Skip to main content
These endpoints manage assessments — your organization’s review records — plus their evidence documents and audit log. All routes take an account-id and a vendor-list-id. Reads require viewer; writes require member or above. Base path prefix: /vendor-assessments.

Get assessments

GET /vendor-assessments?account-id={uuid}&vendor-list-id={listId}
Returns all saved assessments for the list. Add vendor-id, vendor-profile-id, or assessment-id to narrow the result.

Create or update an assessment

POST | PUT /vendor-assessments?account-id={uuid}&vendor-list-id={listId}
Upserts an assessment. Identify the vendor via query or body (vendor_id, vendor_profile_id, or vendor_name).
{
  "vendor_name": "1Password",
  "compliance_approval_status": "approved",
  "sponsor_business_department": "Cybersecurity",
  "sponsor_contact": "sponsor@yourco.com",
  "use_case": "Manage employee passwords",
  "data_collected": ["name", "phone"],
  "compliance_comment": "Reviewed SOC 2; approved."
}
Valid compliance_approval_status values: not-started, in-progress, on-hold, approved, conditional approval, rejected. For conditional approvals, include conditional_approval_condition.

Delete an assessment

DELETE /vendor-assessments?account-id={uuid}&assessment-id={id}
Deletes an assessment. assessment-id is preferred; vendor-id / vendor-profile-id are also supported.

Evidence documents

GET /vendor-assessments/documents
Lists documents attached to an assessment.
GET /vendor-assessments/documents/upload-url
Returns a presigned upload URL (member+). Upload the file directly, then it’s attached to the assessment.
GET /vendor-assessments/documents/download-url
Returns a presigned download URL for a document.
DELETE /vendor-assessments/documents?document-id={id}
Removes a document.

Audit log

GET /vendor-assessments/audit-log?assessment-id={id}&page={n}&limit={n}
Returns the approval audit for an assessment.
The response groups related field changes from a single save into one event (event_id, created_at, submitted_by, changes), giving you a clean, event-level history. A flattened logs list is also returned for compatibility.