Supergood | Archer API

Programmatically access Archer GRC risk registers, controls, policies, audit workflows, vendor assessments, and issue remediation with a stable REST API. Supergood builds and operates production-grade, unofficial Archer integrations so your team can automate governance, risk, and compliance operations without heavy custom engineering.

Plain English: Archer is governance, risk, and compliance (GRC) software used by enterprises to manage risk registers, controls libraries, policies and standards, audit programs, issues and findings, third‑party risk assessments, and business resilience. An unofficial API lets you programmatically pull risks, controls, policies, issues, findings, audit engagements, assessments, vendor details, and evidence—and push new records, updates, and attachments back into Archer.

For a tech company integrating with Archer, this means you can ingest real-time risk and compliance data to power dashboards, sync issues into ticketing/ITSM (e.g., ServiceNow, Jira), automate third‑party questionnaires and follow-ups from your product, or enrich your platform with audit findings, control tests, and remediation status. You can also trigger policy acknowledgments, create issues from external security tools, attach evidence, and keep stakeholder systems (ERP, analytics, IAM, ITSM) in lockstep.

What is Archer?

Archer (https://www.archerirm.com/) is a cloud and on‑premise platform for integrated risk management (IRM) and GRC. It centralizes enterprise and operational risk, IT & security risk, third‑party governance, audit management, policy & compliance, and business resilience in configurable applications with workflow, approvals, and role-based access.

Core product areas include:

• Enterprise & Operational Risk (Risk Register, Risk Assessments, Loss Events)
• IT & Security Risk (Control Catalogs, Control Testing, Issues/Findings, Vulnerability/Risk Treatment)
• Third‑Party Governance (Vendor Records, Due Diligence, Questionnaires, Continuous Monitoring)
• Audit Management (Audit Planning, Engagements, Tests, Findings, Remediation)
• Policy & Compliance (Policies, Standards, Control Mapping, Attestations)
• Business Resilience (BC/DR Plans, Exercises, Incident Tracking)

Common data entities:

• Organizations, Users, Roles/Permissions
• Risks (titles, categorizations, likelihood, impact, ratings, treatment)
• Controls (framework mapping, owners, testing status)
• Policies & Standards (versions, publication state, acknowledgments)
• Issues/Findings (classification, severity, remediation plan, status)
• Audit Engagements & Tests (scope, procedures, evidence, results)
• Assessments & Questionnaires (templates, sections, responses, scoring)
• Third Parties/Vendors (risk tier, contacts, assessments, residual risk)
• Evidence & Attachments (files, checksums, retention)
• Exceptions & Remediation Tasks (waivers, compensating controls, due dates)

The Archer Integration Challenge

GRC teams rely on Archer every day, but turning portal-based workflows into API-driven automation is non-trivial:

• Configurable applications: Each customer’s Archer instance has custom fields, references, and workflows that vary by module
• Approval rigor: Risks, issues, and audit findings often move through gated workflows with attestation and sign-off requirements
• Role-aware access: Sensitive objects and fields are scoped by business unit, function, and user entitlements
• Authentication complexity: SSO/MFA (SMS, email, TOTP) and session lifecycles complicate headless automation
• Evidence handling: Large attachments, checksum validation, and retention policies require careful treatment
• Cross-linking: Records reference risks, controls, vendors, and audits across modules with standardized relationships

How Supergood Creates Archer APIs

Supergood reverse-engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your Archer tenant.

• Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
• Maintains session continuity with automated refresh and change detection
• Normalizes responses so you can integrate once and rely on consistent objects across configurable applications
• Aligns with customer entitlements and role-based permissions to ensure compliant access

Use Cases

Risk & Control Data Sync

• Mirror risk registers and control catalogs into your internal analytics, data warehouse, or GRC hub
• Keep ratings, treatment, and ownership current across business units
• Normalize risk categories, frameworks (e.g., ISO, NIST), and mappings for multi-tenant operations

Issue & Remediation Automation

• Create Archer issues/findings directly from security tools, scans, or monitoring alerts
• Push remediation tasks and status updates from ITSM/ticketing systems
• Attach evidence and track closure dates to drive SLA alerts and governance reporting

Third‑Party Risk Assessments

• Launch vendor questionnaires from your platform and notify vendor contacts automatically
• Ingest responses, scores, and residual risk; trigger follow-ups
• Escalate overdue assessments and reconcile vendor tiers across systems

Audit Management & Evidence

• Pull audit engagements and findings to power dashboards or external auditor portals
• Update finding dispositions and remediation plans; upload evidence files with checksum validation
• Synchronize test results and issues with engineering and operations tools

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short-lived auth token maintained by the platform.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "[email protected]",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_arch_524b91",
    "name": "Compliance Manager",
    "entitlements": ["risks", "controls", "issues", "audits", "third_parties"]
  }
}

POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.

Risks

GET /risks: List risks with filters and summary details.

Query parameters

• programId: string
• status: open | accepted | in_treatment | closed
• severity: low | medium | high | critical
• ownerId: string
• updatedFrom, updatedTo: ISO 8601 timestamps
• page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "riskId": "risk_7f21d0",
      "title": "Third-Party Data Exposure",
      "category": "Vendor Risk",
      "program": "Enterprise Risk",
      "likelihood": "medium",
      "impact": "high",
      "inherentRating": 4,
      "residualRating": 3,
      "treatment": "mitigate",
      "status": "in_treatment",
      "owner": {"id": "u_arch_203a11", "name": "Risk Lead"},
      "dueDate": "2026-03-31",
      "relatedControls": ["ctrl_ism_27001_A.8.2", "ctrl_nist_3.1.1"],
      "updatedAt": "2026-01-20T13:45:00Z"
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}

Issues & Findings

POST /issues: Create an issue/finding with classification, severity, and remediation metadata.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/issues \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Control Failure: Access Reviews Not Performed",
    "description": "Quarterly access reviews were not completed for Finance systems.",
    "classification": "control_deficiency",
    "source": "audit",
    "severity": "high",
    "riskId": "risk_7f21d0",
    "controlId": "ctrl_iso_27001_A.9.2",
    "ownerId": "u_arch_203a11",
    "dueDate": "2026-02-28",
    "remediationPlan": {
      "summary": "Run overdue reviews, implement automated reminders, and add manager attestations.",
      "milestones": [
        {"name": "Complete Q1 reviews", "targetDate": "2026-02-15"},
        {"name": "Deploy reminders", "targetDate": "2026-02-20"}
      ]
    },
    "attachments": [
      {"fileName": "audit_test_result.pdf", "uploadToken": "upl_a1d73c"}
    ],
    "referenceId": "servicenow-INC0012345"
  }'

Example response

{
  "issueId": "iss_93e412",
  "status": "open",
  "createdAt": "2026-01-21T10:03:11Z"
}

Third‑Party Assessments

POST /third-parties/{vendorId}/assessments: Launch a vendor risk assessment using a questionnaire template.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/third-parties/ven_451293/assessments \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "templateId": "tpl_vra_2026_core",
    "assessmentType": "security",
    "dueDate": "2026-02-10",
    "notifyVendor": true,
    "contacts": [
      {"name": "Vendor Security Lead", "email": "[email protected]"}
    ],
    "scope": {
      "products": ["Payments Gateway", "Reporting Portal"],
      "regions": ["US", "EU"],
      "dataTypes": ["PII", "Financial"]
    },
    "scoringMethod": "weighted",
    "referenceId": "vrm-case-2981"
  }'

Example response

{
  "assessmentId": "asm_51af80",
  "status": "sent",
  "dueDate": "2026-02-10",
  "createdAt": "2026-01-21T11:20:44Z"
}

Audit Findings

PATCH /audits/{engagementId}/findings/{findingId}: Update finding disposition, owner, remediation, and attach evidence.

curl --request PATCH \
  --url https://api.supergood.ai/integrations/<integration_id>/audits/eng_22c9/findings/fnd_7c3d21 \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "status": "under_review",
    "rating": "major",
    "ownerId": "u_arch_9ab441",
    "remediationPlan": {
      "summary": "Implement quarterly access certification with automated controls testing.",
      "targetClosureDate": "2026-03-15"
    },
    "evidence": [
      {"fileName": "access_review_export.csv", "uploadToken": "upl_7fa223"}
    ],
    "notes": "Initial evidence attached; pending control redesign approval."
  }'

Example response

{
  "findingId": "fnd_7c3d21",
  "status": "under_review",
  "rating": "major",
  "updatedAt": "2026-01-22T08:15:12Z"
}

Get full API Specs →

Technical Specifications

• Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials
• Response format: JSON with consistent resource schemas and pagination across Archer applications
• Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
• Session management: Automatic reauth and cookie/session rotation with health checks
• Data freshness: Near real-time retrieval of risks, controls, issues, audits, assessments, vendors, and policy objects
• Security: Encrypted transport, scoped tokens, and audit logging; respects Archer role-based permissions and workflow states
• Webhooks: Optional asynchronous delivery for long-running workflows (e.g., assessment responses, approval transitions)

Performance Characteristics

• Latency: Sub-second responses for list/detail queries under normal load
• Throughput: Designed for high-volume risk register sync, assessment launching, and issue/update processing
• Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
• Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

1. Schedule Integration Assessment

Book a 30-minute session to confirm your modules, licensing, and authentication model.

2. Supergood Builds and Validates Your API

We deliver a hardened Archer adapter tailored to your workflows and entitlements.

3. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as Archer evolves.

Schedule Integration Call →

Frequently Asked Questions

Q: Which Archer modules can this integration cover?

Supergood supports workflows across commonly used modules such as Enterprise/Operational Risk (Risk Register, Assessments), IT & Security Risk (Controls, Testing, Issues/Findings), Third‑Party Governance (Vendors, Questionnaires), Audit Management (Engagements, Findings, Evidence), and Policy & Compliance (Policies, Attestations), subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you sync issues and remediation tasks to our ITSM/ticketing system?

Yes. We can normalize Archer issues/findings, remediation plans, and evidence to match your ITSM/ticketing schema and deliver updates via webhooks or polling while complying with rate and permission constraints. We commonly integrate with ServiceNow and Jira.

Related Integrations

Intralinks API - Programmatically access the Intralinks VDR with Supergood

Ready to automate your Archer workflows?

Supergood can have your Archer integration live in days with no ongoing engineering maintenance.

Get Started →