Vendor assessments API is now GA
GET /v1/vendors/{vendorId}/assessments and GET /v1/vendors/{vendorId}/assessments/{assessmentId} are now generally available. Both responses include the assessment-level owner (id, type, displayName, email), so you can attribute assessments to users or teams without a second lookup. See the Manage Vanta API reference.List deactivated controls
A newGET /v1/controls/deactivated-controls endpoint returns paginated deactivated controls with a dedicated, clearly named path. GET /v1/controls/controls-library will be deprecated in a future release — migrate to the new endpoint when you can. See the Manage Vanta API reference.Clearer webhook reference for information requests and evidence
The webhooks reference now covers the full partner-visible status set, lifecycle, and payload shape forv1.information-request.* events, and clarifies that evidence.created and evidence.deleted fire once per piece of evidence. The v1.evidence.status-changed example has been corrected to a real NOT_READY_FOR_AUDIT → READY_FOR_AUDIT transition; INITIALIZED is not emitted to partners as a creation signal.404 on writes to soft-deleted comments
The following endpoints now return404 when the target comment has already been soft-deleted, instead of 200 or 422:PATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}PATCH /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}DELETE /audits/{auditId}/information-requests/{informationRequestId}/comments/{commentId}
changedSinceDate now see a consistent not-found response for deleted comments. See the Audits API reference.Trust Center compliance frameworks
New endpoints let you manage the compliance frameworks shown on your Trust Center: list, create, update, and delete frameworks, plus upload a badge image for each framework. See the Manage Vanta API reference.Trust Center chatbot conversations
Two new endpoints let you read Trust Center chatbot activity:GET /trust-centers/{slugId}/chatbot/conversations lists conversations and GET /trust-centers/{slugId}/chatbot/conversations/{conversationId} returns the messages in a conversation. Useful for surfacing chatbot activity in your own analytics or support tooling.Bulk operations on Trust Center controls
New endpoints make it easier to manage Trust Center controls at scale:- Bulk add tags to Trust Center controls
- Bulk remove tags from Trust Center controls
- Bulk edit controls in a category
- Reorder controls within a Trust Center control category
- Reorder Trust Center control categories
More Trust Center customization endpoints
Additional endpoints round out Trust Center management:- List and set the data collected shown on your Trust Center
- Upload a Trust Center favicon
- Set Trust Center videos
- Send a Trust Center viewer invite reminder
- Full CRUD for Trust Center FAQ categories (add, update, delete)
Create data deletion requests
A newPOST /customer-trust/deletion-requests endpoint lets you create a data deletion request from your own systems — useful for automating privacy workflows triggered by your app.Issues API
Two new endpoints expose your Vanta issues:GET /issues lists issues and GET /issues/{issueId} returns a single issue. Use them to sync issues into your ticketing system or dashboards. See the Manage Vanta API reference.Control domain for webhooks
Webhook events now include a Control domain covering audit control comment events. Like the Information Request and Evidence domains, Control events are auditor-specific and are only delivered to Audit Partner accounts during an active audit engagement. See the Webhooks overview.Audit control comments API
Auditors can now create, update, and delete comments on a control during an audit:POST /audits/{auditId}/controls/{controlId}/commentsPATCH /audits/{auditId}/controls/{controlId}/comments/{commentId}DELETE /audits/{auditId}/controls/{controlId}/comments/{commentId}
GET list endpoint and are delivered only to Audit Partner accounts during an active audit engagement. See the Audits API reference.Audit integrations and organization endpoints
Three new read endpoints give auditors more context during an engagement:GET /audits/{auditId}/integrations— integrations connected for the auditGET /audits/{auditId}/organization/information— the audited organization’s informationGET /audits/{auditId}/organization/notifications— the organization’s notification settings
Assessment type and owner on security reviews
GET /v1/vendors/{vendorId}/security-reviews responses now include assessmentType and owner (id, type, displayName, email). owner is null when unassigned; email is populated for user owners and null for team owners.Audit duplication trail on information request history
Information request history activities now include two new fields:sourceInformationRequestId (the request this one was copied from) and sourceAuditId (the audit it was duplicated from). Both are populated only for audit-duplication activities and null otherwise. See the Audits API reference.New event log actions
The event log reference addsUNDELETE_PROGRAM_SEGMENT and REMOVE_DATA_SUBJECT_REQUEST_RELATIONSHIP_OPTION to the list of action types. PROVIDE_JUSTIFICATION_FOR_AUDIT_CONTROL_ASSESSMENT was removed.Integration category and tag enums renamed
On the audit integrations endpoint, two schemas were renamed to match how the fields are described in the API:AuditIntegrationCategory→AuditIntegrationTag(values likeACCESS,COMPUTERS)AuditIntegrationServiceCategory→AuditIntegrationCategory(values likeCLOUD_PROVIDER,HR_PROVIDER)
tagsMatchesAny and categoriesMatchesAny query parameters are unchanged. Update generated clients that reference the old schema names.Issue sort field values changed to camelCase
IssueSortField enum values on the Issues endpoints changed from DUE_DATE, CREATED_AT, DETECTED_AT, LAST_MODIFIED_AT, STATUS, SEVERITY to dueDate, createdDate, detectedDate, lastModifiedDate, status, severity. Update any clients that hardcoded the old values.Vendor accountManagerEmail max length reduced
The maxLength on the Vendor accountManagerEmail field was reduced from 2000 to 100 characters. Requests with longer values will be rejected.Issue detectedDate is now non-nullable
The detectedDate field on issue responses is no longer marked nullable in the OpenAPI spec. Every issue has a detected timestamp.Manage controls on risk scenarios
New endpoints let you link and manage controls on a risk scenario:GET /risk-scenarios/{riskScenarioId}/controls— list a scenario’s controlsPOST /risk-scenarios/{riskScenarioId}/controls— add a control to a scenarioPATCH /risk-scenarios/{riskScenarioId}/controls/{controlId}— change a control’scontrolTypeDELETE /risk-scenarios/{riskScenarioId}/controls/{controlId}— remove a control from a scenario
Trust Center resource categories
Five new endpoints let you organize Trust Center resources into categories: list, add, reorder, update, and delete. Use them to model the same category structure customers see in your Trust Center. See the Manage Vanta API reference.Update Trust Center viewers
A newPATCH /trust-centers/{slugId}/viewers/{viewerId} endpoint updates a viewer’s access on a Trust Center without removing and re-adding them.Trust Center FAQ category on responses
Trust Center FAQ endpoints now return the FAQ’scategory (id and name) so you can group FAQs in your own UI.Richer test snapshot evidence
The test-snapshot evidence detail endpoint now returns two new fields.apiRequests lists HTTP requests captured during API introspection tests. outOfScopeResources lists resources excluded at the test level (customer-disabled) and the framework level (segment configuration). See the Audits API reference.More filters on audit issues
GET /audits/{auditId}/issues/items now accepts createdAfterDate, createdBeforeDate, detectedAfterDate, and detectedBeforeDate query parameters, and orderBy now accepts detectedAt.Code changes date filter rename
ThestartDate and endDate query parameters on GET /audits/{auditId}/assets/code-changes were renamed to closedAfterDate and closedBeforeDate for consistency with other Auditor API endpoints. Update any clients that hardcoded the old names.More event log actions and targets
The event log reference now lists new action types covering Trust Center FAQ and resource categories, program segments, risk register updates, subscription renewals, in-app purchases, and Trust Center viewer reminders. It also adds three new target types:TRUST_CENTER_FAQ_CATEGORY, TRUST_CENTER_RESOURCE_CATEGORY, and QUESTIONNAIRE_AUTOMATION.Legacy Auditor API list endpoints
The following endpoints are deprecated and at end of life. They work for legacy audits only and do not support controlled audit view. They remain available for existing legacy audits for now, but will be removed once legacy audits are fully phased out — don’t build new integrations on them.GET /audits/{auditId}/monitored-computersGET /audits/{auditId}/peopleGET /audits/{auditId}/vendorsGET /audits/{auditId}/vulnerabilitiesGET /audits/{auditId}/vulnerability-remediationsGET /audits/{auditId}/vulnerable-assets
personnel/people for people, personnel/computers for monitored computers, and managed-vendors for vendors). These are not drop-in replacements: which endpoint you use depends on whether the audit is in controlled audit view.Code changes population for auditors
A newGET /audits/{auditId}/assets/code-changes endpoint returns the pull requests visible to auditors during an audit engagement. Each record includes the PR title, identifier, repository, source (GitHub, GitLab, Bitbucket, or Azure DevOps), and opened/closed dates. Supports search, source filtering, date-range filtering, and cursor pagination. See the Audits API reference.Event logs API
A newGET /event-logs endpoint lets you list audit events from your Vanta account, including the actor, date, and event type. Useful for streaming activity into your SIEM or building custom audit trails. See the Manage Vanta API reference.Audit issue snapshots
Two new endpoints surface the issues an auditor sees during an audit: list snapshotted issues and list audit snapshots. See the Audits API reference.Test snapshot evidence detail
A new endpoint returns rich detail for a single test-snapshot evidence row attached to an information request, including test metadata, integrations, SLA remediation policy, and the raw test data captured at snapshot time. See the Audits API reference.Trust Center categories on Knowledge Base resources
Knowledge Base resource endpoints now include acategoryId field, so you can read and set the Trust Center category a resource is filed under when creating or updating webpage and document resources. Pass null to keep a resource uncategorized. Only valid for REQUEST_ACCESS and PUBLIC resources.Identification date on risk scenarios
Risk scenario responses now includeidentificationDate, matching the “Identified Date” field in the Vanta UI. The value defaults to the scenario’s creation time when not explicitly set.Stricter validation for Knowledge Base webpage resources
Webpage resourcetitle now requires at least one character, and url is validated as a URI. Existing valid payloads are unaffected.