Vendor Security Reviews

Vendor Security Reviews track the status of security reviews for Vendors. You can create a security review, upload questionnaires, and track the progress of the review. The help docs have more information.

Create Vendor Security Review

Create a new Security Review for a given Vendor.

🔒 Requires Vendors: Create Security Review permission.

Securitybearer
Request
path Parameters
vendorId
required
number
Request Body schema: application/json
required
reviewDeadlineAt
required
string <date-time>

Vendor Security Review deadline date

securityReviewStatus
required
string

The status of the Security Review

Enum: "NOT_YET_STARTED" "IN_PROGRESS" "COMPLETED" "NOT_REQUIRED"
securityReviewType
required
string

The type of the Security Review

Enum: "SECURITY" "SOC_REPORT" "UPLOAD_REPORT"
requestedAt
string <date-time>

Vendor Security Review requested date

note
string or null <= 1000 characters

Vendor Security Review note

requesterUserId
number or null <= 1000000000

The user ID of the person that requested the Security Review

title
string or null <= 191 characters

Vendor Security Review title

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

post/vendors/{vendorId}/security-reviews
Request samples
application/json
{
  • "reviewDeadlineAt": "2025-07-01T16:45:55.246Z",
  • "securityReviewStatus": "NOT_YET_STARTED",
  • "securityReviewType": "SECURITY",
  • "requestedAt": "2025-07-01T16:45:55.246Z",
  • "note": "Security Review note",
  • "requesterUserId": 1,
  • "title": "Security Review title"
}
Response samples
application/json
{
  • "id": 1,
  • "requestedAt": "2019-08-24T14:15:22Z",
  • "reviewDeadlineAt": "2019-08-24T14:15:22Z",
  • "decision": "APPROVED",
  • "note": "string",
  • "status": "NOT_YET_STARTED",
  • "type": "SECURITY",
  • "userId": 0,
  • "requesterUserId": 0,
  • "user": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "requesterUser": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}

Create Vendor Security Review with File

Create a new Security Review for a given Vendor with file upload in a single atomic operation.

🔒 Requires Vendors: Create Security Review permission.

Securitybearer
Request
path Parameters
vendorId
required
number
Request Body schema: application/json
required
title
required
string <= 255 characters

The title of the security review

reviewDeadlineAt
required
string <date-time>

Vendor Security Review deadline date

requestedAt
string

The date when the security review was requested

securityReviewStatus
required
string

The status of the security review

Enum: "NOT_YET_STARTED" "IN_PROGRESS" "COMPLETED" "NOT_REQUIRED"
securityReviewType
required
string

The type of security review

Enum: "SECURITY" "SOC_REPORT" "UPLOAD_REPORT"
requesterUserId
number

The ID of the user requesting the security review

note
string <= 1000 characters

Optional notes for the security review

documentType
string

The type of document being uploaded

Enum: "COMPLIANCE_REPORT" "COMPLIANCE_REPORT_REVIEW" "BRIDGE_LETTER" "UPLOADED_COMPLIANCE_REPORT_REVIEW" "QUESTIONNAIRE_ATTACHMENT" "SOC_DOCUMENT" "QUESTIONNAIRE_REPORT"
file
required
string <binary>

File to upload. Accepted file extensions: .pdf, .docx, .odt, .doc, .xlsx, .ods, .pptx, .odp, .gif, .jpg, .jpeg, .png, .csv

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

post/vendors/{vendorId}/security-reviews/with-file
Request samples
application/json
{
  • "title": "Q4 2024 Security Review",
  • "reviewDeadlineAt": "2025-07-01T16:45:55.246Z",
  • "requestedAt": "2024-01-01T00:00:00.000Z",
  • "securityReviewStatus": 3,
  • "securityReviewType": 1,
  • "requesterUserId": 123,
  • "note": "Additional notes about the security review",
  • "documentType": 1,
  • "file": "string"
}
Response samples
application/json
{
  • "id": 1,
  • "requestedAt": "2019-08-24T14:15:22Z",
  • "reviewDeadlineAt": "2019-08-24T14:15:22Z",
  • "decision": "APPROVED",
  • "note": "string",
  • "status": "NOT_YET_STARTED",
  • "type": "SECURITY",
  • "userId": 0,
  • "requesterUserId": 0,
  • "user": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "requesterUser": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}

Get Vendor Security Review

Get a specific Security Review for a given Vendor.

🔒 Requires Vendors: List Vendors permission.

Securitybearer
Request
path Parameters
vendorId
required
number
securityReviewId
required
number
query Parameters
expand[]
Array of strings (VendorSecurityReviewExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "user" "requesterUser"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors/{vendorId}/security-reviews/{securityReviewId}
Request samples 
Response samples 
application/json
{
  • "id": 1,
  • "requestedAt": "2019-08-24T14:15:22Z",
  • "reviewDeadlineAt": "2019-08-24T14:15:22Z",
  • "decision": "APPROVED",
  • "note": "string",
  • "status": "NOT_YET_STARTED",
  • "type": "SECURITY",
  • "userId": 0,
  • "requesterUserId": 0,
  • "user": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    },
  • "requesterUser": {
    • "id": 1,
    • "email": "[email protected]",
    • "firstName": "Sally",
    • "lastName": "Smith",
    • "createdAt": "2025-07-01T16:45:55.246Z",
    • "updatedAt": "2025-07-01T16:45:55.246Z"
    }
}
Upload Security Questionnaire
🔒 Requires Vendors: Upload Security Questionnaire permission.


Securitybearer 
Request 
path Parameters
vendorId
required
number
 
Request Body schema: multipart/form-data
required
files
required
Array of strings <binary> 
Accepted file extensions: .pdf, .docx, .odt, .doc, .xlsx, .ods, .pptx, .odp, .csv


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/vendors/{vendorId}/security-questionnaires
Request samples 
Response samples 
application/json
{
  • "id": 1,
  • "completedBy": "Acme",
  • "recipientEmail": "[email protected]",
  • "isCompleted": "true",
  • "dateSent": "2025-07-01T16:45:55.246Z",
  • "isManualUpload": "true",
  • "responseId": 1,
  • "title": "Vendor Security Questionnaire"
}
Upload Security Questionnaire
Upload a Security Questionnaire to a Vendor for a specific Security Review.


🔒 Requires Vendors: Upload Security Questionnaire permission.


Securitybearer 
Request 
path Parameters
vendorId
required
number
 
securityReviewId
required
number
 
Request Body schema: multipart/form-data
required
files
required
Array of strings <binary> 
Accepted file extensions: .pdf, .docx, .odt, .doc, .xlsx, .ods, .pptx, .odp, .csv


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/vendors/{vendorId}/security-reviews/{securityReviewId}/security-questionnaires
Request samples 
Response samples 
application/json
{
  • "id": 1,
  • "completedBy": "Acme",
  • "recipientEmail": "[email protected]",
  • "isCompleted": "true",
  • "dateSent": "2025-07-01T16:45:55.246Z",
  • "isManualUpload": "true",
  • "responseId": 1,
  • "title": "Vendor Security Questionnaire"
}