
Compliance · Beta

Drata
API integration

Ship Compliance features without building the integration. Full Drata API access via Proxy, normalized data through Unified APIs, and 160+ MCP-ready tools for AI agents — all extensible to your exact use case.

Built for specific customer use cases. Issues are resolved quickly.


Use Cases

Why integrate with Drata

Common scenarios for SaaS companies building Drata integrations for their customers.

01

Automate User Access Reviews for SOC 2 Compliance

Identity governance and IAM platforms can pull Drata's user directory — including roles, identities, and compliance status — to orchestrate quarterly access reviews without manual CSV exports or screenshot gathering.

02

Sync Employee Compliance Status into Your Platform

HR, onboarding, or security awareness training tools can read user-level compliance data from Drata to surface which employees have completed background checks, signed policies, or finished required training — directly inside your product.

03

Surface Company-Wide Audit Readiness in Your Dashboard

GRC, risk management, or MSP platforms can pull company-level compliance posture from Drata so their users see a real-time snapshot of audit health alongside data from other tools, without switching contexts.

04

Flag Non-Compliant Users Across Connected Systems

Security platforms can fetch Drata's user list and cross-reference roles and identity data against actual infrastructure permissions, automatically identifying ghost accounts, over-permissioned users, or employees missing required compliance steps.

05

Enrich Incident Response with Personnel Context

SIEM and incident response tools can look up individual Drata users by ID to pull compliance context — role assignments, background check status, agreed terms — when investigating security events tied to specific employees.

What You Can Build

Ship these features with Truto + Drata

Concrete product features your team can ship faster by leveraging Truto’s Drata integration instead of building from scratch.

01

Compliance-Aware User Directory Sync

Continuously import Drata users with their roles, identities, and compliance metadata into your platform using the Unified User Directory API so your customers always have a current personnel view.

02

Automated Quarterly Access Review Reports

Pull all Drata users and their role assignments on a schedule, then generate access review reports that auditors can sign off on without manual data gathering.

03

Employee Compliance Status Widget

Embed a per-user compliance summary — background checks, document signatures, Drata terms agreement — directly in your product's employee profile pages by fetching individual users by ID.

04

Audit Readiness Dashboard Card

Display a company-level compliance health indicator sourced from Drata's company info endpoint, giving your users instant visibility into their organization's overall posture.

05

Non-Compliant Employee Alert Pipeline

Compare Drata's user list against your system's records to automatically flag and notify admins about employees who are missing required compliance steps like background checks or policy acknowledgments.

SuperAI

Drata AI agent tools

Comprehensive AI agent toolset with fine-grained control. Integrates with MCP clients like Cursor and Claude, or frameworks like LangChain.

list_all_drata_users

List Drata users matching optional filters. Returns: id, email, firstName, lastName, jobTitle, roles, avatarUrl, drataTermsAgreedAt, createdAt, backgroundChecks, documents, and identities per user record.

get_single_drata_user_by_id

Get the full detail of a single Drata user by id. Returns: id, email, firstName, lastName, jobTitle, roles, avatarUrl, drataTermsAgreedAt, createdAt, backgroundChecks, documents, and identities. Required: id.

list_all_drata_assets

List Drata assets by search terms and filters. Returns: id, name, assetType, assetProvider, owner, device, createdAt, updatedAt, externalId, customFields.

create_a_drata_asset

Manually add a new asset to the Drata account. Returns: id, name, description, assetType, assetProvider, owner, createdAt, customFields. Required: name, description, assetClassTypes, assetType, ownerId.

get_single_drata_asset_by_id

Get a single Drata asset by id. Returns: id, name, description, assetType, assetProvider, owner, device, createdAt, updatedAt, externalId, customFields. Required: id.

update_a_drata_asset_by_id

Update an existing Drata asset by id. Returns: id, name, description, assetType, assetProvider, owner, device, createdAt, updatedAt, customFields. Required: id.

delete_a_drata_asset_by_id

Remove a virtual or manually-added Drata asset by id. This is an unrecoverable operation. Returns an empty 204 response on success. Required: id.

list_all_drata_audits

List audits in a Drata workspace. Returns: id, frameworkType, auditType, isInternalAudit, status, startDate, endDate, completedAt, createdAt, updatedAt, auditors, and internalAuditors for each audit record. Required: workspace_id.

get_single_drata_audit_by_id

Get a single Drata audit by id. Returns: id, frameworkType, auditType, isInternalAudit, status, startDate, endDate, completedAt, createdAt, updatedAt, auditors, internalAuditors, and controls. Required: workspace_id, id.

list_all_drata_audit_requests

List audit requests in Drata for a given workspace and audit. Returns: id, code, title, description, status, auditId, createdAt, updatedAt, owners, and messages. Required: workspace_id, audit_id.

get_single_drata_audit_request_by_id

Get a single audit request in Drata by id. Returns: id, code, title, description, status, auditId, createdAt, updatedAt, owners, messages, and controls. Required: workspace_id, audit_id, id.

create_a_drata_background_check

Create a manual Background Check record in Drata and mark the user as compliant for Background Check requirements. Returns: id, employmentStatus, userId, email, createdAt, updatedAt. Required: userId, url, filedAt.

get_single_drata_company_by_id

Get the Drata company profile, including organization details, security configuration, training settings, and feature entitlements. Returns: accountId, domain, name, legalName, year, securityTraining, hipaaTraining, backgroundCheck, securityReport, agentEnabled, manualUploadEnabled, drataSupportAccess, entitlements, createdAt, and updatedAt.

list_all_drata_workspaces

List Drata workspaces representing different products or business lines with distinct compliance requirements. Returns: id, name, primary, description, createdAt, updatedAt, url, logo, howItWorks, and an optional frameworks array when expanded.

list_all_drata_control_library

List Drata Control Library templates with optional field and relational filters. Returns: id, code, controlNumber, name, description, question, activity, domain, category, inUse.

get_single_drata_control_library_by_id

Get a single Drata Control Library template by id, with optional expansion of related subcollections. Returns: id, code, controlNumber, name, description, question, activity, domain, category, inUse, testTemplates, policyTemplates, evidenceTemplates, requirementTemplates, controlsUsingTemplate. Required: id.

drata_control_library_import

Provision one or more Drata tenant Controls from Control Library templates with all-or-nothing semantics — any invalid input rejects the entire request with no writes. Returns: data (array of per-input provisioning results, each containing inputIndex, controlId, code, status, associations, and customFields). Required: data. Max 100 inputs per request spanning no more than 10 distinct workspaceIds.

list_all_drata_control_notes

List control notes in Drata for a given control, with optional filtering and sorting. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object when expanded. Required: workspace_id, control_id.

create_a_drata_control_note

Create a new control note in Drata for a given control. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object. Required: workspace_id, control_id, comment.

get_single_drata_control_note_by_id

Get a single Drata control note by id. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object when expanded. Required: workspace_id, control_id, id.

update_a_drata_control_note_by_id

Update the comment text of a Drata control note. Returns: id, ownerId, comment, createdAt, updatedAt, and an optional owner object. Required: workspace_id, control_id, id, comment.

delete_a_drata_control_note_by_id

Delete a Drata control note by id. Returns an empty 200 response on success. Required: workspace_id, control_id, id.

list_all_drata_control_owners

List control owners for a Drata control. Returns: id, email, firstName, lastName, createdAt, updatedAt. Required: workspace_id, control_id.

create_a_drata_control_owner

Add a control owner to a Drata control. Returns: id, email, firstName, lastName, createdAt, updatedAt. Required: workspace_id, control_id, ownerId.

drata_control_owners_modify

Modify all owners for a Drata control, replacing the entire owner set with the provided user IDs. Returns: ownerIds. Required: workspace_id, control_id, ownerUserIds.

delete_a_drata_control_owner_by_id

Delete a control owner from a Drata control by id. Returns: data (remaining owner records), pagination. Required: workspace_id, control_id, id.

list_all_drata_controls

List Drata controls in a workspace matching the provided filters. Returns: id, name, code, slug, description, activity, frameworkTags, flags, owners, requirements, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id.

create_a_drata_control

Create a new custom Drata control in a workspace. Returns: id, name, code, slug, description, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, name, description, code.

get_single_drata_control_by_id

Get all information for a specific Drata control by id. Returns: id, name, code, slug, description, question, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, id.

update_a_drata_control_by_id

Update an existing Drata control by id. Returns: id, name, code, slug, description, question, activity, frameworkTags, flags, owners, requirements, customFields, testIds, evidenceIds, createdAt, updatedAt. Required: workspace_id, id.

drata_controls_list_requirements

List compliance requirements mapped to a specific Drata control. Returns: id, name, description, frameworkName, frameworkTag, frameworkSlug, createdAt, updatedAt, longDescription, rationale, additionalInfo, archivedAt. Required: workspace_id, control_id.

drata_controls_reset_requirement_mappings

Reset multiple Drata controls to their original requirement mappings from control templates. Returns: results array with controlId, success, and error for each control reset attempt. Custom controls cannot be reset. Required: workspace_id, controlIds. Max 100 control IDs per request.

drata_controls_perform_action

Perform an action on a Drata control — markOutOfScope archives it and markInScope restores it. Returns the updated control object including id, name, code, slug, archivedAt, rationale, flags, owners, requirements, and evidenceIds. Returns 204 with no body when the control is already in the requested state. Required: workspace_id, control_id, action.

drata_controls_compare_requirements

Compare requirements for multiple Drata controls between tenant mappings and global template mappings. Returns: controlId, alignedRequirements, userMappedRequirements, and templateMappedRequirements per control. Required: workspace_id, controlIds[]. Max 300 control IDs per request.

list_all_drata_custom_connections

List Drata custom connections matching optional filters. Returns: id, clientAlias, providerTypes, createdAt, updatedAt, createdById per connection. Use expand[] to include createdByUser and customResources sub-objects.

create_a_drata_custom_connection

Create a new Drata custom connection. Returns: id, clientAlias, providerTypes, createdAt, updatedAt, createdById, customResources, createdByUser. Required: name, providerTypes. CUSTOM connections also require schema or sampleData, and displayNameKey.

get_single_drata_custom_connection_by_id

Get a single Drata custom connection by id. Returns: id, clientAlias, description, providerTypes, createdAt, updatedAt, createdById. Use expand[] to include createdByUser and customResources sub-objects. Required: id.

update_a_drata_custom_connection_by_id

Update the alias or description of an existing Drata custom connection. Returns: id, clientAlias, description, providerTypes, createdAt, updatedAt, createdById. Required: id.

delete_a_drata_custom_connection_by_id

Delete a Drata custom connection by id. Returns an empty 204 response on success. Required: id.

list_all_drata_custom_data_records

List Custom Data Records for a Drata Custom Connection resource matching the provided filters. Returns: id, attributes (resource-specific fields), sessionId, createdAt, updatedAt. Required: connection_id, resource_id.

drata_custom_data_records_upsert

Create or update Custom Data records for a Drata Custom Connection resource. Accepts a single object or an array of objects; records with matching IDs are updated and new records are created. Returns: id, statusCode, createdAt, updatedAt, and data. Required: connection_id, resource_id, data.

drata_custom_data_records_list_sessions

List Custom Data Sessions for a Drata Custom Connection resource with optional filtering by status. Returns: id, sessionId, status, createdAt, updatedAt, activatedAt, canceledAt. Required: connection_id, resource_id.

drata_custom_data_records_upsert_session

Insert or update Custom Data records in batches for a specific session in Drata. Records remain inactive until the session is completed via the session action endpoint. Returns: id, statusCode, createdAt, updatedAt, and data. Required: connection_id, resource_id, id, data.

drata_custom_data_records_perform_session_action

Perform an action on a Custom Data record session in Drata. Use `complete` to activate all session data and permanently delete records outside the session, or `cancel` to discard the session's data. Returns: sessionId, status, action, connectionId, resourceId. Required: connection_id, resource_id, session_id, action.

update_a_drata_custom_data_record_by_id

Update an existing Custom Data record in Drata by ID. Returns: id, attributes, sessionId, createdAt, updatedAt. Required: connection_id, resource_id, id, data.

delete_a_drata_custom_data_record_by_id

Delete a Custom Data record in Drata by ID. Returns an empty 204 response on success. Required: connection_id, resource_id, id.

list_all_drata_device_documents

List device compliance documents in Drata for a given device. Returns: id, type, name, fileUrl, createdAt, updatedAt for each document. Required: device_id.

drata_device_documents_upload

Upload a new device compliance document to Drata for a given device as multipart form data. Returns: id, type, name, fileUrl, createdAt, updatedAt. Required: device_id, type.

get_single_drata_device_document_by_id

Get a single device compliance document in Drata by id. Returns: id, type, name, fileUrl, createdAt, updatedAt. Required: device_id, id.

delete_a_drata_device_document_by_id

Delete a device compliance document in Drata by id. Returns an empty 200 response on success. Required: device_id, id.

list_all_drata_devices

List all Drata devices. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Optionally filter by externalId, macAddress, serialNumber, sourceType, or personnelId.

drata_devices_list_for_personnel

List Drata devices assigned to a specific personnel member. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Required: personnel_id.

get_single_drata_device_by_id

Get a single Drata device by id. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, antivirusEnabled, encryptionEnabled, firewallEnabled, screenLockTime, complianceChecks, asset, apps, personnelId, and externalId. Required: id.

drata_devices_list_for_connection

List Drata devices for a specific custom connection. Returns: id, serialNumber, model, macAddress, sourceType, isDeviceCompliant, createdAt, antivirusEnabled, encryptionEnabled, firewallEnabled, and associated asset and compliance data. Required: connection_id.

drata_devices_list_apps

List apps installed on a specific Drata device. Returns: id, installedApp. Required: device_id.

drata_devices_upsert

Create or update a device for a Drata custom connection; matches an existing device by serialNumber, macAddress, or externalId and updates it if found, otherwise creates a new one. Returns: id, serialNumber, model, osVersion, isDeviceCompliant, antivirusEnabled, encryptionEnabled, firewallEnabled, createdAt, asset. Required: connection_id, personnelId, platformName, platformVersion.

delete_a_drata_device_by_id

Delete a device from a Drata custom connection by id. Returns an empty 204 response on success. Required: connection_id, id.

list_all_drata_events

List Drata events matching the provided filters. Returns: id, type, category, source, description, status, createdAt, userId, connectionId, requestDescription, testName, and testId per event. Optionally filter by type, category, source, workspaceId, userId, connectionId, createdAtStartDate, or createdAtEndDate.

get_single_drata_event_by_id

Get details for a single Drata event by id. Returns: id, type, category, source, description, status, createdAt, userId, connectionId, requestDescription, testName, testId, metadata, user, connection, and issues. Required: id.

drata_events_create_download_job

Create an asynchronous PDF download job for a Drata event. Returns: jobId, status, result, createdAt, completedAt, and errorMessage. Poll the get_download_job method with the returned jobId to check progress and retrieve the download URL. Required: event_id.

drata_events_get_download_job

Retrieve the status and result of a Drata event PDF download job. Returns: jobId, status, result, createdAt, completedAt, and errorMessage. Check result for the pre-signed download URL once status indicates completion. Required: event_id, id.

list_all_drata_evidence_library

List evidence library items in Drata, with optional filters by name and status. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id.

create_a_drata_evidence_library

Create a new evidence library item in Drata. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, versions, renewalSchema, controls. Required: workspace_id, name. When attaching an artifact source (file, base64File, url, or ticketUrl), filedAt, renewalScheduleType, and ownerId are also required.

get_single_drata_evidence_library_by_id

Get a specific evidence library item by ID in Drata. Returns: id, name, description, implementationGuidance, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id, id.

update_a_drata_evidence_library_by_id

Update an existing evidence library item in Drata. Returns: id, name, description, evidenceTemplateCode, createdAt, updatedAt, user, versions, renewalSchema, controls. Required: workspace_id, id. When adding a new artifact source (file, base64File, url, or ticketUrl), filedAt and renewalScheduleType are also required.

delete_a_drata_evidence_library_by_id

Delete an evidence library item by ID in Drata. Returns an empty 204 response on success. Required: workspace_id, id.

drata_evidence_library_get_version

Get a specific version of a Drata Evidence Library item by version ID. Returns: id, name, version, current, filedAt, createdAt, updatedAt, and optionally downloadUrl when expanded. Required: workspace_id, evidence_library_id, id.

list_all_drata_frameworks

List Frameworks in a Drata workspace matching optional filters. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id.

create_a_drata_framework

Create a new custom compliance Framework in a Drata workspace. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id, name, shortName, description.

update_a_drata_framework_by_id

Update an existing custom compliance Framework in a Drata workspace. Returns: id, name, description, slug, tag, pill, isReady, isEnabled, numInScopeControls, numInScopeRequirements, numReadyInScopeRequirements, color, bgColor, activeLogo, inactiveLogo, createdAt, updatedAt. Required: workspace_id, id.

drata_framework_requirements_list_legacy

(Deprecated) List Drata framework requirements across all frameworks matching provided filters. Returns: id, name, description, frameworkName, frameworkTag, category, createdAt, updatedAt. Required: workspace_id. Prefer the list method instead.

drata_framework_requirements_update_legacy

(Deprecated) Update custom field values on a Drata framework requirement. Returns: id, name, description, frameworkName, frameworkTag, category, createdAt, updatedAt, customFields. Required: workspace_id, id. Prefer the update method which also supports structural-field changes.

list_all_drata_framework_requirements

List requirements scoped to a specific framework in Drata. Returns: id, code, name, description, category, createdAt, updatedAt. Required: workspace_id, framework_id.

create_a_drata_framework_requirement

Create or update one or more requirements on a custom Drata framework. Returns: data (array of created requirements each with id, code, name, description, category, createdAt, updatedAt). Required: workspace_id, framework_id, data. Duplicate codes or unknown control IDs fail the entire batch.

update_a_drata_framework_requirement_by_id

Update a custom Drata framework requirement including core fields, control mappings, and custom field values. Returns: id, code, name, description, category, controls, createdAt, updatedAt. Required: workspace_id, framework_id, id.

list_all_drata_hris_user_identities

List all active HRIS user identities for a Drata custom HRIS connection. Returns: id, identityId, email, firstName, lastName, jobTitle, managerId, managerName, startedAt, separatedAt, isContractor, createdAt, updatedAt. Required: connection_id.

drata_hris_user_identities_upsert

Create or update one or more HRIS user identities in a Drata custom HRIS connection. Each record is keyed by identityId — existing records are updated, new ones are created; partial updates are supported. Returns an array of per-item results including statusCode, data (id, identityId, email, firstName, isContractor, createdAt, updatedAt), and error. Required: connection_id, identityId (per item). Accepts 1–1000 items per batch.

get_single_drata_hris_user_identity_by_id

Get a single HRIS user identity from a Drata custom HRIS connection by id. Returns: id, identityId, email, firstName, lastName, jobTitle, managerId, managerName, startedAt, separatedAt, isContractor, createdAt, updatedAt. Required: connection_id, id.

delete_a_drata_hris_user_identity_by_id

Soft-delete a Drata HRIS user identity by id. Intended for records submitted in error (e.g. test data or duplicates), not for offboarding — use the upsert endpoint with separatedAt to reflect an employee departure. Returns an empty 204 response on success. Required: connection_id, id.

list_all_drata_monitoring_tests

List Drata monitoring tests within a workspace, optionally filtered by result status, system status, check type, or test source. Returns: id, name, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince. Required: workspace_id.

get_single_drata_monitoring_test_by_id

Get a specific Drata monitoring test by its workspace-scoped testId. Returns: id, name, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince, monitorInstances, controls. Required: workspace_id, id (pass the testId value from the list response, not the internal id field).

update_a_drata_monitoring_test_by_id

Update a Drata monitoring test's name, description, and/or enabled state. Returns: id, name, description, checkResultStatus, checkStatus, testSource, testId, createdAt, updatedAt, lastPassedAt, failedSince, monitorInstances, controls. Required: workspace_id, id (pass the testId value from the list response, not the internal id field).

drata_monitoring_tests_list_exclusions

List exclusions for a specific Drata monitoring test. Returns: id, targetId, targetName, exclusionReason, createdAt, updatedAt, connection, exclusionDesignator. Required: workspace_id, test_id.

drata_monitoring_tests_list_failures

List resources currently failing a specific Drata monitoring test; manually excluded failures are omitted by default unless includeExclusions is set to true. Returns: id, providerName, resourceName, accountName, clientId, resourceArn, organizationalUnitId, region, tags, cause. Required: workspace_id, test_id.

drata_monitoring_tests_list_passes

List resources currently passing a specific Monitoring Test in Drata. Returns an empty page for tests that do not emit passing-resource data. Returns: id, providerName, resourceName, accountName, clientId, resourceArn, organizationalUnitId, region, tags, cause. Required: workspace_id, test_id.

list_all_drata_personnel

List Drata personnel records with optional filtering by employmentStatus and complianceStatus. Returns: id, userId, employmentStatus, startedAt, separatedAt, createdAt, updatedAt, user, complianceChecks, and customFields per record.

get_single_drata_personnel_by_id

Get a single Drata personnel record by id. Returns: id, userId, employmentStatus, startedAt, separatedAt, statusUpdatedAt, createdAt, updatedAt, user, reasonProvider, complianceChecks, and customFields. Required: id.

update_a_drata_personnel_by_id

Update a single Drata personnel record by id. Returns the updated record including id, userId, employmentStatus, startedAt, separatedAt, statusUpdatedAt, createdAt, updatedAt, user, reasonProvider, complianceChecks, and customFields. Required: id. Manually updated fields no longer receive automatic IdP/HRIS sync.

drata_personnel_perform_action

Perform a sync-reset action on Drata personnel records. Use reset-sync for specific personnel IDs or reset-sync-all to reset all personnel. Returns: count of affected records. Required: action.

list_all_drata_policies

List published Drata policies matching the provided filters. Returns: id, name, status, createdAt, renewalDate, version, subVersion, owner, and groups.

create_a_drata_policy

Create a new Drata policy with an initial draft version using file upload (UPLOADED) or an existing external file reference (EXTERNAL). Returns: id, name, status, ownerId, renewalDate, createdAt, and latestVersion. Required: name, ownerId, sourceType, renewalDate, description.

get_single_drata_policy_by_id

Get a specific published Drata policy by id. Returns: id, name, status, description, createdAt, renewalDate, publishedAt, approvedAt, version, owner, groups, and controls. Required: id.

update_a_drata_policy_by_id

Modify an existing Drata policy by id. Returns: id, name, description, status, createdAt, renewalDate, publishedAt, approvedAt, owner, groups, and controls. Required: id.

drata_policies_assign_owner

Assign an owner to a Drata policy by policy_id. Returns an empty 204 response on success. Required: policy_id, userId.

drata_policies_get_approval_configuration

Get the approval configuration for a specific policy in Drata. Returns: reviewGroups, each containing name, tier, consensusRule, timeline, and approvers. Required: policy_id.

drata_policies_add_approval_configuration

Append a new review group tier to the end of a policy's approval sequence in Drata. Returns: name, tier, consensusRule, timeline, approvers. Required: policy_id, name, userIds, consensusRule, timeline. Maximum of 6 tiers per policy.

drata_policies_update_approval_configuration

Update a single review group tier by its 1-based tier position within a policy's approval sequence in Drata. Other tiers are not affected. Returns: name, tier, consensusRule, timeline, approvers. Required: policy_id, id, name, userIds, consensusRule, timeline.

drata_policies_remove_approval_configuration

Remove a single review group tier by its 1-based tier position from a policy's approval sequence in Drata. Remaining tiers are renumbered to stay contiguous. Returns an empty 204 response on success. Required: policy_id, id.

drata_policies_list_actions

List available actions the authenticated user can perform on a specific policy in Drata based on its current state. Returns: action, label, description, payloadSchema. Required: policy_id.

drata_policies_perform_action

Execute an action on a Drata policy such as submit for approval, approve, request changes, override approve, publish, discard, or reset to template. Returns: success, newStatus, message. Required: policy_id, action.

drata_policies_list_versions

List policy versions for a specific Drata policy with optional filters by status, version number, and current flag. Returns: id, policyVersionStatus, version, current, createdAt, renewalDate, subVersion, updatedAt, policy, requiresAcknowledgment. Required: policy_id.

drata_policies_get_version

Get a specific Drata policy version by its ID with optional expansion of owner, SLA configurations, and download URLs. Returns: id, policyVersionStatus, version, current, createdAt, updatedAt, renewalDate, subVersion, type, policy, requiresAcknowledgment. Required: policy_id, id.

list_all_drata_risk_documents

List all documents associated with a specific risk in Drata. Returns: id, name, downloadUrl, createdAt. Required: risk_register_id, risk_id.

drata_risk_documents_upload

Upload one or more documents for a specific risk in Drata. Returns a documents array where each entry includes id, name, downloadUrl, and createdAt. Required: risk_register_id, risk_id, files. Max 10 files, 25MB each.

get_single_drata_risk_document_by_id

Get a specific risk document in Drata by its ID. Returns: id, name, downloadUrl, createdAt. Required: risk_register_id, risk_id, id.

delete_a_drata_risk_document_by_id

Delete a specific risk document in Drata by its ID. Returns an empty 204 response on success. Required: risk_register_id, risk_id, id.

list_all_drata_risk_library

List risk library items within a Drata risk register, filterable by riskId, title, or description. Returns: id, riskId, title, description, controls, and categories per item. Required: risk_register_id.

get_single_drata_risk_library_by_id

Get a single Drata risk library item by id within a risk register. Returns: id, riskId, title, description, controls, and categories. Required: risk_register_id, id.

drata_risk_library_copy_to_register

Copy risk library items from the Drata risk library to a risk register by specific IDs or predefined groups. Returns data containing an array of copied risk items with id, riskId, title, description, and registerId per record. Required: bulkActionType, riskIds, riskGroups, registerId.

list_all_drata_risk_notes

List risk notes for a specific risk in Drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id.

create_a_drata_risk_note

Create a new note for a specific risk in drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, comment.

get_single_drata_risk_note_by_id

Get a single risk note by id for a specific risk in drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, id.

update_a_drata_risk_note_by_id

Update a specific risk note by id in drata. Returns: id, comment, createdAt, updatedAt, owner. Required: risk_register_id, risk_id, id, comment.

delete_a_drata_risk_note_by_id

Delete a specific risk note by id in drata. Returns an empty 204 response on success. Required: risk_register_id, risk_id, id.

list_all_drata_risk_registers

List all drata Risk Registers associated with the account. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Supports filtering by name, ownerIds, and workspaceIds, and expanding the workspaces sub-object.

create_a_drata_risk_register

Create a new drata Risk Register. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: name.

get_single_drata_risk_register_by_id

Get a single drata Risk Register by id. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: id.

update_a_drata_risk_register_by_id

Update a drata Risk Register by id. Returns: id, name, description, owners, workspaces, createdAt, updatedAt. Required: id.

delete_a_drata_risk_register_by_id

Delete a drata Risk Register by id. Returns an empty 204 response on success. Required: id.

list_all_drata_risks

List risks in a drata Risk Register matching optional filters. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt; expanded sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, customFields) available via expand[]. Required: risk_register_id.

create_a_drata_risk

Create a new custom risk in a drata Risk Register. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, riskRegister, and associated sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, customFields). Required: risk_register_id, title, description.

get_single_drata_risk_by_id

Get detail for a single drata risk by id. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, controls, categories, owners, reviewers, documents, notes, tickets, tasks, riskRegister, and customFields. Required: risk_register_id, id.

update_a_drata_risk_by_id

Update an existing risk in a drata Risk Register by id. Returns: id, riskId, title, status, treatmentPlan, impact, likelihood, score, residualScore, createdAt, updatedAt, and associated sub-collections (controls, categories, owners, reviewers, documents, notes, tickets, tasks, riskRegister, customFields). Required: risk_register_id, id.

drata_risks_get_insights

Retrieve comprehensive analytics for a drata Risk Register including posture distribution, treatment overview, heatmap, and historical trends. Returns: riskPosture, treatmentOverview, riskHeatmap, categoryBreakdown, scored, remaining, riskOverTime. Required: risk_register_id. Requires Risk Management Pro.

list_all_drata_tasks

List Drata tasks in a workspace matching the provided filters. Returns: id, title, status, taskType, dueDate, assigneeId, createdAt, updatedAt, controls, risks, policies. Required: workspace_id.

create_a_drata_task

Create a new Drata task in a workspace. Returns the created task including id, title, status, taskType, dueDate, assigneeId, createdById, createdAt, updatedAt, controls, risks, and policies. Required: workspace_id, title, dueDate.

get_single_drata_task_by_id

Get details for a specific Drata task by id. Returns: id, title, description, status, taskType, dueDate, completedAt, createdAt, updatedAt, assigneeId, createdById, assignee, createdBy, controls, risks, policies. Required: workspace_id, id.

update_a_drata_task_by_id

Update an existing Drata task by id. Returns the updated task including id, title, status, taskType, dueDate, assigneeId, createdById, createdAt, updatedAt, controls, risks, and policies. Required: workspace_id, id.

drata_tasks_perform_action

Perform a complete or uncomplete action on a Drata task. Returns the updated task including id, title, status, taskType, dueDate, completedAt, assigneeId, createdById, createdAt, and updatedAt. Required: workspace_id, task_id, action.

drata_tasks_list_upcoming

List upcoming tasks in a Drata workspace, sourced from policy renewals, vendor reviews, external evidence due dates, library document renewals, control approvals, and custom tasks. Returns: sourceId, name, taskType, dueDate, status, completedAt, assigneeIds. Required: workspace_id.

list_all_drata_user_documents

List user documents in Drata for a specific user, with optional filters by name and type. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id.

drata_user_documents_upload

Upload a user document to Drata as manual compliance evidence for a specific user. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id, type.

get_single_drata_user_document_by_id

Get the full detail of a Drata user document by id. Returns: id, userId, name, type, fileUrl, renewalDate, createdAt, updatedAt. Required: user_id, id.

delete_a_drata_user_document_by_id

Delete a Drata user document by id. Returns an empty 204 response on success. Required: user_id, id.

list_all_drata_user_assigned_policies

List assigned policies for a Drata user, tracking acknowledgement of policy versions. Returns: id, acceptedAt, sourceType, policyId, policyVersionId, policy, and policyVersion. Required: user_id.

drata_user_assigned_policies_acknowledge

Acknowledge a Drata user's assigned policy version, recording the date of acceptance. Returns: id, acceptedAt, createdAt, updatedAt, sourceType, policyId, policyVersionId, policy, and policyVersion. Required: user_id, policy_id, and acceptedAt. acceptedAt must be within the last year.

list_all_drata_roles

List Drata roles matching the provided filters. Returns: id, role, createdAt, updatedAt, and permissions (when expanded via expand[]).

get_single_drata_role_by_id

Get the full detail of a single Drata role by id. Returns: id, role, createdAt, updatedAt, permissions. Required: id.

drata_roles_list_users

List all Drata users assigned to a specific role. Returns: id, email, firstName, lastName, jobTitle, createdAt, updatedAt, roles, and optionally backgroundChecks, documents, identities when expanded. Required: role_id.

list_all_drata_vendor_documents

List compliance-related vendor documents for a given vendor in Drata. Returns: id, name, type, createdAt, updatedAt, and optionally downloadUrl. Required: vendor_id.

drata_vendor_documents_upload

Upload a compliance-related vendor document (such as a SOC report, bridge letter, or questionnaire) to a vendor in Drata. Returns the created document including id, name, type, createdAt, and updatedAt. Required: vendor_id, file.

get_single_drata_vendor_document_by_id

Get a single vendor document by id in Drata. Returns: id, name, type, createdAt, updatedAt, and downloadUrl. Required: vendor_id, id.

list_all_drata_vendor_types

List all vendor types configured in Drata. Returns: id, name. Supports optional sorting via sort and sortDir, and total-count inclusion via includeTotalCount.

create_a_drata_vendor_type

Create a new vendor type in Drata. Returns: id, name. Required: name.

update_a_drata_vendor_type_by_id

Update an existing vendor type in Drata by id. Returns: id, name. Required: id, name.

delete_a_drata_vendor_type_by_id

Soft delete a vendor type in Drata by id. Returns an empty 204 response on success. Required: id.

list_all_drata_vendor_security_reviews

List all security reviews for a given vendor in Drata, cursor-paginated. Returns: id, status, type, decision, title, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id.

create_a_drata_vendor_security_review

Create a new security review for a given vendor in Drata. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id, reviewDeadlineAt, securityReviewStatus, securityReviewType.

drata_vendor_security_reviews_create_with_file

Create a new vendor security review in Drata with an attached file in a single atomic operation. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, socReviewForm. Required: vendor_id, title, reviewDeadlineAt, securityReviewStatus, securityReviewType, file.

get_single_drata_vendor_security_review_by_id

Get a specific vendor security review by id in Drata. For SOC_REPORT reviews the response includes full socReviewForm data. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, user, requesterUser, socReviewForm. Required: vendor_id, id.

update_a_drata_vendor_security_review_by_id

Update a vendor security review in Drata. The title field applies to all review types; socForm is only processed when the review type is SOC_REPORT. Returns: id, status, type, decision, title, note, requestedAt, reviewDeadlineAt, userId, requesterUserId, socReviewForm. Required: vendor_id, id.

drata_vendor_security_reviews_upload_questionnaire

Upload one or more security questionnaire files to a vendor in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Required: vendor_id, files.

drata_vendor_security_reviews_list_questionnaires

List security questionnaires belonging to a vendor security review in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Archived or soft-deleted questionnaires are excluded. Required: vendor_id, security_review_id.

drata_vendor_security_reviews_upload_questionnaire_for_review

Upload one or more security questionnaire files to a vendor for a specific security review in Drata. Returns: id, completedBy, recipientEmail, isCompleted, dateSent, isManualUpload, responseId, title. Required: vendor_id, security_review_id, files.

drata_vendor_security_reviews_list_actions

List available actions for a vendor security review in Drata based on its current state (e.g. Finalize, Reopen). Returns: action. Required: vendor_id, security_review_id. Currently only SOC report type security reviews are supported.

drata_vendor_security_reviews_perform_action

Execute an action on a vendor security review in Drata. Finalize marks the review as complete; reopen returns a completed review to in-progress. Returns: success, newStatus, message. Required: vendor_id, security_review_id, action. Currently only SOC report type security reviews are supported.

list_all_drata_vendors

List Drata vendors matching provided filters. Returns vendor records including id, name, category, risk, status, type, location, hasPii, createdAt, and updatedAt. Supports filtering by category, status, risk, type, impactLevel, and renewalDate.

create_a_drata_vendor

Create a new vendor in Drata. Returns the created vendor object including id, name, category, risk, status, type, hasPii, createdAt, and updatedAt. Required: name.

drata_vendors_get_stats

Retrieve vendor statistics for specified scopes in Drata. Returns aggregated key-count breakdowns including reminder, hasPii, businessUnits, passwordPolicy, status, risk, and impactLevel. Required: expand.

get_single_drata_vendor_by_id

Get a single Drata vendor by id. Returns the full vendor record including id, name, category, risk, status, type, location, hasPii, passwordPolicy, createdAt, and updatedAt. Required: id.

update_a_drata_vendor_by_id

Update Drata vendor details by id. Returns the updated vendor object including id, name, category, risk, status, type, location, cost, createdAt, and updatedAt. Required: id.

delete_a_drata_vendor_by_id

Delete a Drata vendor by id. Returns an empty 204 response on success. Required: id.

drata_vendors_list_questionnaires

List questionnaires sent to a Drata vendor. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id.

drata_vendors_send_questionnaire

Send a questionnaire to a Drata vendor contact. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id.

drata_vendors_get_questionnaire

Get a specific questionnaire for a Drata vendor by id. Returns: vendorId, sendAt, sentEmail, file, respondedAt, responseId, isManualUpload, completedBy. Required: vendor_id, id.

Why Truto

Why use Truto’s MCP server for Drata

Other MCP servers give you a static tool list for one app. Truto gives you a managed, multi-tenant MCP infrastructure across 550+ integrations.

01

Auto-generated, always up to date

Tools are dynamically generated from curated documentation — not hand-coded. As integrations evolve, tools stay current without manual maintenance.

02

Fine-grained access control

Scope each MCP server to read-only, write-only, specific methods, or tagged tool groups. Expose only what your AI agent needs — nothing more.

03

Multi-tenant by design

Each MCP server is scoped to a single connected account with its own credentials. The URL itself is the auth token — no shared secrets, no credential leaking across tenants.

04

Works with every MCP client

Standard JSON-RPC 2.0 protocol. Paste the URL into Claude, ChatGPT, Cursor, or any MCP-compatible agent framework — tools are discovered automatically.

05

Built-in auth, rate limits, and error handling

Tool calls execute through Truto’s proxy layer with automatic OAuth refresh, rate-limit handling, and normalized error responses. No raw API plumbing in your agent.

06

Expiring and auditable servers

Create time-limited MCP servers for contractors or automated workflows. Optional dual-auth requires both the URL and a Truto API token for high-security environments.

Unified APIs

Unified APIs for Drata

Skip writing code for every integration. Use Truto’s category-specific Unified APIs out of the box or customize the mappings with AI.

Unified User Directory API

Roles

The Role object represents a role of a User.


Users

The User object represents a User.


How It Works

From zero to integrated

Go live with Drata in under an hour. No boilerplate, no maintenance burden.

01

Link your customer’s Drata account

Use Truto’s frontend SDK to connect your customer’s Drata account. We handle all OAuth and API key flows — you don’t need to create the OAuth app.

02

We handle authentication

Don’t spend time refreshing access tokens or figuring out secure storage. We handle it and inject credentials into every API request.

03

Call our API, we call Drata

Truto’s Proxy API is a 1-to-1 mapping of the Drata API. You call us, we call Drata, and pass the response back in the same cycle.

04

Unified response format

Every response follows a single format across all integrations. We translate Drata’s pagination into unified cursor-based pagination. Data is always in the result attribute.

FAQs

Common questions about Drata on Truto

Authentication, rate limits, data freshness, and everything else you need to know before you integrate.

What operations does the Drata integration support through Truto?

The integration currently supports three read operations: listing all company info, listing all users, and fetching a single user by ID. These map to Truto's Unified User Directory API resources (Users, Roles).

What user data can I pull from Drata via Truto?

Each Drata user record includes fields like email, jobTitle, roles, identities, backgroundChecks, documents, and drataTermsAgreedAt — giving you both identity and compliance-specific metadata per employee.

Does Truto handle authentication with Drata?

Yes. Truto manages the full auth flow for Drata. Your end users connect their Drata account through Truto's embedded linking experience, and Truto handles token management and secure credential storage.

Does Truto handle pagination when listing Drata users?

Yes. Truto abstracts away Drata's pagination logic. When you call list_all_drata_users, Truto manages page cursors and rate limits behind the scenes so you receive a complete dataset through a consistent interface.

Can I write data back to Drata through this integration?

The currently available tools are read-only — list company info, list users, and get a user by ID. Write operations are not included in the current tool set. Contact Truto if you need push capabilities.

How does Drata data map to Truto's Unified User Directory API?

Drata users and their role assignments are normalized into Truto's unified Users and Roles resources. This means you can query Drata user data using the same schema you use for other identity providers connected through Truto.


Get Drata integrated into your app

Our team understands what it takes to make a Drata integration successful. A short, crisp 30-minute call with folks who understand the problem.