The Export API is the backbone for automating your third-party risk management program. It enables secure, direct retrieval of vendor profiles, risk assessments, control evaluations, and related compliance data.

What you can do

Replace spreadsheets

Swap manual spreadsheet tracking for live system data pulled directly from Coverbase.

Feed dashboards

Pipe vendor and assessment information into internal compliance dashboards.

Automate reporting

Generate regulatory reports by pulling structured control evaluations on a schedule.

Trigger workflows

Drive remediation in ServiceNow, Jira, or other internal tools when evaluations surface issues.

The API uses a RESTful design with a predictable URL structure and communicates entirely in JSON. All interactions are authenticated and encrypted.

Setup

The Export API requires you to first create a Report in the dashboard. A report defines the URL of the endpoint, the data it returns, and the field labels it uses on the way out. To configure the report, you first pick a base object that the report returns. When you call the API endpoint, it returns an array of JSON objects, each representing one instance of that base object.

Base objects

The following base objects are currently supported.

Vendor

Vendor records include metadata such as name, website, ownership, risk level, and tags.

Example: A supplier record for “Acme Corp, Payments API” might differ from “Acme Corp, Cloud Hosting” if both are used by different teams.

Assessment

An assessment is an analysis of a vendor’s documents, questionnaires, and contextual data against one or more control sets. Assessments are automatically populated, reviewed, and scored by Coverbase’s AI engine.

Example: Reviewing Acme Corp’s SOC 2 and CAIQ to determine whether they meet your encryption and access control expectations.

Evaluation

Assessments produce evaluations. Each evaluation is the result of analyzing a single control. There are as many evaluations as there are controls being assessed. Evaluations with weaknesses are considered issues. Each one carries context, evidence citations, and optional recommended mitigations.

Example: “Encryption control unmet, no evidence of data-at-rest encryption found in SOC 2.”

Control

An atomic requirement used to evaluate a supplier’s security, legal, or operational posture. Each control has an expectation, guidance, weight, and supporting evidence references.

Example: “Vendor must encrypt customer data at rest with AES-256 or stronger.”

Control set

A collection of controls representing a full evaluation standard. Control sets may include sections (such as “Data Security” or “Business Continuity”) and are versioned for auditability.

Example: A custom control set derived from your internal security questionnaire.