### GET /personnel/{personnelId} Source: https://gist.githubusercontent.com/japh-firmus/0d202ad047feb4678707e008794059fb/raw/0ff2f104318c3ef17c5a8a37acc2e85748870d1f/drata-api-v2-beta-openapi.json Get a single Personnel record. 🔒 Requires **Personnel: Get Personnel** permission. ```markdown ### Parameters - **expand[]** (array (PersonnelExpandEnum), query, optional): List of subcollections and sub-objects to expand - **personnelId** (union, path, required): An integer Personnel ID or User's email address prefixed with `email:` ### Responses #### 200 - Successful **PersonResponsePublicV2Dto** - **id** (number) (required): Personnel ID (example: 1) - **userId** (number) (required): User ID associated with this Personnel (example: 1) - **user** (object) - **id** (number) (required): User ID (example: 1) - **email** (string) (required): User email (example: "email@example.com") - **firstName** (string) (required): User first name (example: "Sally") - **lastName** (string) (required): User last name (example: "Smith") - **createdAt** (string (date-time)) (required): User created at (example: "2025-07-01T16:45:55.246Z") - **updatedAt** (string (date-time)) (required): User last updated at (example: "2025-07-01T16:45:55.246Z") - **employmentStatus** (string (CURRENT_EMPLOYEE|FORMER_EMPLOYEE|CURRENT_CONTRACTOR|FORMER_CONTRACTOR|OUT_OF_SCOPE|UNKNOWN|SPECIAL_FORMER_EMPLOYEE|SPECIAL_FORMER_CONTRACTOR|FUTURE_HIRE|SERVICE_ACCOUNT)) (required) ("CURRENT_EMPLOYEE"|"FORMER_EMPLOYEE"|"CURRENT_CONTRACTOR"|"FORMER_CONTRACTOR"|"OUT_OF_SCOPE"|"UNKNOWN"|"SPECIAL_FORMER_EMPLOYEE"|"SPECIAL_FORMER_CONTRACTOR"|"FUTURE_HIRE"|"SERVICE_ACCOUNT") - **notHumanReason** (string): Indicates why the employment status of this Personnel is marked as `OUT_OF_SCOPE`. (example: "This is not a real personnel, but a placeholder for anyone in charge of X") - **reasonProvider** (object) - **complianceChecks** (array (ComplianceCheckWithExclusionResponsePublicV2Dto)): Compliance checks for this Personnel, only returned when `expand[]=complianceChecks` is passed. Array items: - **id** (number) (required): Compliance Check ID (example: 1) - **type** (string (FULL_COMPLIANCE|ACCEPTED_POLICIES|IDENTITY_MFA|BG_CHECK|AGENT_INSTALLED|PASSWORD_MANAGER|HDD_ENCRYPTION|ANTIVIRUS|AUTO_UPDATES|LOCK_SCREEN|SECURITY_TRAINING|LOCATION_SERVICES|HIPAA_TRAINING|OFFBOARDING|NIST_AI_TRAINING)) (required) ("FULL_COMPLIANCE"|"ACCEPTED_POLICIES"|"IDENTITY_MFA"|"BG_CHECK"|"AGENT_INSTALLED"|"PASSWORD_MANAGER"|"HDD_ENCRYPTION"|"ANTIVIRUS"|"AUTO_UPDATES"|"LOCK_SCREEN"|"SECURITY_TRAINING"|"LOCATION_SERVICES"|"HIPAA_TRAINING"|"OFFBOARDING"|"NIST_AI_TRAINING") - **status** (string (MISCONFIGURED|PASS|FAIL|EXCLUDED)) (required) ("MISCONFIGURED"|"PASS"|"FAIL"|"EXCLUDED") - **checkFrequency** (string (ONCE|HOURLY|QID|DAILY|WEEKLY|BIWEEKLY|MONTHLY|QUARTERLY|YEARLY)) (required) ("ONCE"|"HOURLY"|"QID"|"DAILY"|"WEEKLY"|"BIWEEKLY"|"MONTHLY"|"QUARTERLY"|"YEARLY") - **expiresAt** (string (date-time)): The date when this Compliance Check expires - **lastCheckedAt** (string (date-time)): The date when this Compliance Check was last performed - **completionDate** (string (date-time)): The date when this Compliance Check was completed - **createdAt** (string (date-time)) (required): Compliance Check created date timestamp (example: "2023-01-01T00:00:00.000Z") - **updatedAt** (string (date-time)) (required): Compliance Check updated date timestamp (example: "2023-01-01T00:00:00.000Z") - **exclusion** (object) - **id** (number) (required): Compliance Check Exclusion ID (example: 1) - **reason** (string) (required): Reason for the Exclusion (example: "Employee is on extended leave") - **createdById** (number) (required): ID of the user who created the Exclusion (example: 1) - **createdByEmail** (string) (required): Email of the user who created the Exclusion (example: "user@company.com") - **createdAt** (string (date-time)) (required): Creation timestamp of the Exclusion (example: "2025-07-01T16:45:55.246Z") - **startDate** (string (date-time)) (required): Start date of the Exclusion (example: "2025-07-01T16:45:55.246Z") - **endDate** (string (date-time)) (required): End date of the Exclusion (example: "2025-07-01T16:45:55.246Z") - **startedAt** (string (date-time)) (required): The date when this Personnel was onboarded onto the company system (example: "2023-01-01T00:00:00.000Z") - **separatedAt** (string (date-time)): The date when this Personnel was separated from the company system (example: "2023-12-31T00:00:00.000Z") - **statusUpdatedAt** (string (date-time)) (required): The date when this Personnel was manually updated. If this value is set, changes in the IDP or HRIS will not be reflected in the employment status. - **createdAt** (string (date-time)) (required): Personnel created date timestamp (example: "2023-01-01T00:00:00.000Z") - **updatedAt** (string (date-time)) (required): Personnel updated date timestamp (example: "2023-01-01T00:00:00.000Z") - **customFields** (array (CustomFieldResponsePublicV2Dto)): Custom Fields. Only returned when `expand[]=customFields` is passed. 💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading. Array items: - **customFieldId** (number) (required): The ID of the Custom Field (example: 1) - **name** (string) (required): The name of the Custom Field (example: "Stakeholders") - **value** (string): The value of the Custom Field (example: "Security & IT") #### 400 - Malformed data and/or validation errors **ExceptionResponsePublicV2Dto** - **name** (string) (required) - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 401 - Invalid Authorization **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 403 - You are not allowed to perform this action **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 404 - Not Found **ExceptionResponsePublicV2Dto** - **name** (string) (required) - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 412 - You must accept the Drata terms and conditions to use the API **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 500 - Internal server error **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) ### Example Usage ```bash curl -X GET "https://public-api.drata.com/public/v2/personnel/{personnelId}?expand[]=item1,item2" ``` ``` -------------------------------- ### POST /vendors Source: https://gist.githubusercontent.com/japh-firmus/0d202ad047feb4678707e008794059fb/raw/0ff2f104318c3ef17c5a8a37acc2e85748870d1f/drata-api-v2-beta-openapi.json Create a new Vendor 🔒 Requires **Vendors: Create Vendor** permission. ```markdown ### Request Body **Content-Type:** application/json - **name** (string) (required): The name of the Vendor (example: "Acme") - **hasPii** (boolean): Indicates whether this Vendor stores any type of Personally Identifiable Information (PII) (example: true) - **passwordRequiresNumber** (boolean): Indicates whether a password requires numbers (example: true) - **passwordRequiresSymbol** (boolean): Indicates whether a password requires non-alpha-numeric characters (example: true) - **passwordMfaEnabled** (boolean): Indicates whether multi-factor authentication is enabled for this Vendor (example: true) - **passwordRequiresMinLength** (boolean): Indicates whether there is a minimum length requirement for password (example: true) - **isSubProcessor** (boolean): Indicates whether this Vendor is considered a subprocessor (example: false) - **isSubProcessorActive** (boolean): Indicates whether this subprocessor is active (example: false) - **category** (string (ENGINEERING|PRODUCT|MARKETING|CS|SALES|FINANCE|HR|ADMINISTRATIVE|SECURITY|LEGAL|INFORMATION_TECHNOLOGY|NONE)) ("ENGINEERING"|"PRODUCT"|"MARKETING"|"CS"|"SALES"|"FINANCE"|"HR"|"ADMINISTRATIVE"|"SECURITY"|"LEGAL"|"INFORMATION_TECHNOLOGY"|"NONE") - **risk** (string (NONE|LOW|MODERATE|HIGH)) ("NONE"|"LOW"|"MODERATE"|"HIGH") - **status** (string (PROSPECTIVE|ACTIVE|ARCHIVED|APPROVED|REJECTED|FLAGGED|ON_HOLD|OFFBOARDED|UNDER_REVIEW|NONE)) ("PROSPECTIVE"|"ACTIVE"|"ARCHIVED"|"APPROVED"|"REJECTED"|"FLAGGED"|"ON_HOLD"|"OFFBOARDED"|"UNDER_REVIEW"|"NONE") - **critical** (boolean): Indicates if the Vendor is considered critical (example: false) - **userId** (number): The user ID of the person responsible for Vendor compliance (example: 1) - **url** (string (uri)): Vendor URL (example: "https://acme.com") - **privacyUrl** (string (uri)): Vendor Privacy Policy URL (example: "https://acme.com/privacy") - **termsUrl** (string (uri)): Vendor Terms of Use URL (example: "https://acme.com/terms") - **servicesProvided** (string): Description of the services provided by the Vendor (example: "Perform security scans once a month") - **dataStored** (string): Description of the type of data the Vendor stores (example: "resulting reports of security scans") - **location** (string): Location where the Vendor services are provided (example: "San Diego") - **passwordPolicy** (string (USERNAME_PASSWORD|SSO|LDAP|NONE|NOT_APPLICABLE|SCIM|OTHER)) ("USERNAME_PASSWORD"|"SSO"|"LDAP"|"NONE"|"NOT_APPLICABLE"|"SCIM"|"OTHER") - **passwordMinLength** (number): Minimum character length required for a password (example: 8) - **contactAtVendor** (string): Name of the corresponding account manager for this Vendor (example: "John Doe") - **contactEmail** (string (email)): Email of the corresponding account manager for this Vendor (example: "jdoe@company.com") - **notes** (string): Additional notes for Vendor (example: "Meeting once a month to adjust contract") - **renewalDate** (string): Vendor renewal date (example: "2025-07-01T16:45:55.246Z") - **renewalScheduleType** (string (ONE_MONTH|TWO_MONTHS|THREE_MONTHS|SIX_MONTHS|ONE_YEAR|CUSTOM|NONE)) ("ONE_MONTH"|"TWO_MONTHS"|"THREE_MONTHS"|"SIX_MONTHS"|"ONE_YEAR"|"CUSTOM"|"NONE") - **confirmed** (boolean): Indicate if all Vendor data is confirmed (example: true) - **type** (string (VENDOR|SUPPLIER|CONTRACTOR|PARTNER|OTHER|NONE)) ("VENDOR"|"SUPPLIER"|"CONTRACTOR"|"PARTNER"|"OTHER"|"NONE") - **accountId** (string): Account Id (example: 36) - **operationalImpact** (string (NONE|LOW|NORMAL|IMPORTANT|CRITICAL)) ("NONE"|"LOW"|"NORMAL"|"IMPORTANT"|"CRITICAL") - **environmentAccess** (string (NO|READ_ONLY|READ_WRITE)) ("NO"|"READ_ONLY"|"READ_WRITE") - **impactLevel** (string (INSIGNIFICANT|MINOR|MODERATE|MAJOR|CRITICAL|UNSCORED)) ("INSIGNIFICANT"|"MINOR"|"MODERATE"|"MAJOR"|"CRITICAL"|"UNSCORED") - **dataAccessedOrProcessedList** (array (VendorDataAccessedOrProcessedEnum)): List of data accessed or processed enum type (example: ["FINANCIAL","GENERAL"]) - **integrations** (array (number)): List of vendor IDs (example: [1,2,3]) - **cost** (string): Annual Contract Value for the Vendor in Cents unit (example: "1088") - **customFields** (array (CustomFieldSubmitRequestPublicV2Dto)): Custom Fields for the Vendor. 💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading. Array items: - **id** (number): The ID of the Custom Field. Either this or the name must be provided. (example: 1) - **name** (string): The name of the Custom Field. Either this or the ID must be provided. (example: "Compliance Status") - **value** (string) (required): The value of the Custom Field. If a value of null is used, the value will be deleted. (example: "Security & IT") ### Responses #### 201 - Created **VendorResponsePublicV2Dto** - **id** (number) (required): Vendor ID (example: 1) - **name** (string) (required): The name of the Vendor (example: "Acme") - **category** (string (ENGINEERING|PRODUCT|MARKETING|CS|SALES|FINANCE|HR|ADMINISTRATIVE|SECURITY|LEGAL|INFORMATION_TECHNOLOGY|NONE)) (required) ("ENGINEERING"|"PRODUCT"|"MARKETING"|"CS"|"SALES"|"FINANCE"|"HR"|"ADMINISTRATIVE"|"SECURITY"|"LEGAL"|"INFORMATION_TECHNOLOGY"|"NONE") - **risk** (string (NONE|LOW|MODERATE|HIGH)) (required) ("NONE"|"LOW"|"MODERATE"|"HIGH") - **type** (string (VENDOR|SUPPLIER|CONTRACTOR|PARTNER|OTHER|NONE)) (required) ("VENDOR"|"SUPPLIER"|"CONTRACTOR"|"PARTNER"|"OTHER"|"NONE") - **critical** (boolean) (required): Indicates if the Vendor is considered critical (example: false) - **status** (string (PROSPECTIVE|ACTIVE|ARCHIVED|APPROVED|REJECTED|FLAGGED|ON_HOLD|OFFBOARDED|UNDER_REVIEW|NONE)) (required) ("PROSPECTIVE"|"ACTIVE"|"ARCHIVED"|"APPROVED"|"REJECTED"|"FLAGGED"|"ON_HOLD"|"OFFBOARDED"|"UNDER_REVIEW"|"NONE") - **location** (string) (required): Vendor location (example: "USA") - **url** (string) (required): Vendor URL (example: "https://acme.com") - **privacyUrl** (string) (required): Vendor Privacy Policy URL (example: "config.get('swagger.examples.url')/privacy") - **termsUrl** (string) (required): Vendor Terms of Use URL (example: "config.get('swagger.examples.url')/terms-of-service") - **trustCenterUrl** (string) (required): Vendor Trust Center URL (example: "https://trust.example.com") - **trustCenterProvider** (string (ANECDOTES|CONVEYOR|DRATA|HYPERCOMPLY|SAFEBASE|SCRUT|SECUREFRAME|SECURITYPAL|SKYPHER|SPRINTO|TRUSTARC|TRUSTCLOUD|VANTA|WHISTIC|ZENGRC)) (required) ("ANECDOTES"|"CONVEYOR"|"DRATA"|"HYPERCOMPLY"|"SAFEBASE"|"SCRUT"|"SECUREFRAME"|"SECURITYPAL"|"SKYPHER"|"SPRINTO"|"TRUSTARC"|"TRUSTCLOUD"|"VANTA"|"WHISTIC"|"ZENGRC") - **servicesProvided** (string) (required): Description of Vendor services (example: "Perform security scans once a month") - **dataStored** (string) (required): Type of data the Vendor stores (example: "Resulting reports of security scans") - **hasPii** (boolean) (required): Does this Vendor store any type of PII (example: true) - **passwordPolicy** (string (USERNAME_PASSWORD|SSO|LDAP|NONE|NOT_APPLICABLE|SCIM|OTHER)) (required) ("USERNAME_PASSWORD"|"SSO"|"LDAP"|"NONE"|"NOT_APPLICABLE"|"SCIM"|"OTHER") - **passwordRequiresMinLength** (boolean) (required): Indicates if there is a minimum length for user passwords (example: true) - **passwordMinLength** (number) (required): Minimum character length for a password (example: 8) - **passwordRequiresNumber** (boolean) (required): Indicates if a password requires numbers (example: true) - **passwordRequiresSymbol** (boolean) (required): Indicates if a password requires non-alpha-numeric characters (example: true) - **passwordMfaEnabled** (boolean) (required): Is multi-factor authentication enabled for this Vendor (example: true) - **contactAtVendor** (string) (required): The name of the corresponding account manager for this Vendor (example: "John Doe") - **contactsEmail** (string) (required): The email of the corresponding account manager for this Vendor (example: "jdoe@company.com") - **notes** (string) (required): Additional notes for Vendor (example: "Meeting once a month to adjust contract") - **logoUrl** (string) (required): Vendor logo URL (example: "https://cdn-prod.imgpilot.com/logo.png") - **createdAt** (string (date-time)) (required): Vendor created at date timestamp (example: "2025-07-01T16:45:55.246Z") - **updatedAt** (string (date-time)) (required): Vendor last updated at date timestamp (example: "2025-07-01T16:45:55.246Z") - **isSubProcessor** (boolean) (required): Is this Vendor a sub-processor? (example: false) - **isSubProcessorActive** (boolean) (required): Is this Vendor an active Sub-processor? (example: false) - **archivedAt** (string (date-time)) (required): Timestamp when the status of the Vendor changed (example: "2025-07-01T16:45:55.246Z") - **renewalDate** (string) (required): Vendor renewal date (example: "2020-07-06") - **renewalScheduleType** (string (ONE_MONTH|TWO_MONTHS|THREE_MONTHS|SIX_MONTHS|ONE_YEAR|CUSTOM|NONE)) (required) ("ONE_MONTH"|"TWO_MONTHS"|"THREE_MONTHS"|"SIX_MONTHS"|"ONE_YEAR"|"CUSTOM"|"NONE") - **renewalDateStatus** (string) (required): Vendor renewal status based on the proximity to the renewal due date (example: "COMPLETED") - **confirmedAt** (string (date-time)) (required): Timestamp when the Vendor details were confirmed (example: "2025-07-01T16:45:55.246Z") - **sharedAccountId** (string) (required): Shared account id (example: "aaaaaaaa-bbbb-0000-cccc-dddddddddddd") - **isDrataUser** (boolean) (required): Is the Vendor an user of Drata (example: false) - **events** (number) (required): The number of event notifications pending for the Vendor (example: 4) - **integrations** (array (VendorIntegrationResponsePublicDto)) (required): Vendor integrations list Array items: - **id** (number) (required): Vendor ID (example: 1) - **name** (string) (required): The name of a vendor (example: "Acme") - **cost** (string) (required): Annual Contract Value for the Vendor in cents unit (example: "1088") - **operationalImpact** (string (NONE|LOW|NORMAL|IMPORTANT|CRITICAL)) (required) ("NONE"|"LOW"|"NORMAL"|"IMPORTANT"|"CRITICAL") - **environmentAccess** (string (NO|READ_ONLY|READ_WRITE)) (required) ("NO"|"READ_ONLY"|"READ_WRITE") - **impactLevel** (string (INSIGNIFICANT|MINOR|MODERATE|MAJOR|CRITICAL|UNSCORED)) (required) ("INSIGNIFICANT"|"MINOR"|"MODERATE"|"MAJOR"|"CRITICAL"|"UNSCORED") - **dataAccessedOrProcessedList** (array (string)) (required): List of data accessed or processed - **user** (object) - **id** (number) (required): User ID (example: 1) - **email** (string) (required): User email (example: "email@example.com") - **firstName** (string) (required): User first name (example: "Sally") - **lastName** (string) (required): User last name (example: "Smith") - **createdAt** (string (date-time)) (required): User created at (example: "2025-07-01T16:45:55.246Z") - **updatedAt** (string (date-time)) (required): User last updated at (example: "2025-07-01T16:45:55.246Z") - **documents** (array (VendorDocumentResponsePublicV2Dto)): A list of Vendor documents, only returned when `expand[]=documents` is passed. Array items: - **id** (number) (required): Vendor document ID (example: 1) - **name** (string) (required): The name the file (example: "AWS SOC 2 2025") - **createdAt** (string (date-time)) (required): Vendor Document created at (example: "2025-07-01T16:45:55.246Z") - **updatedAt** (string (date-time)) (required): Vendor Document last updated at (example: "2025-07-01T16:45:55.246Z") - **type** (string (COMPLIANCE_REPORT|COMPLIANCE_REPORT_REVIEW|BRIDGE_LETTER|UPLOADED_COMPLIANCE_REPORT_REVIEW|QUESTIONNAIRE_ATTACHMENT|SOC_DOCUMENT|QUESTIONNAIRE_REPORT)) (required) ("COMPLIANCE_REPORT"|"COMPLIANCE_REPORT_REVIEW"|"BRIDGE_LETTER"|"UPLOADED_COMPLIANCE_REPORT_REVIEW"|"QUESTIONNAIRE_ATTACHMENT"|"SOC_DOCUMENT"|"QUESTIONNAIRE_REPORT") - **downloadUrl** (object) - **signedUrl** (string) (required): The short lived signed URL to link directly to the private file (example: "https://somedomain.com/filename.pdf?Signature=ABC123") - **fileBuffer** (object) (required): The file on buffer format. This only applies for txt files. (example: {"buffer":"RXhhbXBsZSB0ZXh0IGNvbnRlbnQ="}) - **lastQuestionnaire** (object) - **vendorId** (number) (required): Vendor ID of the Questionnaire (example: 1) - **sendAt** (string (date-time)) (required): Date when the Questionnaire was sent (example: "2025-07-01T16:45:55.246Z") - **sentEmail** (string) (required): The recipient email address of the Questionnaire (example: "jdoe@company.com") - **file** (string) (required): The file name of the Questionnaire (example: "questionnaire.pdf") - **respondedAt** (string (date-time)) (required): Date timestamp of the Questionnaire response (example: "2025-07-01T16:45:55.246Z") - **responseId** (number) (required): The response ID of the Questionnaire data file (example: 1) - **isManualUpload** (boolean) (required): Indicates if the Questionnaire was manually uploaded (example: true) - **completedBy** (string) (required): Questionnaire respondent (example: "Acme") - **latestSecurityReviews** (array (VendorSecurityReviewCompactResponsePublicV2Dto)): Latest Security Reviews, only returned when `expand[]=latestSecurityReviews` is passed. Array items: - **id** (number) (required): Vendor Security Review ID (example: 1) - **requestedAt** (string (date-time)) (required): Requested date - **reviewDeadlineAt** (string (date-time)) (required): Review deadline date - **decision** (string (PENDING|APPROVED|APPROVED_WITH_CONDITIONS|REJECTED)) (required) ("PENDING"|"APPROVED"|"APPROVED_WITH_CONDITIONS"|"REJECTED") - **note** (string) (required): Vendor Security Review note - **status** (string (NOT_YET_STARTED|IN_PROGRESS|COMPLETED|NOT_REQUIRED)) (required) ("NOT_YET_STARTED"|"IN_PROGRESS"|"COMPLETED"|"NOT_REQUIRED") - **type** (string (SECURITY|SOC_REPORT|UPLOAD_REPORT)) (required) ("SECURITY"|"SOC_REPORT"|"UPLOAD_REPORT") - **vendorRelationshipContact** (object) - **reviews** (array (VendorReviewResponsePublicDto)): Vendor Reviews, only returned when `expand[]=reviews` is passed. Array items: - **id** (number) (required): Vendor Review ID (example: 1) - **updatedAt** (string (date-time)) (required): Review last updated date (example: "2025-07-01T16:45:55.246Z") - **reviewer** (string) (required): Reviewer name (example: "John Doe") - **reviewDate** (string (date-time)) (required): Review date (example: "2025-07-01T16:45:55.246Z") - **reportIssueDate** (string (date-time)) (required): Report issue date (example: "2025-07-01T16:45:55.246Z") - **socReport** (string (SOC_1|SOC_2|SOC_3)) (required): SOC report type (example: "SOC_1") ("SOC_1"|"SOC_2"|"SOC_3") - **socReportType1** (boolean) (required): Flag that indicates the SOC report type applies to type 1 (example: true) - **socReportType2** (boolean) (required): Flag that indicates the SOC report type applies to type 2 (example: true) - **socType1StartDate** (string (date-time)) (required): Start date for SOC report type 1 (example: "2025-07-01T16:45:55.246Z") - **socType1EndDate** (string (date-time)) (required): End date for SOC report type 1 (example: "2025-07-01T16:45:55.246Z") - **socType2StartDate** (string (date-time)) (required): Start date for SOC report type 2 (example: "2025-07-01T16:45:55.246Z") - **socType2EndDate** (string (date-time)) (required): End date for SOC report type 2 (example: "2025-07-01T16:45:55.246Z") - **reportOpinion** (string (UNQUALIFIED|QUALIFIED|ADVERSE|DISCLAIMER)) (required): Vendor report opinion (example: "UNQUALIFIED") ("UNQUALIFIED"|"QUALIFIED"|"ADVERSE"|"DISCLAIMER") - **encompassBusinessNeeds** (boolean) (required): Do control objectives or trust principles encompass business needs? (example: true) - **followUpActivity** (string) (required): Follow up activity if report opinion is qualified (example: "User must proceed to...") - **hasMaterialImpact** (boolean) (required): Do the findings have any material impact on your control environment? (example: true) - **cpaFirm** (string) (required): CPA firm that performed the audit (example: "CPA firm name") - **cpaProcedurePerformed** (string) (required): Procedures Performed to Assess Reputation of CPA Firm (example: "The following procedures were performed...") - **subserviceOrganization** (string) (required): Subservice Organizations In Report (example: "Subservice Inc.") - **subserviceOrganizationUsingInclusiveMethod** (boolean) (required): Are Subservice Organizations Presented in the Report Using the Inclusive Method? (example: true) - **subserviceOrganizationProcedurePerformed** (string) (required): Procedures Performed to Assess Subservice Organizations (example: "The following procedures were performed...") - **trustServiceCategories** (array (VendorReviewTrustServiceCategoryMapResponsePublicDto)) (required): Procedures Performed to Assess Subservice Organizations Array items: - **id** (number) (required): Vendor review trust service category ID (example: 1) - **category** (number) (required): Vendor review trust service category (example: "AVAILABILITY") - **userControls** (array (VendorReviewUserControlResponsePublicDto)) (required): Procedures Performed to Assess Subservice Organizations Array items: - **id** (number) (required): Vendor review user control ID (example: 1) - **name** (string) (required): Vendor review user control name (example: "End User Control 1") - **inPlace** (boolean) (required): Vendor review user control in place (example: true) - **services** (array (VendorReviewServiceResponsePublicDto)) (required): Procedures Performed to Assess Subservice Organizations Array items: - **locations** (array (VendorReviewLocationResponsePublicDto)) (required): Procedures Performed to Assess Subservice Organizations Array items: - **id** (number) (required): Vendor review location ID (example: 1) - **city** (string) (required): Vendor review location city (example: "San Diego") - **stateCountry** (string) (required): Vendor review location state (example: "CA") - **findings** (array (VendorReviewFindingResponsePublicDto)) (required): Procedures Performed to Assess Subservice Organizations Array items: - **id** (number) (required): Vendor review finding ID (example: 1) - **description** (string) (required): Vendor review finding description (example: "Finding 1") - **customFields** (array (CustomFieldResponsePublicV2Dto)): Custom Fields, only returned when `expand[]=customFields` is passed. 💎 Requires your account have the Custom Fields and Formulas feature. Contact your CSM for help upgrading. Array items: - **customFieldId** (number) (required): The ID of the Custom Field (example: 1) - **name** (string) (required): The name of the Custom Field (example: "Stakeholders") - **value** (string): The value of the Custom Field (example: "Security & IT") #### 400 - Malformed data and/or validation errors **ExceptionResponsePublicV2Dto** - **name** (string) (required) - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 401 - Invalid Authorization **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 402 - You must upgrade your plan to use this feature **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 403 - You are not allowed to perform this action **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 412 - You must accept the Drata terms and conditions to use the API **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) #### 500 - Internal server error **ExceptionResponseDto** - **statusCode** (number) (required) - **message** (string) (required) - **code** (number) (required) - **debugInfo** (object) - **name** (string) (required) - **message** (string) (required) - **stack** (string) ### Example Usage ```bash curl -X POST "https://public-api.drata.com/public/v2/vendors" \ -H "Content-Type: application/json" \ -d '{ "name": "Acme", "hasPii": true, "passwordRequiresNumber": true, "passwordRequiresSymbol": true, "passwordMfaEnabled": true, "passwordRequiresMinLength": true, "isSubProcessor": false, "isSubProcessorActive": false, "category": "ENGINEERING", "risk": "MODERATE", "status": "UNDER_REVIEW", "critical": false, "userId": 1, "url": "https://acme.com", "privacyUrl": "https://acme.com/privacy", "termsUrl": "https://acme.com/terms", "servicesProvided": "Perform security scans once a month", "dataStored": "resulting reports of security scans", "location": "San Diego", "passwordPolicy": "USERNAME_PASSWORD", "passwordMinLength": 8, "contactAtVendor": "John Doe", "contactEmail": "jdoe@company.com", "notes": "Meeting once a month to adjust contract", "renewalDate": "2025-07-01T16:45:55.246Z", "renewalScheduleType": "ONE_YEAR", "confirmed": true, "type": "VENDOR", "accountId": 36, "operationalImpact": "IMPORTANT", "environmentAccess": "READ_ONLY", "impactLevel": "INSIGNIFICANT", "dataAccessedOrProcessedList": [ "FINANCIAL", "GENERAL" ], "integrations": [ 1, 2, 3 ], "cost": "1088", "customFields": [ "value" ] }' ``` ```