Vendor Security Reviews

Vendor Security Reviews track the status of security reviews for Vendors. You can create a security review, upload questionnaires, and track the progress of the review. The help docs have more information.

Create Vendor Security Review

Create a new Security Review for a given Vendor.

🔒 Requires Vendors: Create Security Review permission.

Security: bearer

Request

Path parameters

vendorId (number, required)

Request body schema: application/json (required)

reviewDeadlineAt (string <date-time>, required)

Vendor Security Review deadline date

securityReviewStatus (string, required)

The status of the Security Review

Enum: "NOT_YET_STARTED" "IN_PROGRESS" "COMPLETED" "NOT_REQUIRED"

securityReviewType (string, required)

The type of the Security Review

Enum: "SECURITY" "SOC_REPORT" "UPLOAD_REPORT"

requestedAt (string <date-time>)

Vendor Security Review requested date

note (string or null, <= 1000 characters)

Vendor Security Review note

requesterUserId (number or null, <= 1000000000)

The user ID of the person that requested the Security Review

title (string or null, <= 191 characters)

Vendor Security Review title
Responses

201: Created

400: Malformed data and/or validation errors

401: Invalid Authorization

402: You must upgrade your plan to use this feature

403: You are not allowed to perform this action

404: Not Found

412: You must accept the Drata terms and conditions to use the API

500: Internal server error

POST /vendors/{vendorId}/security-reviews
Request samples
application/json
{
  "reviewDeadlineAt": "2025-07-01T16:45:55.246Z",
  "securityReviewStatus": "NOT_YET_STARTED",
  "securityReviewType": "SECURITY",
  "requestedAt": "2025-07-01T16:45:55.246Z",
  "note": "Security Review note",
  "requesterUserId": 1,
  "title": "Security Review title"
}
Response samples
application/json
{
  "id": 1,
  "requestedAt": "2019-08-24T14:15:22Z",
  "reviewDeadlineAt": "2019-08-24T14:15:22Z",
  "decision": "APPROVED",
  "note": "string",
  "status": "NOT_YET_STARTED",
  "type": "SECURITY",
  "userId": 0,
  "requesterUserId": 0,
  "user": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  },
  "requesterUser": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  }
}
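
A client-side pre-flight check for the Create Vendor Security Review request, as an added example (not Drata's code): it enforces the required fields, enums and size limits from the request body schema and builds, without sending, the bearer-authenticated POST. The function names are hypothetical, and `base_url` and `token` are caller-supplied because the page does not state the API host.

```python
import json
from datetime import datetime
from urllib.request import Request

# Enums and limits copied from the Create Vendor Security Review body schema.
STATUSES = ("NOT_YET_STARTED", "IN_PROGRESS", "COMPLETED", "NOT_REQUIRED")
TYPES = ("SECURITY", "SOC_REPORT", "UPLOAD_REPORT")
REQUIRED = ("reviewDeadlineAt", "securityReviewStatus", "securityReviewType")
MAX_LEN = {"note": 1000, "title": 191}


def _is_datetime(value):
    """True for an ISO 8601 date-time string such as 2025-07-01T16:45:55.246Z."""
    if not isinstance(value, str) or "T" not in value:
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_review(body):
    """Return a list of schema violations; an empty list means the body passes."""
    errors = [f"{k}: required" for k in REQUIRED if k not in body]
    for key in ("reviewDeadlineAt", "requestedAt"):
        if key in body and not _is_datetime(body[key]):
            errors.append(f"{key}: not a date-time string")
    for key, allowed in (("securityReviewStatus", STATUSES), ("securityReviewType", TYPES)):
        if key in body and body[key] not in allowed:
            errors.append(f"{key}: not one of {allowed}")
    for key, limit in MAX_LEN.items():
        value = body.get(key)
        if value is not None and (not isinstance(value, str) or len(value) > limit):
            errors.append(f"{key}: string or null, <= {limit} characters")
    uid = body.get("requesterUserId")
    if uid is not None and (type(uid) not in (int, float) or uid > 1_000_000_000):
        errors.append("requesterUserId: number or null, <= 1000000000")
    return errors


def build_request(base_url, token, vendor_id, body):
    """Build (do not send) the POST; raise ValueError if the body fails validation."""
    errors = validate_review(body)
    if errors:
        raise ValueError("; ".join(errors))
    url = f"{base_url}/vendors/{int(vendor_id)}/security-reviews"  # int() keeps the path numeric
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
```

Rejecting a bad body locally avoids a 400 round trip, and coercing `vendorId` with `int()` stops a non-numeric value from altering the request path.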

Get Vendor Security Review

Get a specific Security Review for a given Vendor.

🔒 Requires Vendors: List Vendors permission.

Security: bearer

Request

Path parameters

vendorId (number, required)

securityReviewId (number, required)

Query parameters

expand[] (Array of strings, VendorSecurityReviewExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "user" "requesterUser"
Responses

200: Successful

400: Malformed data and/or validation errors

401: Invalid Authorization

402: You must upgrade your plan to use this feature

403: You are not allowed to perform this action

404: Not Found

412: You must accept the Drata terms and conditions to use the API

500: Internal server error

GET /vendors/{vendorId}/security-reviews/{securityReviewId}
Response samples
application/json
{
  "id": 1,
  "requestedAt": "2019-08-24T14:15:22Z",
  "reviewDeadlineAt": "2019-08-24T14:15:22Z",
  "decision": "APPROVED",
  "note": "string",
  "status": "NOT_YET_STARTED",
  "type": "SECURITY",
  "userId": 0,
  "requesterUserId": 0,
  "user": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  },
  "requesterUser": {
    "id": 1,
    "email": "[email protected]",
    "firstName": "Sally",
    "lastName": "Smith",
    "createdAt": "2025-07-01T16:45:55.246Z",
    "updatedAt": "2025-07-01T16:45:55.246Z"
  }
}