Get all vendors
List vendors
Retrieve the full vendor register including criticality, DPA status, and DORA Article 28 fields.
GET
The list-vendors endpoint returns your full vendor register — feeding GDPR Article 28 transparency, DORA Article 28-30 ICT third-party risk, and ISO 27001 A.5.19 supplier inventory. Use it to drive procurement-side dashboards, due-diligence reports, or to mirror the register into a parent organization’s GRC tool.
Combine filters to slice the register narrowly:
Common use cases
- Article 28 register export — pull the full register for GDPR DPA submissions
- DORA Register of Information (ROI) — feed the ESAs’ XLSX submission format
- Concentration risk analysis — pipe the data into a custom analysis (e.g. counting how many critical functions depend on a single hyperscaler)
- Procurement integration — sync vendor records bidirectionally with Coupa / Ariba / etc.
Filtering
Common filters:

| Query parameter | Values | Use |
|---|---|---|
| criticality | critical / important / standard | DORA-style criticality slicing |
| processesPersonalData | true / false | GDPR Art. 28 register subset |
| ictService | true / false | DORA Art. 28 ICT-vendor subset |
| category | freeform string | Industry / category match |
| country | ISO 3166-1 alpha-2 | Filter by country of registration |
Pagination
Default perPage is 50, max 200. For organizations with hundreds of vendors, paginate with page and stop when meta.page === meta.totalPages.
DPA status
Each vendor record includes dpaStatus: signed / pending / not_required. Filter by dpaStatus=pending to surface vendors still missing DPAs — useful for an end-of-quarter DPA cleanup sweep.
Sub-processors
Sub-processors of each vendor (when collected via the Article 28 questionnaire) are returned in the subProcessors array. Each sub-processor entry includes name, country, and processing-purpose category.
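The pagination, DPA-status and sub-processor rules above, combined into one register review. This is an added example, not code from the API's own documentation. Assumptions: `fetch_page` is a hypothetical caller-supplied function that performs the authenticated GET, the response array is under a `data` key, each sub-processor entry has a `name` key, and the sample register is constructed.

```python
from collections import Counter

MAX_PER_PAGE = 200  # documented maximum for perPage

def iter_vendors(fetch_page, filters=None, per_page=MAX_PER_PAGE, max_pages=1000):
    """Yield every vendor matching `filters`, one page at a time.
    fetch_page(params) is a caller-supplied (hypothetical) function that sends
    the authenticated GET and returns the decoded JSON body. The "data" key is
    an assumption; meta.page and meta.totalPages are the documented fields.
    """
    params = {**(filters or {}), "perPage": max(1, min(per_page, MAX_PER_PAGE))}
    for page in range(1, max_pages + 1):
        body = fetch_page({**params, "page": page})
        yield from body.get("data", [])
        meta = body.get("meta", {})
        if meta.get("page", page) >= meta.get("totalPages", 0):
            return  # last page reached (or no totalPages reported)
    # Fail loudly: a silently truncated register makes a misleading export.
    raise RuntimeError("max_pages reached before meta.totalPages")

def review_register(vendors):
    """Return (ids lacking a signed DPA, sub-processor counts for critical vendors)."""
    dpa_gaps, concentration = [], Counter()
    for v in vendors:
        if v.get("processesPersonalData") and v.get("dpaStatus") == "pending":
            dpa_gaps.append(v["id"])
        if v.get("criticality") == "critical":
            # A set counts each sub-processor once per vendor.
            concentration.update({sp["name"] for sp in v.get("subProcessors", [])})
    return dpa_gaps, concentration

# Constructed sample register (not real data) and an offline stand-in transport.
SAMPLE = [
    {"id": "v1", "criticality": "critical", "processesPersonalData": True,
     "dpaStatus": "signed", "subProcessors": [{"name": "CloudCo"}]},
    {"id": "v2", "criticality": "critical", "processesPersonalData": True,
     "dpaStatus": "pending", "subProcessors": [{"name": "CloudCo"}, {"name": "MailCo"}]},
    {"id": "v3", "criticality": "standard", "processesPersonalData": True,
     "dpaStatus": "pending", "subProcessors": [{"name": "CloudCo"}]},
    {"id": "v4", "criticality": "critical", "processesPersonalData": False,
     "dpaStatus": "pending", "subProcessors": [{"name": "CloudCo"}]},
]

def fake_fetch_page(params):
    size, page = params["perPage"], params["page"]
    flt = {k: val for k, val in params.items() if k not in ("page", "perPage")}
    rows = [v for v in SAMPLE if all(v.get(k) == val for k, val in flt.items())]
    return {"data": rows[(page - 1) * size: page * size],
            "meta": {"page": page, "totalPages": max(1, -(-len(rows) // size))}}
```

Replace `fake_fetch_page` with a function that calls the real endpoint; a sub-processor that appears under many critical vendors is a concentration-risk candidate.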
Response shape
The interactive playground below renders the full schema. The fields most often consumed by external systems are:
- id, name, country, category
- criticality, ictService, processesPersonalData
- dpaStatus, dpaSignedAt, dpaUrl
- lastReviewedAt, nextReviewDue
- subProcessors[]: sub-processor disclosures
- transferMechanism: for non-EU vendors handling personal data
Authorizations
API key for authentication
Headers
Organization ID (required for session auth, optional for API key auth)