> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coverbase.com/llms.txt
> Use this file to discover all available pages before exploring further.
# End-to-end workflows
> Three full lifecycle walkthroughs showing every API and webhook touchpoint.
For AI agents: a documentation index is available at [https://docs.coverbase.com/llms.txt](https://docs.coverbase.com/llms.txt) — this page is also available in markdown by appending .md to the URL.
The walkthroughs below trace three full lifecycle workflows. These are illustrative templates configured per customer during onboarding — the step narration uses conceptual event names for readability. For the authoritative, case-sensitive list of subscribable events and the exact API request/response schemas, always defer to the [event catalog](/integrations/webhooks#event-catalog) and the [API reference](/api-reference/assessments).
Automatic delivery of domain events to subscribed webhook endpoints is not currently wired up in the platform — see the [Webhooks](/integrations/webhooks) page. The "Webhook fired" annotations below describe the intended orchestration, not a guaranteed delivery you can rely on today.
## Workflow A: Vendor onboarding
A new third-party request enters Coverbase from procurement, gets risk-classified, drives the appropriate assessment depth, and produces a decision artifact that flows back to procurement and contract management.
Source system: Ariba, or any procurement intake.
```http theme={null}
POST /v1/import/vendor-intake
```
```json theme={null}
{
"data": [{
"Name": "Acme Corporation",
"External Id": "ariba-req-7821",
"Website": "https://acmecorp.com",
"Status": "intake",
"Business Unit": "Engineering",
"Requested Use": "Customer support ticketing",
"Data Types": ["customer_pii"]
}]
}
```
**Trigger fired:** `vendor.created`.
The workflow inspects `Data Types`, `Requested Use`, and `Business Unit`. Conditions branch:
* If `customer_pii` is present and the vendor has SaaS hosting, route to the full security and privacy assessment path.
* If the engagement is a commodity, with no data access and no system integration, route to a lightweight financial and compliance check and skip directly to procurement approval.
This is a configured branch. The configuration itself is API-readable and API-modifiable.
**Action:** create assessment, send questionnaire to vendor contact.
**Webhook fired:** `evidence.requested`. Payload includes the vendor ID, assessment ID, and the contact email. Your GRC tool receives the webhook and creates a corresponding tracking record.
Vendor uploads SOC 2 and completes the questionnaire through the vendor portal.
**Webhook fired:** `evidence.received`.
**Action:** run Copilot against uploaded evidence. Copilot extracts control evidence from the SOC 2 and reconciles it against questionnaire responses. Evaluations are produced for each control.
**Webhook fired:** `assessment.completed` with score and findings count.
**Action:** each finding is created as an evaluation with status `flagged`. For findings above a configured severity, the workflow assigns a task to the internal risk owner.
**Webhook fired:** `evaluation.flagged`, one per finding. Your Jira instance receives webhooks and creates tickets.
A human reviewer in Coverbase approves the assessment, optionally with mitigations recorded. The vendor transitions from `intake` to `active`.
**Webhook fired:** `assessment.approved` and `vendor.status_changed`. The Ariba integration receives `vendor.status_changed` and unblocks the procurement record. Contract management receives the same event and starts contract drafting with risk context attached.
When the draft MSA is uploaded, either via UI, API, or pulled from your CLM through a separate integration, Contract Guardian runs automatically. Missing clauses, liability deviations, and AI usage provisions are surfaced.
**Webhook fired:** `contract.analyzed`. The redline summary is delivered to the legal team's inbox via the receiving webhook handler.
## Workflow B: Ongoing monitoring and reassessment
After a vendor is active, Coverbase runs continuous monitoring and triggers reassessment work when conditions warrant.
### Continuous monitoring with Supplier Radar
Supplier Radar ingests external signals such as breaches, sanctions, regulatory actions, and threat intelligence, and produces events scoped to specific vendors. When an event lands above a configured severity threshold:
* **Trigger fired:** `monitoring.event_detected`.
* Conditions branch on event type and vendor tier.
* For high-severity events on tier 1 vendors, action: create a targeted incident assessment, page the on-call risk owner, and send a webhook to PagerDuty.
**Webhook fired:** `workflow.checkpoint` with `checkpoint: "incident_response_initiated"`.
### Scheduled reassessment
A schedule trigger fires quarterly for tier 1 vendors and annually for tier 2 and 3.
```http theme={null}
POST /v1/assessments
```
```json theme={null}
{
"vendor_id": "cbvndr_...",
"control_set_ids": ["cbctst_..."],
"trigger_workflow": "scheduled-reassessment-flow"
}
```
Copilot runs delta detection against the prior assessment state and generates follow-up questions only for control areas that have changed.
### Contract renewal trigger
A schedule trigger fires 90 days before contract end date.
**Trigger fired:** `contract.renewal_due`. The workflow optionally launches a renewal-scoped reassessment and sends a webhook to your CLM to start renewal negotiation with current risk context.
## Workflow C: Vendor offboarding
When a relationship ends, Coverbase coordinates the offboarding sequence.
```http theme={null}
PATCH /v1/vendors/cbvndr_e448ba62882143f3ba0c140bb2e30162
```
```json theme={null}
{
"status_id": "cbsts_offboarding_7f8e9d0c"
}
```
**Trigger fired:** `vendor.status_changed`.
**Action:** create a termination assessment focused on data return, access revocation, and exit obligations from the contract. **Action:** send a structured offboarding questionnaire to the vendor covering data destruction certification, access termination confirmation, and return of materials.
**Webhook fired:** `evidence.requested`.
**Webhook fired:** `workflow.checkpoint` with `checkpoint: "internal_access_cleanup_required"`. Your IAM tool receives the event and revokes vendor user accounts, API keys, and SSO entitlements.
**Action:** archive vendor documents to long-term storage with retention metadata derived from the contract and applicable regulations.
**Webhook fired:** `workflow.checkpoint` with `checkpoint: "documents_archived"`.
When all offboarding tasks complete, the vendor transitions to `offboarded`.
**Webhook fired:** `vendor.status_changed`. Procurement and finance systems receive the event and close their respective records.
## Reference diagram
```
External Systems
─────────────────────────────────────────────────────────────────
Ariba · Icertis · ServiceNow · Jira · Slack · IAM · CLM · Warehouse
▼ Inbound API Webhooks ▲
Coverbase API
─────────────────────────────────────────────────────────────────
POST /v1/import/{report} Vendors, Assessments, Services
POST /v1/assessments Start assessment
POST /v1/workflows/{name}/run Invoke named workflow
PATCH /v1/vendors/{id} Lifecycle transitions
POST /v1/webhooks Register outbound endpoints
▼
Workflow Engine
─────────────────────────────────────────────────────────────────
Triggers ▶ Conditions ▶ Actions
Object events IRQ score Create assessment
Schedules Data class Send questionnaire
External calls Tier Run Copilot, Inspect, Guardian
Geography Transition state
Custom logic Fire webhook
▼
Primary Object Store
─────────────────────────────────────────────────────────────────
vendor · service · engagement · assessment · evaluation
document · contract · entity · control · control_set
All accessible via full CRUD API
```