Vendors

Vendors are third-parties that your organization is working with. Drata allows you to track and review risks associated with these third-parties. The help docs have more information.

List Vendors

Find Vendors matching the provided filters.

🔒 Requires Vendors: List Vendors permission.

Securitybearer

Request

query Parameters

cursor	string This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a `pagination.cursor` value that can be used in the subsequent request to retrieve the next page of results
size	number [ 1 .. 500 ] Default: 50 Number of results to return
sort	string (SortTypeLimitedEnum) Which field to sort by Enum: "createdAt" "updatedAt" "name"
sortDir	string (SortDirectionEnum) The direction to sort the data Enum: "ASC" "DESC"
includeTotalCount	boolean Default: false Include total count of all matching records in response. Only honored on first page (when cursor is null). Example: includeTotalCount=false
category	string (VendorCategoryEnum) The category of the Vendors Enum: "ENGINEERING" "PRODUCT" "MARKETING" "CS" "SALES" "FINANCE" "HR" "ADMINISTRATIVE" "SECURITY" "LEGAL" "INFORMATION_TECHNOLOGY" "NONE"
expand[]	Array of strings (VendorExpandEnum) List of subcollections and sub-objects to expand Items Enum: "customFields" "documents" "integrations" "lastQuestionnaire" "latestSecurityReviews" "reviews" "vendorUser" "vendorRelationshipContact" "dataAccessedOrProcessed" "scheduleConfiguration" "customVendorType"
impactLevel	string (VendorImpactLevelEnum) Overall Vendor impact level Enum: "INSIGNIFICANT" "MINOR" "MODERATE" "MAJOR" "CRITICAL" "UNSCORED"
renewalDate	string <date> Vendor renewal date Example: renewalDate=2020-07-06
renewalScheduleType	string (RenewalScheduleTypeEnum) Vendor renewal schedule type Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR" "CUSTOM" "NONE"
risk	string (VendorRiskEnum) Filter data to Vendors of this risk level Enum: "NONE" "LOW" "MODERATE" "HIGH"
status	string (VendorStatusEnum) The status of the Vendors Enum: "PROSPECTIVE" "ACTIVE" "ARCHIVED" "APPROVED" "REJECTED" "FLAGGED" "ON_HOLD" "OFFBOARDED" "UNDER_REVIEW" "NONE"
type	string (VendorTypeEnum) Vendor type Enum: "VENDOR" "SUPPLIER" "CONTRACTOR" "PARTNER" "OTHER" "NONE"

Responses

200

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors

Request samples

Response samples

application/json

{"data": [{"id": 1,
"name": "Acme",
"category": "ENGINEERING",
"risk": "MODERATE",
"type": "CONTRACTOR",
"critical": false,
"status": "ACTIVE",
"location": "USA",
"url": "https://acme.com",
"privacyUrl": "config.get('swagger.examples.url')/privacy",
"termsUrl": "config.get('swagger.examples.url')/terms-of-service",
"trustCenterUrl": "https://trust.example.com",
"trustCenterProvider": "DRATA",
"servicesProvided": "Perform security scans once a month",
"dataStored": "Resulting reports of security scans",
"hasPii": true,
"passwordPolicy": "USERNAME_PASSWORD",
"passwordRequiresMinLength": true,
"passwordMinLength": 8,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"contactAtVendor": "John Doe",
"contactsEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"logoUrl": "https://cdn-prod.imgpilot.com/logo.png",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"isSubProcessor": false,
"isSubProcessorActive": false,
"archivedAt": "2025-07-01T16:45:55.246Z",
"renewalDate": "2020-07-06",
"renewalScheduleType": "ONE_YEAR",
"renewalDateStatus": "COMPLETED",
"confirmedAt": "2025-07-01T16:45:55.246Z",
"sharedAccountId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
"isDrataUser": false,
"events": 4,
"integrations": [{"id": 1,
"name": "Acme"
}
],
"cost": "1088",
"operationalImpact": "CRITICAL",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["string"
],
"user": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"documents": [{"id": 1,
"name": "AWS SOC 2 2025",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"type": "COMPLIANCE_REPORT",
"downloadUrl": {"signedUrl": "https://somedomain.com/filename.pdf?Signature=ABC123",
"fileBuffer": {"buffer": "RXhhbXBsZSB0ZXh0IGNvbnRlbnQ="
}
}
}
],
"lastQuestionnaire": {"vendorId": 1,
"sendAt": "2025-07-01T16:45:55.246Z",
"sentEmail": "[email protected]",
"file": "questionnaire.pdf",
"respondedAt": "2025-07-01T16:45:55.246Z",
"responseId": 1,
"isManualUpload": true,
"completedBy": "Acme"
},
"latestSecurityReviews": [{"id": 1,
"requestedAt": "2019-08-24T14:15:22Z",
"reviewDeadlineAt": "2019-08-24T14:15:22Z",
"decision": "APPROVED",
"note": "string",
"status": "NOT_YET_STARTED",
"type": "SECURITY"
}
],
"vendorRelationshipContact": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"reviews": [{"id": 1,
"updatedAt": "2025-07-01T16:45:55.246Z",
"reviewer": "John Doe",
"reviewDate": "2025-07-01T16:45:55.246Z",
"reportIssueDate": "2025-07-01T16:45:55.246Z",
"socReport": "SOC_1",
"socReportType1": true,
"socReportType2": true,
"socType1StartDate": "2025-07-01T16:45:55.246Z",
"socType1EndDate": "2025-07-01T16:45:55.246Z",
"socType2StartDate": "2025-07-01T16:45:55.246Z",
"socType2EndDate": "2025-07-01T16:45:55.246Z",
"reportOpinion": "UNQUALIFIED",
"encompassBusinessNeeds": true,
"followUpActivity": "User must proceed to...",
"hasMaterialImpact": true,
"cpaFirm": "CPA firm name",
"cpaProcedurePerformed": "The following procedures were performed...",
"subserviceOrganization": "Subservice Inc.",
"subserviceOrganizationUsingInclusiveMethod": true,
"subserviceOrganizationProcedurePerformed": "The following procedures were performed...",
"trustServiceCategories": [{"id": 1,
"category": "AVAILABILITY"
}
],
"userControls": [{"id": 1,
"name": "End User Control 1",
"inPlace": true
}
],
"services": [{"id": 1,
"name": "Service 1"
}
],
"locations": [{"id": 1,
"city": "San Diego",
"stateCountry": "CA"
}
],
"findings": [{"id": 1,
"description": "Finding 1"
}
]
}
],
"customFields": [{"customFieldId": 1,
"name": "Stakeholders",
"value": "Security & IT"
}
]
}
],
"pagination": {"cursor": "string",
"totalCount": 0
}
}

Create Vendor

Create a new Vendor

🔒 Requires Vendors: Create Vendor permission.

Securitybearer

Request

Request Body schema: application/json
required

name required	string <= 191 characters The name of the Vendor
hasPii	boolean Default: false Indicates whether this Vendor stores any type of Personally Identifiable Information (PII)
passwordRequiresNumber	boolean Default: false Indicates whether a password requires numbers
passwordRequiresSymbol	boolean Default: false Indicates whether a password requires non-alpha-numeric characters
passwordMfaEnabled	boolean Default: false Indicates whether multi-factor authentication is enabled for this Vendor
passwordRequiresMinLength	boolean Default: false Indicates whether there is a minimum length requirement for password
isSubProcessor	boolean Default: false Indicates whether this Vendor is considered a subprocessor
isSubProcessorActive	boolean Default: false Indicates whether this subprocessor is active
category	string or null The type of Vendor Enum: "ENGINEERING" "PRODUCT" "MARKETING" "CS" "SALES" "FINANCE" "HR" "ADMINISTRATIVE" "SECURITY" "LEGAL" "INFORMATION_TECHNOLOGY" "NONE"
risk	string The level of risk associated with customer data Enum: "NONE" "LOW" "MODERATE" "HIGH"
status	string or null The status of Vendor Enum: "PROSPECTIVE" "ACTIVE" "ARCHIVED" "APPROVED" "REJECTED" "FLAGGED" "ON_HOLD" "OFFBOARDED" "UNDER_REVIEW" "NONE"
critical	boolean or null Indicates if the Vendor is considered critical
userId	number or null <= 1000000000 The user ID of the person responsible for Vendor compliance
url	string or null <uri> <= 768 characters Vendor URL
privacyUrl	string <uri> <= 768 characters Vendor Privacy Policy URL
termsUrl	string <uri> <= 768 characters Vendor Terms of Use URL
servicesProvided	string or null <= 30000 characters Description of the services provided by the Vendor
dataStored	string or null <= 30000 characters Description of the type of data the Vendor stores
location	string <= 30000 characters Location where the Vendor services are provided
passwordPolicy	string or null The Vendor password policy Enum: "USERNAME_PASSWORD" "SSO" "LDAP" "NONE" "NOT_APPLICABLE" "SCIM" "OTHER"
passwordMinLength	number or null [ 6 .. 12 ] Minimum character length required for a password
contactAtVendor	string or null <= 191 characters Name of the corresponding account manager for this Vendor
contactEmail	string or null <email> <= 191 characters Email of the corresponding account manager for this Vendor
notes	string <= 30000 characters Additional notes for Vendor
renewalDate	string or null Vendor renewal date
renewalScheduleType	string or null Vendor renewal schedule type Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR" "CUSTOM" "NONE"
confirmed	boolean or null Indicate if all Vendor data is confirmed
type	string or null Vendor type identifier Enum: "VENDOR" "SUPPLIER" "CONTRACTOR" "PARTNER" "OTHER" "NONE"
accountId	string <= 36 characters Account Id
operationalImpact	string or null Vendor level of operational impact Enum: "NONE" "LOW" "NORMAL" "IMPORTANT" "CRITICAL"
environmentAccess	string or null Vendor environment access privileges Enum: "NO" "READ_ONLY" "READ_WRITE"
impactLevel	string or null Vendor overall impact level Enum: "INSIGNIFICANT" "MINOR" "MODERATE" "MAJOR" "CRITICAL" "UNSCORED"
dataAccessedOrProcessedList	Array of strings or null (VendorDataAccessedOrProcessedEnum) unique List of data accessed or processed enum type Enum: "GENERAL" "PUBLIC" "CONTROLLED_UNCLASSIFIED" "FINANCIAL" "PROPRIETARY" "EMPLOYEE_PERSONNEL" "PERSONAL_IDENTIFIABLE_INFORMATION" "PROTECTED_HEALTH_INFORMATION" "OTHER_PERSONAL_OR_SENSITIVE" "CARDHOLDER_DATA"
integrations	Array of numbers unique List of vendor IDs
cost	string or null Annual Contract Value for the Vendor in Cents unit
	Array of objects (CustomFieldSubmitRequestPublicV2Dto) Custom Fields for the Vendor. 💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading.

Responses

201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

post/vendors

Request samples

application/json

{"name": "Acme",
"hasPii": true,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"passwordRequiresMinLength": true,
"isSubProcessor": false,
"isSubProcessorActive": false,
"category": "ENGINEERING",
"risk": "MODERATE",
"status": "UNDER_REVIEW",
"critical": false,
"userId": 1,
"url": "https://acme.com",
"privacyUrl": "https://acme.com/privacy",
"termsUrl": "https://acme.com/terms",
"servicesProvided": "Perform security scans once a month",
"dataStored": "resulting reports of security scans",
"location": "San Diego",
"passwordPolicy": "USERNAME_PASSWORD",
"passwordMinLength": 8,
"contactAtVendor": "John Doe",
"contactEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"renewalDate": "2025-07-01T16:45:55.246Z",
"renewalScheduleType": "ONE_YEAR",
"confirmed": true,
"type": "VENDOR",
"accountId": 36,
"operationalImpact": "IMPORTANT",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["FINANCIAL",
"GENERAL"
],
"integrations": [1,
2,
3
],
"cost": "1088",
"customFields": [{"id": 1,
"name": "Compliance Status",
"value": "Security & IT"
}
]
}

Response samples

application/json

{"id": 1,
"name": "Acme",
"category": "ENGINEERING",
"risk": "MODERATE",
"type": "CONTRACTOR",
"critical": false,
"status": "ACTIVE",
"location": "USA",
"url": "https://acme.com",
"privacyUrl": "config.get('swagger.examples.url')/privacy",
"termsUrl": "config.get('swagger.examples.url')/terms-of-service",
"trustCenterUrl": "https://trust.example.com",
"trustCenterProvider": "DRATA",
"servicesProvided": "Perform security scans once a month",
"dataStored": "Resulting reports of security scans",
"hasPii": true,
"passwordPolicy": "USERNAME_PASSWORD",
"passwordRequiresMinLength": true,
"passwordMinLength": 8,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"contactAtVendor": "John Doe",
"contactsEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"logoUrl": "https://cdn-prod.imgpilot.com/logo.png",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"isSubProcessor": false,
"isSubProcessorActive": false,
"archivedAt": "2025-07-01T16:45:55.246Z",
"renewalDate": "2020-07-06",
"renewalScheduleType": "ONE_YEAR",
"renewalDateStatus": "COMPLETED",
"confirmedAt": "2025-07-01T16:45:55.246Z",
"sharedAccountId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
"isDrataUser": false,
"events": 4,
"integrations": [{"id": 1,
"name": "Acme"
}
],
"cost": "1088",
"operationalImpact": "CRITICAL",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["string"
],
"user": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"documents": [{"id": 1,
"name": "AWS SOC 2 2025",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"type": "COMPLIANCE_REPORT",
"downloadUrl": {"signedUrl": "https://somedomain.com/filename.pdf?Signature=ABC123",
"fileBuffer": {"buffer": "RXhhbXBsZSB0ZXh0IGNvbnRlbnQ="
}
}
}
],
"lastQuestionnaire": {"vendorId": 1,
"sendAt": "2025-07-01T16:45:55.246Z",
"sentEmail": "[email protected]",
"file": "questionnaire.pdf",
"respondedAt": "2025-07-01T16:45:55.246Z",
"responseId": 1,
"isManualUpload": true,
"completedBy": "Acme"
},
"latestSecurityReviews": [{"id": 1,
"requestedAt": "2019-08-24T14:15:22Z",
"reviewDeadlineAt": "2019-08-24T14:15:22Z",
"decision": "APPROVED",
"note": "string",
"status": "NOT_YET_STARTED",
"type": "SECURITY"
}
],
"vendorRelationshipContact": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"reviews": [{"id": 1,
"updatedAt": "2025-07-01T16:45:55.246Z",
"reviewer": "John Doe",
"reviewDate": "2025-07-01T16:45:55.246Z",
"reportIssueDate": "2025-07-01T16:45:55.246Z",
"socReport": "SOC_1",
"socReportType1": true,
"socReportType2": true,
"socType1StartDate": "2025-07-01T16:45:55.246Z",
"socType1EndDate": "2025-07-01T16:45:55.246Z",
"socType2StartDate": "2025-07-01T16:45:55.246Z",
"socType2EndDate": "2025-07-01T16:45:55.246Z",
"reportOpinion": "UNQUALIFIED",
"encompassBusinessNeeds": true,
"followUpActivity": "User must proceed to...",
"hasMaterialImpact": true,
"cpaFirm": "CPA firm name",
"cpaProcedurePerformed": "The following procedures were performed...",
"subserviceOrganization": "Subservice Inc.",
"subserviceOrganizationUsingInclusiveMethod": true,
"subserviceOrganizationProcedurePerformed": "The following procedures were performed...",
"trustServiceCategories": [{"id": 1,
"category": "AVAILABILITY"
}
],
"userControls": [{"id": 1,
"name": "End User Control 1",
"inPlace": true
}
],
"services": [{"id": 1,
"name": "Service 1"
}
],
"locations": [{"id": 1,
"city": "San Diego",
"stateCountry": "CA"
}
],
"findings": [{"id": 1,
"description": "Finding 1"
}
]
}
],
"customFields": [{"customFieldId": 1,
"name": "Stakeholders",
"value": "Security & IT"
}
]
}

Get Vendor Statistics

Retrieve vendor statistics for specified scopes. At least one expand parameter is required. By default, archived vendors are excluded unless includeArchived is set to true.

🔒 Requires Vendors: Get Vendors Statistics permission.

Securitybearer

Request

query Parameters

expand[] required	Array of strings (VendorStatsExpandEnum) List of stat scopes to include. At least one scope is required. Items Enum: "reminder" "hasPii" "businessUnits" "passwordPolicy" "status" "isCritical" "isSubProcessor" "type" "risk" "impactLevel"
includeArchived	boolean Default: false Whether to include archived vendors in statistics. Defaults to false (excludes archived vendors). Example: includeArchived=false

Responses

200

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors-stats

Request samples

Response samples

application/json

{"reminder": [{"key": "RENEWAL_DUE",
"count": 1
},
{"key": "RENEWAL_DUE_SOON",
"count": 1
}
],
"hasPii": [{"key": true,
"count": 1
},
{"key": false,
"count": 1
}
],
"businessUnits": [{"key": "ENGINEERING",
"count": 118
},
{"key": "PRODUCT",
"count": 2
}
],
"passwordPolicy": [{"key": "USERNAME_PASSWORD",
"count": 118
},
{"key": "SSO",
"count": 32
}
],
"status": [{"key": "ACTIVE",
"count": 118
},
{"key": "UNDER_REVIEW",
"count": 20
}
],
"isCritical": [{"key": "Yes",
"count": 10
},
{"key": "No",
"count": 20
}
],
"isSubProcessor": [{"key": true,
"count": 10
},
{"key": false,
"count": 20
}
],
"type": [{"key": "CONTRACTOR",
"count": 15
},
{"key": "VENDOR",
"count": 45
}
],
"risk": [{"key": "HIGH",
"count": 15
},
{"key": "MODERATE",
"count": 50
},
{"key": "LOW",
"count": 45
},
{"key": "NONE",
"count": 10
}
],
"impactLevel": [{"key": "CRITICAL",
"count": 7
},
{"key": "MAJOR",
"count": 12
},
{"key": "UNSCORED",
"count": 0
}
]
}

Get Vendor

🔒 Requires Vendors: Get Vendor permission.

Securitybearer

Request

path Parameters

vendorId

required

number

query Parameters

expand[]

Array of strings (VendorExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "customFields" "documents" "integrations" "lastQuestionnaire" "latestSecurityReviews" "reviews" "vendorUser" "vendorRelationshipContact" "dataAccessedOrProcessed" "scheduleConfiguration" "customVendorType"

Responses

200

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors/{vendorId}

Request samples

Response samples

application/json

{"id": 1,
"name": "Acme",
"category": "ENGINEERING",
"risk": "MODERATE",
"type": "CONTRACTOR",
"critical": false,
"status": "ACTIVE",
"location": "USA",
"url": "https://acme.com",
"privacyUrl": "config.get('swagger.examples.url')/privacy",
"termsUrl": "config.get('swagger.examples.url')/terms-of-service",
"trustCenterUrl": "https://trust.example.com",
"trustCenterProvider": "DRATA",
"servicesProvided": "Perform security scans once a month",
"dataStored": "Resulting reports of security scans",
"hasPii": true,
"passwordPolicy": "USERNAME_PASSWORD",
"passwordRequiresMinLength": true,
"passwordMinLength": 8,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"contactAtVendor": "John Doe",
"contactsEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"logoUrl": "https://cdn-prod.imgpilot.com/logo.png",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"isSubProcessor": false,
"isSubProcessorActive": false,
"archivedAt": "2025-07-01T16:45:55.246Z",
"renewalDate": "2020-07-06",
"renewalScheduleType": "ONE_YEAR",
"renewalDateStatus": "COMPLETED",
"confirmedAt": "2025-07-01T16:45:55.246Z",
"sharedAccountId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
"isDrataUser": false,
"events": 4,
"integrations": [{"id": 1,
"name": "Acme"
}
],
"cost": "1088",
"operationalImpact": "CRITICAL",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["string"
],
"user": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"documents": [{"id": 1,
"name": "AWS SOC 2 2025",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"type": "COMPLIANCE_REPORT",
"downloadUrl": {"signedUrl": "https://somedomain.com/filename.pdf?Signature=ABC123",
"fileBuffer": {"buffer": "RXhhbXBsZSB0ZXh0IGNvbnRlbnQ="
}
}
}
],
"lastQuestionnaire": {"vendorId": 1,
"sendAt": "2025-07-01T16:45:55.246Z",
"sentEmail": "[email protected]",
"file": "questionnaire.pdf",
"respondedAt": "2025-07-01T16:45:55.246Z",
"responseId": 1,
"isManualUpload": true,
"completedBy": "Acme"
},
"latestSecurityReviews": [{"id": 1,
"requestedAt": "2019-08-24T14:15:22Z",
"reviewDeadlineAt": "2019-08-24T14:15:22Z",
"decision": "APPROVED",
"note": "string",
"status": "NOT_YET_STARTED",
"type": "SECURITY"
}
],
"vendorRelationshipContact": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"reviews": [{"id": 1,
"updatedAt": "2025-07-01T16:45:55.246Z",
"reviewer": "John Doe",
"reviewDate": "2025-07-01T16:45:55.246Z",
"reportIssueDate": "2025-07-01T16:45:55.246Z",
"socReport": "SOC_1",
"socReportType1": true,
"socReportType2": true,
"socType1StartDate": "2025-07-01T16:45:55.246Z",
"socType1EndDate": "2025-07-01T16:45:55.246Z",
"socType2StartDate": "2025-07-01T16:45:55.246Z",
"socType2EndDate": "2025-07-01T16:45:55.246Z",
"reportOpinion": "UNQUALIFIED",
"encompassBusinessNeeds": true,
"followUpActivity": "User must proceed to...",
"hasMaterialImpact": true,
"cpaFirm": "CPA firm name",
"cpaProcedurePerformed": "The following procedures were performed...",
"subserviceOrganization": "Subservice Inc.",
"subserviceOrganizationUsingInclusiveMethod": true,
"subserviceOrganizationProcedurePerformed": "The following procedures were performed...",
"trustServiceCategories": [{"id": 1,
"category": "AVAILABILITY"
}
],
"userControls": [{"id": 1,
"name": "End User Control 1",
"inPlace": true
}
],
"services": [{"id": 1,
"name": "Service 1"
}
],
"locations": [{"id": 1,
"city": "San Diego",
"stateCountry": "CA"
}
],
"findings": [{"id": 1,
"description": "Finding 1"
}
]
}
],
"customFields": [{"customFieldId": 1,
"name": "Stakeholders",
"value": "Security & IT"
}
]
}

Update Vendor

Update Vendor details

🔒 Requires Vendors: Update Vendor permission.

Securitybearer

Request

path Parameters

vendorId

required

number

Request Body schema: application/json
required

name	string <= 191 characters The name of the Vendor
hasPii	boolean Indicates whether this Vendor stores any type of Personally Identifiable Information (PII)
passwordRequiresNumber	boolean Indicates whether a password requires numbers
passwordRequiresSymbol	boolean Indicates whether a password requires non-alpha-numeric characters
passwordMfaEnabled	boolean Indicates whether multi-factor authentication is enabled for this Vendor
passwordRequiresMinLength	boolean Indicates whether there is a minimum length requirement for password
isSubProcessor	boolean Indicates whether this Vendor is considered a subprocessor
isSubProcessorActive	boolean Indicates whether this subprocessor is active
category	string or null The type of Vendor Enum: "ENGINEERING" "PRODUCT" "MARKETING" "CS" "SALES" "FINANCE" "HR" "ADMINISTRATIVE" "SECURITY" "LEGAL" "INFORMATION_TECHNOLOGY" "NONE"
risk	string The level of risk associated with customer data Enum: "NONE" "LOW" "MODERATE" "HIGH"
status	string or null The status of Vendor Enum: "PROSPECTIVE" "ACTIVE" "ARCHIVED" "APPROVED" "REJECTED" "FLAGGED" "ON_HOLD" "OFFBOARDED" "UNDER_REVIEW" "NONE"
critical	boolean or null Indicates if the Vendor is considered critical
userId	number or null <= 1000000000 The user ID of the person responsible for Vendor compliance
url	string or null <uri> <= 768 characters Vendor URL
privacyUrl	string <uri> <= 768 characters Vendor Privacy Policy URL
termsUrl	string <uri> <= 768 characters Vendor Terms of Use URL
servicesProvided	string or null <= 30000 characters Description of the services provided by the Vendor
dataStored	string or null <= 30000 characters Description of the type of data the Vendor stores
location	string <= 30000 characters Location where the Vendor services are provided
passwordPolicy	string or null The Vendor password policy Enum: "USERNAME_PASSWORD" "SSO" "LDAP" "NONE" "NOT_APPLICABLE" "SCIM" "OTHER"
passwordMinLength	number or null [ 6 .. 12 ] Minimum character length required for a password
contactAtVendor	string or null <= 191 characters Name of the corresponding account manager for this Vendor
contactsEmail	string or null <email> <= 191 characters Email of the corresponding account manager for this Vendor
notes	string <= 30000 characters Additional notes for Vendor
renewalDate	string or null Vendor renewal date
renewalScheduleType	string or null Vendor renewal schedule type Enum: "ONE_MONTH" "TWO_MONTHS" "THREE_MONTHS" "SIX_MONTHS" "ONE_YEAR" "CUSTOM" "NONE"
confirmed	boolean or null Indicate if all Vendor data is confirmed
type	string or null Vendor type identifier Enum: "VENDOR" "SUPPLIER" "CONTRACTOR" "PARTNER" "OTHER" "NONE"
accountId	string <= 36 characters Account Id
operationalImpact	string or null Vendor level of operational impact Enum: "NONE" "LOW" "NORMAL" "IMPORTANT" "CRITICAL"
environmentAccess	string or null Vendor environment access privileges Enum: "NO" "READ_ONLY" "READ_WRITE"
impactLevel	string or null Vendor overall impact level Enum: "INSIGNIFICANT" "MINOR" "MODERATE" "MAJOR" "CRITICAL" "UNSCORED"
dataAccessedOrProcessedList	Array of strings or null (VendorDataAccessedOrProcessedEnum) unique List of data accessed or processed enum type Enum: "GENERAL" "PUBLIC" "CONTROLLED_UNCLASSIFIED" "FINANCIAL" "PROPRIETARY" "EMPLOYEE_PERSONNEL" "PERSONAL_IDENTIFIABLE_INFORMATION" "PROTECTED_HEALTH_INFORMATION" "OTHER_PERSONAL_OR_SENSITIVE" "CARDHOLDER_DATA"
integrations	Array of numbers unique List of vendor IDs
cost	string or null Annual Contract Value for the Vendor in cents unit
	Array of objects (CustomFieldSubmitRequestPublicV2Dto) Custom Fields for the Vendor. 💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading.

Responses

200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

put/vendors/{vendorId}

Request samples

application/json

{"name": "Acme",
"hasPii": true,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"passwordRequiresMinLength": true,
"isSubProcessor": false,
"isSubProcessorActive": false,
"category": "ENGINEERING",
"risk": "MODERATE",
"status": "UNDER_REVIEW",
"critical": false,
"userId": 1,
"url": "https://acme.com",
"privacyUrl": "https://acme.com/privacy",
"termsUrl": "https://acme.com/terms",
"servicesProvided": "Perform security scans once a month",
"dataStored": "resulting reports of security scans",
"location": "San Diego",
"passwordPolicy": "USERNAME_PASSWORD",
"passwordMinLength": 8,
"contactAtVendor": "John Doe",
"contactsEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"renewalDate": "2025-07-01T16:45:55.246Z",
"renewalScheduleType": "ONE_YEAR",
"confirmed": true,
"type": "VENDOR",
"accountId": 36,
"operationalImpact": "IMPORTANT",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["FINANCIAL",
"GENERAL"
],
"integrations": [1,
2,
3
],
"cost": "1088",
"customFields": [{"id": 1,
"name": "Compliance Status",
"value": "Security & IT"
}
]
}

Response samples

application/json

{"id": 1,
"name": "Acme",
"category": "ENGINEERING",
"risk": "MODERATE",
"type": "CONTRACTOR",
"critical": false,
"status": "ACTIVE",
"location": "USA",
"url": "https://acme.com",
"privacyUrl": "config.get('swagger.examples.url')/privacy",
"termsUrl": "config.get('swagger.examples.url')/terms-of-service",
"trustCenterUrl": "https://trust.example.com",
"trustCenterProvider": "DRATA",
"servicesProvided": "Perform security scans once a month",
"dataStored": "Resulting reports of security scans",
"hasPii": true,
"passwordPolicy": "USERNAME_PASSWORD",
"passwordRequiresMinLength": true,
"passwordMinLength": 8,
"passwordRequiresNumber": true,
"passwordRequiresSymbol": true,
"passwordMfaEnabled": true,
"contactAtVendor": "John Doe",
"contactsEmail": "[email protected]",
"notes": "Meeting once a month to adjust contract",
"logoUrl": "https://cdn-prod.imgpilot.com/logo.png",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"isSubProcessor": false,
"isSubProcessorActive": false,
"archivedAt": "2025-07-01T16:45:55.246Z",
"renewalDate": "2020-07-06",
"renewalScheduleType": "ONE_YEAR",
"renewalDateStatus": "COMPLETED",
"confirmedAt": "2025-07-01T16:45:55.246Z",
"sharedAccountId": "aaaaaaaa-bbbb-0000-cccc-dddddddddddd",
"isDrataUser": false,
"events": 4,
"integrations": [{"id": 1,
"name": "Acme"
}
],
"cost": "1088",
"operationalImpact": "CRITICAL",
"environmentAccess": "READ_ONLY",
"impactLevel": "INSIGNIFICANT",
"dataAccessedOrProcessedList": ["string"
],
"user": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"documents": [{"id": 1,
"name": "AWS SOC 2 2025",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z",
"type": "COMPLIANCE_REPORT",
"downloadUrl": {"signedUrl": "https://somedomain.com/filename.pdf?Signature=ABC123",
"fileBuffer": {"buffer": "RXhhbXBsZSB0ZXh0IGNvbnRlbnQ="
}
}
}
],
"lastQuestionnaire": {"vendorId": 1,
"sendAt": "2025-07-01T16:45:55.246Z",
"sentEmail": "[email protected]",
"file": "questionnaire.pdf",
"respondedAt": "2025-07-01T16:45:55.246Z",
"responseId": 1,
"isManualUpload": true,
"completedBy": "Acme"
},
"latestSecurityReviews": [{"id": 1,
"requestedAt": "2019-08-24T14:15:22Z",
"reviewDeadlineAt": "2019-08-24T14:15:22Z",
"decision": "APPROVED",
"note": "string",
"status": "NOT_YET_STARTED",
"type": "SECURITY"
}
],
"vendorRelationshipContact": {"id": 1,
"email": "[email protected]",
"firstName": "Sally",
"lastName": "Smith",
"createdAt": "2025-07-01T16:45:55.246Z",
"updatedAt": "2025-07-01T16:45:55.246Z"
},
"reviews": [{"id": 1,
"updatedAt": "2025-07-01T16:45:55.246Z",
"reviewer": "John Doe",
"reviewDate": "2025-07-01T16:45:55.246Z",
"reportIssueDate": "2025-07-01T16:45:55.246Z",
"socReport": "SOC_1",
"socReportType1": true,
"socReportType2": true,
"socType1StartDate": "2025-07-01T16:45:55.246Z",
"socType1EndDate": "2025-07-01T16:45:55.246Z",
"socType2StartDate": "2025-07-01T16:45:55.246Z",
"socType2EndDate": "2025-07-01T16:45:55.246Z",
"reportOpinion": "UNQUALIFIED",
"encompassBusinessNeeds": true,
"followUpActivity": "User must proceed to...",
"hasMaterialImpact": true,
"cpaFirm": "CPA firm name",
"cpaProcedurePerformed": "The following procedures were performed...",
"subserviceOrganization": "Subservice Inc.",
"subserviceOrganizationUsingInclusiveMethod": true,
"subserviceOrganizationProcedurePerformed": "The following procedures were performed...",
"trustServiceCategories": [{"id": 1,
"category": "AVAILABILITY"
}
],
"userControls": [{"id": 1,
"name": "End User Control 1",
"inPlace": true
}
],
"services": [{"id": 1,
"name": "Service 1"
}
],
"locations": [{"id": 1,
"city": "San Diego",
"stateCountry": "CA"
}
],
"findings": [{"id": 1,
"description": "Finding 1"
}
]
}
],
"customFields": [{"customFieldId": 1,
"name": "Stakeholders",
"value": "Security & IT"
}
]
}

Remove Vendor

🔒 Requires Vendors: Delete Vendor permission.

Securitybearer

Request

path Parameters

vendorId

required

number

Responses

204

No Content

401

Invalid Authorization

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

delete/vendors/{vendorId}

Request samples

Response samples

application/json

{"statusCode": 0,
"message": "string",
"code": 0,
"debugInfo": {"name": "string",
"message": "string",
"stack": "string"
}
}

List Vendor Questionnaires

Get Questionnaires sent to a Vendor.

🔒 Requires Vendors: List Vendor Questionnaire permission.

Securitybearer

Request

path Parameters

vendorId

required

number

query Parameters

cursor	string This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a `pagination.cursor` value that can be used in the subsequent request to retrieve the next page of results
size	number [ 1 .. 500 ] Default: 50 Number of results to return
sort	string (SortTypeLimitedEnum) Which field to sort by Enum: "createdAt" "updatedAt" "name"
sortDir	string (SortDirectionEnum) The direction to sort the data Enum: "ASC" "DESC"
includeTotalCount	boolean Default: false Include total count of all matching records in response. Only honored on first page (when cursor is null). Example: includeTotalCount=false

Responses

200

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors/{vendorId}/questionnaires

Request samples

Response samples

application/json

{"data": [{"id": 1,
"title": "Vendor Security Questionnaire",
"recipientEmail": "[email protected]",
"isCompleted": true,
"completedBy": "Acme",
"responseId": 1,
"dateSent": "2025-07-01T16:45:55.246Z",
"isManualUpload": false
}
],
"pagination": {"cursor": "string",
"totalCount": 0
}
}

Send Questionnaire to Vendor

Send a Questionnaire to a Vendor by email.

🔒 Requires Vendors: Send Questionnaire to Vendor permission.

Securitybearer

Request

path Parameters

vendorId

required

number

Request Body schema: application/json
required

email required	string <email> <= 191 characters The email address to receive the Questionnaire
questionnaireId required	number Vendor Questionnaire ID
emailSubject	string <= 191 characters The email subject for the vendor questionnaire
emailContent required	string <= 30000 characters The email content for the Vendor
securityReviewId required	number Security Review ID to associate the Questionnaire with. When provided, the sent Questionnaire will be linked to the specified security review as a document of type QUESTIONNAIRE.

Responses

201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

post/vendors/{vendorId}/questionnaires

Request samples

application/json

{"email": "[email protected]",
"questionnaireId": 1,
"emailSubject": "Drata is conducting a security review of you.",
"emailContent": "Hi,\n\nWe'd like to conduct a security review and would like some information from you. Use this link to complete the questionnaire.\n\nThank you.",
"securityReviewId": 1
}

Response samples

application/json

{"id": 1,
"title": "Vendor Security Questionnaire",
"recipientEmail": "[email protected]",
"isCompleted": true,
"completedBy": "Acme",
"responseId": 1,
"dateSent": "2025-07-01T16:45:55.246Z",
"isManualUpload": false
}

Get Vendor Questionnaire

Get a specific Questionnaire sent to a Vendor.

🔒 Requires Vendors: List Vendor Questionnaire permission.

Securitybearer

Request

path Parameters

vendorId required	number
questionnaireId required	number

Responses

200

400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/vendors/{vendorId}/questionnaires/{questionnaireId}

Request samples

Response samples

application/json

{"id": 1,
"title": "Vendor Security Questionnaire",
"recipientEmail": "[email protected]",
"isCompleted": true,
"completedBy": "Acme",
"responseId": 1,
"dateSent": "2025-07-01T16:45:55.246Z",
"isManualUpload": false
}

Vendors

List Vendors

query Parameters

Create Vendor

Request Body schema: application/jsonrequired

Get Vendor Statistics

query Parameters

Get Vendor

path Parameters

query Parameters

Update Vendor

path Parameters

Request Body schema: application/jsonrequired

Remove Vendor

path Parameters

List Vendor Questionnaires

path Parameters

query Parameters

Send Questionnaire to Vendor

path Parameters

Request Body schema: application/jsonrequired

Get Vendor Questionnaire

path Parameters

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required