Skip to main content
GET
/
v1
/
vendors
Get all vendors
curl --request GET \
  --url http://localhost:3333/v1/vendors \
  --header 'X-API-Key: <api-key>'
{
  "data": [
    {
      "id": "vnd_abc123def456",
      "name": "CloudTech Solutions Inc.",
      "description": "Cloud infrastructure provider offering AWS-like services",
      "category": "cloud",
      "status": "not_assessed",
      "inherentProbability": "possible",
      "inherentImpact": "moderate",
      "residualProbability": "unlikely",
      "residualImpact": "minor",
      "website": "https://www.cloudtechsolutions.com",
      "assigneeId": "mem_abc123def456",
      "createdAt": "2023-11-07T05:31:56Z",
      "updatedAt": "2023-11-07T05:31:56Z"
    }
  ],
  "count": 12,
  "authenticatedUser": {
    "id": "usr_def456ghi789",
    "email": "user@example.com"
  }
}

Documentation Index

Fetch the complete documentation index at: https://docs.matproof.com/llms.txt

Use this file to discover all available pages before exploring further.

The list-vendors endpoint returns your full vendor register — feeding GDPR Article 28 transparency, DORA Article 28-30 ICT third-party risk, and ISO 27001 A.5.19 supplier inventory. Use it to drive procurement-side dashboards, due-diligence reports, or to mirror the register into a parent organization’s GRC tool.

Common use cases

  • Article 28 register export — pull the full register for GDPR DPA submissions
  • DORA Register of Information (ROI) — feed the ESAs’ XLSX submission format
  • Concentration risk analysis — pipe the data into a custom analysis (e.g. counting how many critical functions depend on a single hyperscaler)
  • Procurement integration — sync vendor records bidirectionally with Coupa / Ariba / etc.

Filtering

Common filters:
Query parameterValuesUse
criticalitycritical / important / standardDORA-style criticality slicing
processesPersonalDatatrue / falseGDPR Art. 28 register subset
ictServicetrue / falseDORA Art. 28 ICT-vendor subset
categoryfreeform stringIndustry / category match
countryISO 3166-1 alpha-2Filter by country of registration
Combine filters to slice the register narrowly: 
# Critical ICT vendors that process personal data
curl "https://api.matproof.com/v1/vendors?criticality=critical&ictService=true&processesPersonalData=true" \
  -H "X-API-Key: ..."

Pagination

Default perPage is 50, max 200. For organizations with hundreds of vendors, paginate with page and stop when meta.page === meta.totalPages.

DPA status

Each vendor record includes dpaStatus: signed / pending / not_required. Filter by dpaStatus=pending to surface vendors still missing DPAs — useful for an end-of-quarter DPA cleanup sweep.

Sub-processors

Sub-processors of each vendor (when collected via the Article 28 questionnaire) are returned in the subProcessors array. Each sub-processor entry includes name, country, and processing-purpose category.

Response shape

The interactive playground below renders the full schema. The fields most often consumed by external systems are:
  • id, name, country, category
  • criticality, ictService, processesPersonalData
  • dpaStatus, dpaSignedAt, dpaUrl
  • lastReviewedAt, nextReviewDue
  • subProcessors[] — sub-processor disclosures
  • transferMechanism — for non-EU vendors handling personal data
For DORA Register of Information submissions, the dedicated Export → DORA ROI action in the Matproof UI produces the structured XLSX format ESAs accept — typically more direct than building it from this API yourself.

Authorizations

X-API-Key
string
header
required

API key for authentication

Headers

X-Organization-Id
string

Organization ID (required for session auth, optional for API key auth)

Response

Vendors retrieved successfully

data
object[]
count
number

Total number of vendors

Example:

12

authType
enum<string>

How the request was authenticated

Available options:
api-key,
session
authenticatedUser
object

User information (only for session auth)