> ## Documentation Index
> Fetch the complete documentation index at: https://docs.matproof.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List vendors

> Retrieve the full vendor register including criticality, DPA status, and DORA Article 28 fields.

The list-vendors endpoint returns your full vendor register — feeding GDPR Article 28 transparency, DORA Article 28-30 ICT third-party risk, and ISO 27001 A.5.19 supplier inventory. Use it to drive procurement-side dashboards, due-diligence reports, or to mirror the register into a parent organization's GRC tool.

## Common use cases

* **Article 28 register export** — pull the full register for GDPR DPA submissions
* **DORA Register of Information (ROI)** — feed the ESAs' XLSX submission format
* **Concentration risk analysis** — pipe the data into a custom analysis (e.g. counting how many critical functions depend on a single hyperscaler)
* **Procurement integration** — sync vendor records bidirectionally with Coupa / Ariba / etc.

## Filtering

Common filters:

| Query parameter         | Values                                | Use                               |
| ----------------------- | ------------------------------------- | --------------------------------- |
| `criticality`           | `critical` / `important` / `standard` | DORA-style criticality slicing    |
| `processesPersonalData` | `true` / `false`                      | GDPR Art. 28 register subset      |
| `ictService`            | `true` / `false`                      | DORA Art. 28 ICT-vendor subset    |
| `category`              | freeform string                       | Industry / category match         |
| `country`               | ISO 3166-1 alpha-2                    | Filter by country of registration |

Combine filters to slice the register narrowly:

```bash theme={null}
# Critical ICT vendors that process personal data
curl "https://api.matproof.com/v1/vendors?criticality=critical&ictService=true&processesPersonalData=true" \
  -H "X-API-Key: ..."
```

## Pagination

Default `perPage` is 50, max 200. For organizations with hundreds of vendors, paginate with `page` and stop when `meta.page === meta.totalPages`.

## DPA status

Each vendor record includes `dpaStatus`: `signed` / `pending` / `not_required`. Filter by `dpaStatus=pending` to surface vendors still missing DPAs — useful for an end-of-quarter DPA cleanup sweep.

## Sub-processors

Sub-processors of each vendor (when collected via the [Article 28 questionnaire](/features/questionnaire-ai)) are returned in the `subProcessors` array. Each sub-processor entry includes name, country, and processing-purpose category.

## Response shape

The interactive playground below renders the full schema. The fields most often consumed by external systems are:

* `id`, `name`, `country`, `category`
* `criticality`, `ictService`, `processesPersonalData`
* `dpaStatus`, `dpaSignedAt`, `dpaUrl`
* `lastReviewedAt`, `nextReviewDue`
* `subProcessors[]` — sub-processor disclosures
* `transferMechanism` — for non-EU vendors handling personal data

For DORA Register of Information submissions, the dedicated **Export → DORA ROI** action in the Matproof UI produces the structured XLSX format ESAs accept — typically more direct than building it from this API yourself.


## OpenAPI

````yaml GET /v1/vendors
openapi: 3.0.0
info:
  title: API Documentation
  description: The API documentation for this application
  version: '1.0'
  contact: {}
servers:
  - url: http://localhost:3333
    description: Local API Server
  - url: https://api.matproof.com
    description: API Server
security: []
tags: []
paths:
  /v1/vendors:
    get:
      tags:
        - Vendors
      summary: Get all vendors
      description: >-
        Returns all vendors for the authenticated organization. Supports both
        API key authentication (X-API-Key header) and session authentication
        (cookies + X-Organization-Id header).
      operationId: VendorsController_getAllVendors_v1
      parameters:
        - name: X-Organization-Id
          in: header
          description: >-
            Organization ID (required for session auth, optional for API key
            auth)
          required: false
          schema:
            type: string
      responses:
        '200':
          description: Vendors retrieved successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                          description: Vendor ID
                          example: vnd_abc123def456
                        name:
                          type: string
                          description: Vendor name
                          example: CloudTech Solutions Inc.
                        description:
                          type: string
                          description: Vendor description
                          example: >-
                            Cloud infrastructure provider offering AWS-like
                            services
                        category:
                          type: string
                          enum:
                            - cloud
                            - infrastructure
                            - software_as_a_service
                            - finance
                            - marketing
                            - sales
                            - hr
                            - other
                          example: cloud
                        status:
                          type: string
                          enum:
                            - not_assessed
                            - in_progress
                            - assessed
                          example: not_assessed
                        inherentProbability:
                          type: string
                          enum:
                            - very_unlikely
                            - unlikely
                            - possible
                            - likely
                            - very_likely
                          example: possible
                        inherentImpact:
                          type: string
                          enum:
                            - insignificant
                            - minor
                            - moderate
                            - major
                            - severe
                          example: moderate
                        residualProbability:
                          type: string
                          enum:
                            - very_unlikely
                            - unlikely
                            - possible
                            - likely
                            - very_likely
                          example: unlikely
                        residualImpact:
                          type: string
                          enum:
                            - insignificant
                            - minor
                            - moderate
                            - major
                            - severe
                          example: minor
                        website:
                          type: string
                          nullable: true
                          example: https://www.cloudtechsolutions.com
                        assigneeId:
                          type: string
                          nullable: true
                          description: ID of the user assigned to manage this vendor
                          example: mem_abc123def456
                        createdAt:
                          type: string
                          format: date-time
                          description: When the vendor was created
                        updatedAt:
                          type: string
                          format: date-time
                          description: When the vendor was last updated
                  count:
                    type: number
                    description: Total number of vendors
                    example: 12
                  authType:
                    type: string
                    enum:
                      - api-key
                      - session
                    description: How the request was authenticated
                  authenticatedUser:
                    type: object
                    description: User information (only for session auth)
                    properties:
                      id:
                        type: string
                        example: usr_def456ghi789
                      email:
                        type: string
                        example: user@example.com
        '401':
          description: Unauthorized - Invalid authentication or insufficient permissions
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Invalid or expired API key
        '404':
          description: Organization not found
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Organization with ID org_abc123def456 not found
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
                    example: Internal server error
      security:
        - apikey: []
components:
  securitySchemes:
    apikey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for authentication

````