Supergood | Diligent API

Programmatically access Diligent governance, risk, compliance, and audit data with a stable REST API. Supergood builds and operates production-grade, unofficial Diligent integrations so your team can automate GRC and audit workflows without heavy custom engineering.

Plain English: Diligent is enterprise software that unifies board governance, risk management, compliance, audit, ESG, and entity management in one platform. An unofficial API lets you programmatically pull risk registers, controls, audit engagements and findings, policy attestations, vendor assessments, board documents, and tasks—and push new records or updates back into Diligent.

For a tech company integrating with Diligent, this means you can ingest real-time risk and control data to power dashboards, sync audit findings to issue trackers (e.g., Jira, ServiceNow), automate policy attestations from your product, enrich your platform with evidence and approvals, trigger governance updates, and keep stakeholder systems (ERP, analytics, IAM/SSO, ticketing) in lockstep.

What is Diligent?

Diligent (https://www.diligentoneplatform.com/) is a cloud platform for modern governance that centralizes board workflows, risk and compliance operations, internal audit, ESG reporting, and corporate entity management. Teams use Diligent to manage board meetings and materials, build and maintain risk registers, design and test internal controls, run audits from planning through remediation, track compliance obligations and policies with attestations, oversee third-party/vendor risk, and collect ESG metrics across frameworks.

Core product areas include:

• Governance & Board Management (Meetings, Agendas, Minutes, Voting, Questionnaires, Secure Document Distribution)
• Risk & Controls (Risk Registers, Control Libraries, Assessments, Issues/Incidents, Mitigation Plans)
• Audit Management (Audit Plans, Fieldwork, Workpapers, Findings, Recommendations, Remediation Tracking)
• Compliance & Policy (Regulatory Obligations, Policy Lifecycle, Attestations, Certifications, Evidence)
• Third-Party Risk (Vendors, Due Diligence, Risk Ratings, Assessments, Contracts)
• ESG & Entity Management (ESG Data Collection, Framework Mapping, Subsidiaries/Entity Records)

Common data entities:

• Organizations, Users, Roles/Permissions (Board Members, Executives, Risk Owners, Auditors, Compliance Officers)
• Risks (metadata, category, likelihood/impact, scores, status, owner, linked controls/issues)
• Controls (design/operating effectiveness, mappings to frameworks, test plans and results)
• Audits (engagements, objectives, workpapers, findings, recommendations, approvals)
• Issues/Incidents (severity, root cause, remediation plan, due dates, ownership)
• Policies (versions, lifecycle states, attestations, acknowledgements)
• Vendors/Third Parties (profiles, assessments, risk tier, contracts, remediation actions)
• Evidence & Documents (attachments, versions, checksum, access controls)

The Diligent Integration Challenge

GRC and audit teams rely on Diligent daily, but turning portal-based workflows into API-driven automation is non-trivial:

• Role-aware portals: Directors, executives, auditors, risk owners, and vendors each see different data and approval states
• Data lineage: Risks, controls, audits, and issues are interconnected across modules and frameworks (SOX, ISO, NIST, COSO)
• Compliance rigor: Attestations, evidence integrity, approvals, and sign-offs require careful handling and auditability
• Authentication complexity: SSO/MFA and session lifecycles complicate headless automation in regulated environments
• Mixed artifacts: Critical context lives in documents, workpapers, questionnaires, and approval histories, not just tables

How Supergood Creates Diligent APIs

Supergood reverse-engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your Diligent tenant.

• Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
• Maintains session continuity with automated refresh and change detection
• Normalizes responses so you can integrate once and rely on consistent objects across modules
• Aligns with customer entitlements and role-based permissions to ensure compliant access

Use Cases

Risk & Control Data Sync

• Mirror risk registers and control libraries into your internal systems
• Keep likelihood/impact, residual scores, and owners current for analytics and reporting
• Normalize control mappings across frameworks to drive continuous monitoring

Audit & Issue Remediation

• Pull audit findings and route remediation tasks to Jira/ServiceNow with SLAs
• Upload evidence and test results from your product while preserving approvals and lineage
• Track status changes and due dates for dashboards and executive reporting

Policy & Compliance Attestations

• Automate attestations for new policy versions from your app
• Capture proof (IP/device, time, version) and push acknowledgements back to Diligent
• Trigger re-attestation workflows based on role, regulation, or risk tier

Third-Party Risk & Vendor Oversight

• Sync vendor profiles and assessment results to your governance hub
• Drive automated re-assessments and remediation tasks for high-risk third parties
• Consolidate contracts, obligations, and ratings into unified views

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short-lived auth token maintained by the platform.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "[email protected]",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_dlg_74a210",
    "name": "Lead Auditor",
    "entitlements": ["risks", "controls", "audits", "policies"]
  }
}

POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.

Risks

GET /risks: List risks in the organization's risk register with filters and summary details.

Query parameters

• ownerId: string
• status: open | monitoring | closed | accepted | mitigated
• category: operational | financial | compliance | strategic | cybersecurity | other
• frameworkId: string (e.g., "sox", "iso27001")
• updatedFrom, updatedTo: ISO 8601 timestamps
• tags: array of strings
• page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "riskId": "risk_8f2139",
      "title": "Unauthorized Access to Financial Systems",
      "category": "cybersecurity",
      "likelihood": 4,
      "impact": 5,
      "inherentScore": 20,
      "residualScore": 8,
      "status": "monitoring",
      "riskOwnerId": "u_dlg_20a551",
      "treatmentPlan": "MFA enforcement, quarterly access reviews",
      "tags": ["SOX", "AccessControl"],
      "nextReviewDate": "2026-03-31",
      "linkedControls": ["ctrl_AC-001", "ctrl_AC-003"],
      "linkedIssues": ["iss_1aa002"],
      "updatedAt": "2026-01-20T13:45:00Z"
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}

Control Testing

POST /controls/{controlId}/tests: Create a control test result for a defined period with methodology, evidence, and conclusion.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/controls/ctrl_AC-001/tests \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "periodStart": "2025-10-01",
    "periodEnd": "2025-12-31",
    "methodology": "operating",
    "sampleSize": 25,
    "populationDescription": "Provisioned admin accounts in Q4",
    "testerUserId": "u_dlg_74a210",
    "evidence": [
      {"fileName": "q4_access_review.xlsx", "uploadToken": "upl_91ba73"},
      {"fileName": "mfa_audit_log.pdf", "uploadToken": "upl_91ba74"}
    ],
    "conclusion": "effective",
    "deficiencySeverity": "none",
    "remarks": "All samples had MFA and documented approvals.",
    "referenceId": "jira-SEC-1289"
  }'

Example response

{
  "testId": "tst_50c911",
  "status": "submitted",
  "createdAt": "2026-01-21T10:03:11Z"
}

Audit Findings

PATCH /audits/{auditId}/findings/{findingId}: Update finding status, severity, ownership, and remediation plan.

curl --request PATCH \
  --url https://api.supergood.ai/integrations/<integration_id>/audits/aud_2026_Q1/findings/fnd_7c3d21 \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Missing Quarterly Access Review Sign-offs",
    "severity": "high",
    "status": "in_progress",
    "ownerUserId": "u_dlg_20a551",
    "remediationPlan": {
      "actions": [
        {"description": "Implement workflow sign-off", "dueDate": "2026-02-15"},
        {"description": "Retroactively obtain approvals for Q4", "dueDate": "2026-02-05"}
      ],
      "targetDate": "2026-02-28"
    },
    "linkedRiskId": "risk_8f2139",
    "attachments": [
      {"fileName": "remediation_plan.docx", "uploadToken": "upl_7fa223"}
    ],
    "approvals": [
      {"approverUserId": "u_dlg_900021", "status": "pending"}
    ],
    "notes": "Escalated to CISO for visibility."
  }'

Example response

{
  "findingId": "fnd_7c3d21",
  "status": "in_progress",
  "severity": "high",
  "ownerUserId": "u_dlg_20a551",
  "updatedAt": "2026-01-22T08:15:12Z"
}

Policy Attestations

POST /policies/{policyId}/attestations: Record a user's attestation to a policy version with proof metadata.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/policies/pol_IT-Access-2026/attestations \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "userId": "u_dlg_45b100",
    "policyVersion": "v2.3",
    "attestationDate": "2026-01-21T11:20:44Z",
    "method": "portal",
    "proof": {"ipAddress": "203.0.113.42", "device": "MacBookPro, Safari 17"},
    "attachments": [
      {"fileName": "signature.png", "uploadToken": "upl_5aa300"}
    ],
    "metadata": {"department": "Finance", "region": "US"}
  }'

Example response

{
  "attestationId": "att_51af80",
  "status": "recorded",
  "policyId": "pol_IT-Access-2026",
  "policyVersion": "v2.3",
  "createdAt": "2026-01-21T11:21:10Z"
}

Get full API Specs →

Technical Specifications

• Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials
• Response format: JSON with consistent resource schemas and pagination across modules
• Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
• Session management: Automatic reauth and cookie/session rotation with health checks
• Data freshness: Near real-time retrieval of risks, controls, audits, policies, and vendor objects
• Security: Encrypted transport, scoped tokens, and audit logging; respects Diligent role-based permissions and data access controls
• Webhooks: Optional asynchronous delivery for long-running workflows (e.g., approvals, attestations, audit status updates)

Performance Characteristics

• Latency: Sub-second responses for list/detail queries under normal load
• Throughput: Designed for high-volume risk/control sync and audit/policy processing
• Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
• Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

1. Schedule Integration Assessment

Book a 30-minute session to confirm your modules, licensing, and authentication model.

2. Supergood Builds and Validates Your API

We deliver a hardened Diligent adapter tailored to your workflows and entitlements.

3. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as Diligent evolves.

Schedule Integration Call →

Frequently Asked Questions

Q: Which Diligent modules can this integration cover?

Supergood supports workflows across commonly used modules such as Governance (Boards, Documents), Risk & Controls (Risk Registers, Control Testing), Audit (Engagements, Findings), Compliance & Policy (Policies, Attestations), and Third-Party Risk (Vendors, Assessments), subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you push audit findings and remediation tasks into Jira or ServiceNow?

Yes. We normalize audit findings, issues, and remediation plans to match your ticketing schema, and deliver updates via webhooks or polling while complying with rate and permission constraints. We commonly integrate with Jira and ServiceNow.

Q: Are evidence uploads and approvals supported?

Yes. We support uploading attachments via signed uploads, with checksum validation and time-limited URLs. Approval states and sign-offs are modeled explicitly in our normalized responses with user and timestamp metadata.

Related Integrations

Intralinks API - Programmatically access the Intralinks VDR with Supergood

Ready to automate your Diligent workflows?

Supergood can have your Diligent integration live in days with no ongoing engineering maintenance.

Get Started →