalSchedule.

renewalSchedule
string

Renewal schedule type. Auto-computes renewalDate as today + N months. Mutually exclusive with renewalDate.

Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR"
assignedTo
string

Personnel assignment scope.

Enum: "ALL" "GROUP" "NONE"
groupIds
Array of numbers non-empty unique

Fully replaces existing group assignments. Required when assignedTo=GROUP. Must not be set when assignedTo is not GROUP. Must contain at least one valid group ID.

notifyGroups
boolean

Notify group members of this Policy. Only valid when assignedTo=GROUP, defaults to false if not provided.

controlIds
Array of numbers

Fully replaces existing control assignments. Pass an empty array to remove all.

Responses
200

Successful

204

No Content

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

PUT /policies/{policyId}
Request sample (application/json)
{
  "name": "My Custom Policy",
  "description": "This policy covers data backup procedures.",
  "disclaimer": "This policy is subject to change.",
  "renewalDate": "2020-07-06",
  "renewalSchedule": "ONE_YEAR",
  "assignedTo": "GROUP",
  "groupIds": [
    1,
    2,
    3
  ],
  "notifyGroups": true,
  "controlIds": [
    10,
    20,
    30
  ]
}
Response sample (application/json)
{
  "id": 1,
  "name": "Acceptable Use Policy",
  "description": "This policy covers acceptable use of company resources.",
  "disclaimer": "This policy is subject to change.",
  "scope": "ALL",
  "notifyGroups": false,
  "status": "ACTIVE",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "currentVersionId": 2,
  "version": "1",
  "subVersion": "0",
  "renewalDate": "2025-07-01T16:45:55.246Z",
  "publishedAt": "2025-07-01T16:45:55.246Z",
  "approvedAt": "2025-07-01T16:45:55.246Z",
  "owner": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  },
  "groups": [
    {
      "id": 1,
      "name": "Engineering Team",
      "externalId": "external-group-123",
      "source": "GOOGLE",
      "connectionId": 1,
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "controls": [
    {
      "id": 1,
      "code": "AC-1",
      "name": "Access Control",
      "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
      "isReady": true,
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "weekTimeFrameSlas": [
    {
      "id": 1,
      "timeFrame": "1",
      "label": "Weekly Review",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "gracePeriodSlas": [
    {
      "id": 1,
      "label": "Grace Period Review",
      "gracePeriod": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "p3MatrixSlas": [
    {
      "id": 1,
      "label": "P3 Matrix Review",
      "timeFrame": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ]
}
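
The Modify Policy body schema above carries several cross-field rules (mutually exclusive renewal fields, group fields tied to assignedTo=GROUP, length limits). The following client-side check is an added example, not Drata's code; the function name, the integer-ID requirement and the handling of an omitted assignedTo are assumptions.

```python
from typing import Any, Dict, List

RENEWAL_SCHEDULES = ("ONE_MONTH", "TWO_MONTHS", "THREE_MONTHS", "SIX_MONTHS", "ONE_YEAR")
ASSIGNED_TO = ("ALL", "GROUP", "NONE")
MAX_LEN = {"name": 191, "description": 30000, "disclaimer": 1000}


def _is_id_list(value: Any) -> bool:
    # Assumption: IDs are integers (the schema only says "number").
    return isinstance(value, list) and all(
        isinstance(v, int) and not isinstance(v, bool) for v in value)


def validate_modify_policy(body: Dict[str, Any]) -> List[str]:
    """Return the documented rules that a PUT /policies/{policyId} body breaks."""
    errors: List[str] = []
    for field, limit in MAX_LEN.items():
        if field not in body:
            continue
        value = body[field]
        if value is None and field == "disclaimer":
            continue  # null is the documented way to clear the disclaimer
        if not isinstance(value, str) or len(value) > limit:
            errors.append(f"{field}: must be a string of at most {limit} characters")
    if "renewalDate" in body and "renewalSchedule" in body:
        errors.append("renewalDate and renewalSchedule are mutually exclusive")
    if "renewalSchedule" in body and body["renewalSchedule"] not in RENEWAL_SCHEDULES:
        errors.append("renewalSchedule: not a documented value")
    assigned = body.get("assignedTo")
    if "assignedTo" in body and assigned not in ASSIGNED_TO:
        errors.append("assignedTo: not a documented value")
    if assigned == "GROUP":
        ids = body.get("groupIds")
        if not _is_id_list(ids) or not ids or len(set(ids)) != len(ids):
            errors.append("groupIds: required with assignedTo=GROUP (non-empty, unique)")
    else:
        # Assumption: an omitted assignedTo is treated like "not GROUP".
        for field in ("groupIds", "notifyGroups"):
            if field in body:
                errors.append(f"{field}: only allowed when assignedTo=GROUP")
    if "notifyGroups" in body and not isinstance(body["notifyGroups"], bool):
        errors.append("notifyGroups: must be a boolean")
    if "controlIds" in body and not _is_id_list(body["controlIds"]):
        errors.append("controlIds: must be an array of numbers")  # [] removes all
    return errors


# Constructed sample bodies (not taken from a real tenant).
SAMPLES = {
    "both_renewal_fields": {"renewalDate": "2020-07-06", "renewalSchedule": "ONE_YEAR"},
    "groups_without_group_scope": {"assignedTo": "ALL", "groupIds": [1], "notifyGroups": True},
    "duplicate_group_ids": {"assignedTo": "GROUP", "groupIds": [1, 1]},
    "clear_disclaimer_and_controls": {"disclaimer": None, "controlIds": []},
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, validate_modify_policy(sample))
```

Because groupIds and controlIds fully replace the existing assignments, read the current policy first and send the complete intended list rather than only the IDs being added.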

List Policy Actions

List available actions the authenticated user can perform on this Policy based on its current state.

🔒 Requires Policies: Submit Policy for Approval, Policies: Override Approve Policy, Policies: Publish Policy, Policies: Discard Policy, Policies: Reset Policy to Template permission.

Security: bearer
Request
path Parameters
policyId
required
number
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /policies/{policyId}/actions
Response sample (application/json)
{
  "data": [
    {
      "action": "SubmitForApproval",
      "label": "Submit for Approval",
      "description": "Submit this Policy Version for approval review",
      "payloadSchema": [
        {
          "name": "reason",
          "type": "string",
          "required": true,
          "description": "Reason for requesting changes"
        }
      ]
    }
  ]
}

Perform Policy Action

Execute an action on a Policy (e.g., submit for approval, approve, request changes, publish, discard).

🔒 Requires Policies: Submit Policy for Approval, Policies: Override Approve Policy, Policies: Publish Policy, Policies: Discard Policy, Policies: Reset Policy to Template permission.

Security: bearer
Request
path Parameters
policyId
required
number
Request Body schema: application/json
required
action
required
string

The action to perform on the Policy

Enum: "SubmitForApproval" "Approve" "RequestChanges" "OverrideApprove" "Publish" "Discard" "ResetToTemplate"
reason
string

Required when action is RequestChanges. The reason for requesting changes.

overrideReason
string

Required when action is OverrideApprove. The reason for overriding approval.

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

POST /policies/{policyId}/actions
Request sample (application/json)
{
  "action": "SubmitForApproval",
  "reason": "string",
  "overrideReason": "string"
}
Response sample (application/json)
{
  "success": true,
  "newStatus": "NEEDS_APPROVAL",
  "message": "Policy submitted for approval"
}
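
List Policy Actions and Perform Policy Action are meant to be used together: the first reports which actions the caller may take in the policy's current state, the second executes one. The preflight below is an added example, not Drata's code; the function name, the constructed AVAILABLE data and the treatment of a whitespace-only reason as missing are assumptions.

```python
from typing import Any, Dict, List

ACTIONS = ("SubmitForApproval", "Approve", "RequestChanges", "OverrideApprove",
           "Publish", "Discard", "ResetToTemplate")
# Fields the request-body schema makes mandatory for specific actions.
CONDITIONAL_FIELDS = {"RequestChanges": "reason", "OverrideApprove": "overrideReason"}


def _blank(value: Any) -> bool:
    # Assumption: a whitespace-only string counts as a missing reason.
    return not isinstance(value, str) or not value.strip()


def preflight_action(available: List[Dict[str, Any]],
                     request: Dict[str, Any]) -> List[str]:
    """Check a POST /policies/{policyId}/actions body against the `data` array
    returned by GET /policies/{policyId}/actions for the same policy."""
    action = request.get("action")
    if action not in ACTIONS:
        return ["action: not a documented value"]
    offered = next((a for a in available if a.get("action") == action), None)
    if offered is None:
        return [f"{action}: not offered to this user for the policy's current state"]
    # Required fields advertised by the server for this action ...
    required = {f["name"] for f in offered.get("payloadSchema", [])
                if f.get("required") and "name" in f}
    # ... plus the conditional requirement stated in the body schema.
    if action in CONDITIONAL_FIELDS:
        required.add(CONDITIONAL_FIELDS[action])
    return [f"{name}: required for {action}" for name in sorted(required)
            if _blank(request.get(name))]


# Constructed GET .../actions `data` array for a policy awaiting approval.
AVAILABLE = [
    {"action": "RequestChanges", "label": "Request Changes",
     "payloadSchema": [{"name": "reason", "type": "string", "required": True}]},
    {"action": "OverrideApprove", "label": "Override Approve", "payloadSchema": []},
]

if __name__ == "__main__":
    for body in ({"action": "Publish"},
                 {"action": "RequestChanges"},
                 {"action": "OverrideApprove", "overrideReason": "Approved by CISO"}):
        print(body, "->", preflight_action(AVAILABLE, body))
```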

List Policy Versions

List Policy Versions for a specific Policy matching the provided filters.

🔒 Requires Policies: List Policies permission.

Security: bearer
Request
path Parameters
policyId
required
number
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results.

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt" "name"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
expand[]
Array of strings (PolicyVersionExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "owner" "weekTimeFrameSlas" "p3MatrixSlas" "gracePeriodSlas" "downloadUrl" "downloadPdfUrl"
version
number

Filter Policy Versions by version number

Example: version=1
current
boolean

Filter to only current Policy Versions

statuses[]
Array of strings (PolicyVersionStatusEnum)

Filter Policy Versions by status

Items Enum: "NEEDS_APPROVAL" "APPROVED" "PUBLISHED" "DRAFT" "DISCARDED"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /policies/{policyId}/policy-versions
Response sample (application/json)
{
  "data": [
    {
      "id": 1,
      "approvedAt": "2025-07-01T16:45:55.246Z",
      "changeSummary": "string",
      "changesExplanation": "string",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "current": true,
      "description": "string",
      "policyVersionStatus": "PUBLISHED",
      "publishedAt": "2025-07-01T16:45:55.246Z",
      "renewalDate": "2020-07-06",
      "subVersion": 0,
      "type": "BUILDER",
      "updatedAt": "2025-07-01T16:45:55.246Z",
      "version": 1,
      "gracePeriodSlas": [
        {
          "id": 1,
          "label": "Grace Period Review",
          "gracePeriod": "1",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "owner": {
        "id": 1,
        "email": "[email protected]",
        "firstName": "Sally",
        "lastName": "Smith",
        "createdAt": "2025-07-01T16:45:55.246Z",
        "updatedAt": "2025-07-01T16:45:55.246Z"
      },
      "p3MatrixSlas": [
        {
          "id": 1,
          "label": "P3 Matrix Review",
          "timeFrame": "1",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "policy": {
        "id": 1,
        "name": "Acceptable Use Policy",
        "description": "string",
        "createdAt": "2025-07-01T16:45:55.246Z",
        "updatedAt": "2025-07-01T16:45:55.246Z",
        "assignedTo": "ALL",
        "policyStatus": "ACTIVE",
        "renewalDate": "2025-07-01T16:45:55.246Z"
      },
      "requiresAcknowledgment": true,
      "weekTimeFrameSlas": [
        {
          "id": 1,
          "timeFrame": "1",
          "label": "Weekly Review",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ]
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}
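
List Policies and List Policy Versions share the same cursor pagination: no cursor on the first request, pagination.cursor echoed back on later ones, and includeTotalCount honored only on the first page. The loop below is an added example, not Drata's code; the fetch_page transport hook and the fake API (which uses offsets as cursors, whereas real cursors are opaque) are assumptions so that it runs offline.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

Page = Dict[str, Any]
FetchPage = Callable[[str, Dict[str, Any]], Page]  # hypothetical transport hook


def list_all(fetch_page: FetchPage, path: str, size: int = 50,
             filters: Optional[Dict[str, Any]] = None, include_total: bool = False,
             max_pages: int = 1000) -> Tuple[List[Dict[str, Any]], Optional[int]]:
    """Follow pagination.cursor until the server stops returning one."""
    if not 1 <= size <= 500:  # documented range for `size`
        raise ValueError("size must be between 1 and 500")
    records: List[Dict[str, Any]] = []
    total: Optional[int] = None
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        params = dict(filters or {})
        params["size"] = size
        if cursor is None:
            if include_total:
                params["includeTotalCount"] = "true"  # only honored on page one
        else:
            params["cursor"] = cursor
        page = fetch_page(path, params)
        records.extend(page.get("data", []))
        pagination = page.get("pagination") or {}
        if cursor is None and include_total:
            total = pagination.get("totalCount")
        next_cursor = pagination.get("cursor")
        if not next_cursor:
            return records, total
        if next_cursor in seen:  # defensive: never loop on a repeated cursor
            raise RuntimeError("cursor repeated; aborting")
        seen.add(next_cursor)
        cursor = next_cursor
    raise RuntimeError("max_pages reached before the last page")


def make_fake_api(all_records: List[Dict[str, Any]], calls: list) -> FetchPage:
    """Constructed stand-in for the HTTP call; cursors are plain offsets."""
    def fetch_page(path: str, params: Dict[str, Any]) -> Page:
        calls.append((path, dict(params)))
        start = int(params.get("cursor", 0))
        end = start + params["size"]
        pagination: Dict[str, Any] = {"cursor": str(end) if end < len(all_records) else None}
        if "cursor" not in params and params.get("includeTotalCount") == "true":
            pagination["totalCount"] = len(all_records)
        return {"data": all_records[start:end], "pagination": pagination}
    return fetch_page


def demo():
    versions = [{"id": i, "policyVersionStatus": "PUBLISHED"} for i in range(1, 6)]
    calls: list = []
    records, total = list_all(make_fake_api(versions, calls), "/policies/1/policy-versions",
                              size=2, filters={"statuses[]": ["PUBLISHED"]}, include_total=True)
    return records, total, calls
```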

Get Policy Version

Get a specific Policy Version. Returns policy version details (default) or policy version HTML content based on Accept header.

🔒 Requires Policies: List Policies permission.

Security: bearer
Request
path Parameters
policyId
required
number
policyVersionId
required
number
query Parameters
expand[]
Array of strings (PolicyVersionExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "owner" "weekTimeFrameSlas" "p3MatrixSlas" "gracePeriodSlas" "downloadUrl" "downloadPdfUrl"
Responses
200

Successful

GET /policies/{policyId}/policy-versions/{policyVersionId}
Response sample
{
  "id": 1,
  "approvedAt": "2025-07-01T16:45:55.246Z",
  "changeSummary": "string",
  "changesExplanation": "string",
  "createdAt": "2025-07-01T16:45:55.246Z",
  "current": true,
  "description": "string",
  "policyVersionStatus": "PUBLISHED",
  "publishedAt": "2025-07-01T16:45:55.246Z",
  "renewalDate": "2020-07-06",
  "subVersion": 0,
  "type": "BUILDER",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "version": 1,
  "gracePeriodSlas": [
    {
      "id": 1,
      "label": "Grace Period Review",
      "gracePeriod": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "owner": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  },
  "p3MatrixSlas": [
    {
      "id": 1,
      "label": "P3 Matrix Review",
      "timeFrame": "1",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "policy": {
    "id": 1,
    "name": "Acceptable Use Policy",
    "description": "string",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z",
    "assignedTo": "ALL",
    "policyStatus": "ACTIVE",
    "renewalDate": "2025-07-01T16:45:55.246Z"
  },
  "requiresAcknowledgment": true,
  "weekTimeFrameSlas": [
    {
      "id": 1,
      "timeFrame": "1",
      "label": "Weekly Review",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ]
}