Supergood | Hyperproof API

Programmatically access Hyperproof compliance programs, frameworks, controls, evidence, risks, and audit workflows with a stable REST API. Supergood builds and operates production-grade, unofficial Hyperproof integrations so your team can automate GRC operations without heavy custom engineering.

Plain English: Hyperproof is compliance, risk, and audit management software used by security, compliance, and risk teams to design controls, collect evidence, manage audits, assess risks, and maintain continuous compliance across frameworks like SOC 2, ISO 27001, HIPAA, and PCI. An unofficial API lets you programmatically pull programs, frameworks and requirements, controls, control tests and health, evidence items, audit request lists, risks, issues, and tasks—and push new records or updates back into Hyperproof.

For a tech company integrating with Hyperproof, this means you can ingest real-time control and evidence data to power dashboards, orchestrate automated evidence collection from your systems (e.g., Okta, AWS, Jira, GitHub), sync audit request lists and findings into your workflow tools, trigger risk assessments and remediation tasks, or enrich your platform with control health, risk scoring, and compliance status. You can also initiate review cycles, attach documents, manage exceptions, and keep stakeholder systems (ticketing, IAM, cloud, analytics) in lockstep.

What is Hyperproof?

Hyperproof (https://hyperproof.io/) is a cloud platform for GRC that centralizes compliance operations, continuous controls monitoring, risk management, and audit coordination. Teams use Hyperproof to map controls to frameworks, collect and validate evidence, run internal audits, manage external audit PBC lists, track risks and remediation, and maintain ongoing compliance across security and regulatory obligations.

Core product areas include:

• Compliance Management (Programs, Frameworks, Requirements, Controls, Policies, Tasks)
• Continuous Controls Monitoring (Automated Evidence Collection, Integrations, Control Health)
• Audit Management (Audits, Request Lists/PBCs, Findings, Review/Approval Workflows)
• Risk Management (Risk Register, Assessments, Mitigations, Issues)
• Collaboration & Governance (Owners, Roles/Permissions, Notifications, Reporting)

Common data entities:

• Users, Teams, Roles/Permissions (Admins, Control Owners, Auditors)
• Programs (e.g., SOC 2, ISO 27001), Frameworks, Requirements
• Controls (metadata, mappings, owners, frequency, health)
• Control Tests and Evidence (periods, methods, attachments, reviewers)
• Policies and Exceptions
• Risks (likelihood, impact, score, treatment, linked controls)
• Audits (audit plans, request lists/PBC items, findings, statuses)
• Issues and Remediation Tasks

The Hyperproof Integration Challenge

Security and compliance teams rely on Hyperproof daily, but turning portal-based workflows into API-driven automation is non-trivial:

• Role-aware portals: Admins, control owners, and auditors each see different objects, states, and permissions
• Compliance rigor: Evidence periods, review states, and control health require careful modeling and status transitions
• Portal-first features: Audit requests, findings, and attestations are optimized for front-end flows
• Authentication complexity: SSO/MFA and session lifecycles complicate headless automation
• Data spread: Key objects span frameworks, controls, evidence, risks, and audits with context across multiple views

How Supergood Creates Hyperproof APIs

Supergood reverse-engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your Hyperproof tenant.

• Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
• Maintains session continuity with automated refresh and change detection
• Normalizes responses so you can integrate once and rely on consistent objects across modules
• Aligns with customer entitlements and role-based permissions to ensure compliant access

Use Cases

Controls & Framework Data Sync

• Mirror programs, frameworks, requirements, and controls into your internal systems
• Keep control metadata current for analytics, reporting, and board dashboards
• Normalize owners, frequencies, and mappings across multi-framework compliance

Evidence Automation & Continuous Monitoring

• Create evidence items programmatically from your systems (Okta logs, AWS CloudTrail, Jira tickets)
• Schedule control tests, track review states, and push results back to Hyperproof
• Attach documents, enforce checksum validation, and retain audit trails

Risk Register & Issues Automation

• Populate risks with scores from your platform’s detections or assessments
• Link risks to mitigating controls and assign remediation tasks
• Update residual risk after mitigation and drive SLA alerts

Audit Management & PBC Coordination

• Generate audit request lists and route tasks to owners
• Sync evidence submissions and approval status into your workflow tools (e.g., ServiceNow, Jira)
• Track findings and exceptions, drive follow-ups, and update audit progress

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short-lived auth token maintained by the platform.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "[email protected]",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_hpf_9c27b1",
    "name": "Compliance Lead",
    "entitlements": ["frameworks", "controls", "evidence", "risks", "audits"]
  }
}

POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.

Controls

GET /controls: List controls with filters, framework mappings, owners, and health.

Query parameters

• programId: string
• frameworkId: string
• ownerUserId: string
• status: active | draft | deprecated | archived
• health: pass | warn | fail | unknown
• updatedFrom, updatedTo: ISO 8601 timestamps
• page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "controlId": "ctrl_41e2a9",
      "title": "User Access Reviews",
      "objective": "Access to critical systems is reviewed quarterly and inappropriate access is removed.",
      "category": "Access Management",
      "frequency": "quarterly",
      "status": "active",
      "ownerUserId": "u_hpf_9c27b1",
      "tags": ["SOC2", "ISO27001", "IAM"],
      "frameworkRefs": [
        {"frameworkId": "fw_soc2", "requirementId": "req_cc6_3", "requirementKey": "CC6.3"},
        {"frameworkId": "fw_iso27001", "requirementId": "req_a_9_2", "requirementKey": "A.9.2"}
      ],
      "controlHealth": "warn",
      "lastEvidenceAt": "2026-01-15T20:30:00Z",
      "nextDueDate": "2026-03-31",
      "updatedAt": "2026-01-20T13:45:00Z"
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}

Evidence

POST /controls/{controlId}/evidence: Create an evidence item linked to a control with collection details, period coverage, and attachments.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/controls/ctrl_41e2a9/evidence \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Q4 Access Review Sign-off",
    "description": "Evidence of access review approvals for Okta-administered applications.",
    "periodStart": "2025-10-01",
    "periodEnd": "2025-12-31",
    "sourceType": "integration",
    "integration": "okta",
    "sourceRef": {"groupId": "00g1abcdEFGH", "reportUrl": "https://okta.example.com/reports/123"},
    "attachments": [
      {"fileName": "access_review_q4.pdf", "uploadToken": "upl_08ab73"}
    ],
    "collectedAt": "2026-01-10T09:12:00Z",
    "testedByUserId": "u_hpf_4b1e20",
    "testResult": "pass",
    "testNotes": "Reviewed by IAM team; exceptions remediated within SLA.",
    "confidentiality": "internal"
  }'

Example response

{
  "evidenceId": "ev_90e412",
  "linkedControlId": "ctrl_41e2a9",
  "status": "under_review",
  "reviewers": ["u_hpf_4b1e20"],
  "createdAt": "2026-01-21T10:03:11Z"
}

Risks

POST /risks: Create a risk entry with scoring, treatment plan, and links to mitigating controls.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/risks \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Unauthorized Access to Production Data",
    "category": "Information Security",
    "description": "Risk of unauthorized access due to misconfigured IAM policies.",
    "likelihood": "high",
    "impact": "high",
    "score": 9,
    "ownerUserId": "u_hpf_9c27b1",
    "treatment": "mitigate",
    "plannedMitigation": "Implement quarterly access reviews and enforce least privilege.",
    "dueDate": "2026-02-15",
    "tags": ["IAM", "Production"],
    "linkedControls": ["ctrl_41e2a9", "ctrl_77db10"]
  }'

Example response

{
  "riskId": "risk_51af80",
  "status": "open",
  "score": 9,
  "createdAt": "2026-01-21T11:20:44Z"
}

Audit Requests

POST /audits/{auditId}/requests: Create an audit PBC request with due dates, assignees, and linkage to frameworks/controls.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/audits/aud_2026_soc2/requests \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Provide Q4 Access Review Evidence",
    "description": "Upload signed access review approvals and exception logs.",
    "requestType": "evidence",
    "dueDate": "2026-01-25",
    "assignedToUserId": "u_hpf_9c27b1",
    "frameworkRefs": [{"frameworkId": "fw_soc2", "requirementKey": "CC6.3"}],
    "linkedControls": ["ctrl_41e2a9"],
    "checklistItems": [
      {"text": "Signed approval by control owner", "required": true},
      {"text": "Exception log with remediation status", "required": true}
    ],
    "attachments": [
      {"fileName": "request_details.txt", "uploadToken": "upl_7fa223"}
    ],
    "notifyAssignee": true
  }'

Example response

{
  "requestId": "req_7c3d21",
  "status": "open",
  "dueDate": "2026-01-25",
  "assignedToUserId": "u_hpf_9c27b1",
  "createdAt": "2026-01-22T08:15:12Z"
}

Get full API Specs →

Technical Specifications

• Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials
• Response format: JSON with consistent resource schemas and pagination across modules
• Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
• Session management: Automatic reauth and cookie/session rotation with health checks
• Data freshness: Near real-time retrieval of frameworks, controls, evidence, risks, and audit objects
• Security: Encrypted transport, scoped tokens, and audit logging; respects Hyperproof role-based permissions
• Webhooks: Optional asynchronous delivery for long-running workflows (e.g., evidence reviews, audit request updates)

Performance Characteristics

• Latency: Sub-second responses for list/detail queries under normal load
• Throughput: Designed for high-volume control/evidence sync and risk/audit processing
• Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
• Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

1. Schedule Integration Assessment

Book a 30-minute session to confirm your modules, licensing, and authentication model.

2. Supergood Builds and Validates Your API

We deliver a hardened Hyperproof adapter tailored to your workflows and entitlements.

3. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as Hyperproof evolves.

Schedule Integration Call →

Frequently Asked Questions

Q: Which Hyperproof modules can this integration cover?

Supergood supports workflows across commonly used modules such as Compliance Management (Programs, Frameworks, Requirements, Controls, Policies), Continuous Controls Monitoring (Evidence, Control Tests, Health), Audit Management (Audits, PBC Request Lists, Findings), and Risk Management (Risk Register, Issues), subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you sync evidence and audit requests with our workflow and cloud systems?

Yes. We commonly integrate with systems such as Okta, AWS, Jira, GitHub, and ServiceNow. We normalize evidence metadata and request states to match your schema, deliver updates via webhooks or polling, and honor rate and permission constraints.

Q: Do you model control health, periods, and review states explicitly?

Yes. Control health, evidence periods, test results, and review/approval states are modeled consistently in our normalized responses, with status transitions guarded by idempotency and validation rules.

Related Integrations

Intralinks API - Programmatically access the Intralinks VDR with Supergood

Ready to automate your Hyperproof workflows?

Supergood can have your Hyperproof integration live in days with no ongoing engineering maintenance.

Get Started →