Supergood | OneTrust API

Programmatically access OneTrust privacy programs, consent records, data subject rights requests, vendor risk assessments, and policy attestations with a stable REST API. Supergood builds and operates production-grade, unofficial OneTrust integrations so your team can automate GRC, regtech, and audit workflows without heavy custom engineering.

Plain English: OneTrust is trust intelligence software that helps companies run privacy, security, data governance, and compliance programs—think GDPR/CCPA consent, DSAR fulfillment, vendor risk, controls, and policies—in one place. An unofficial API lets you programmatically pull data subject requests, consent and preference records, processing activities (RoPA), vendor profiles and risk metrics, policies and attestations, incidents, and tasks—and push new requests, consents, questionnaires, approvals, and evidence back into OneTrust.

For a tech company integrating with OneTrust, this means you can ingest real-time DSAR queues into your case management, sync consent and preferences to your marketing stack, trigger vendor questionnaires from procurement, automate control testing and policy attestations from your audit platform, or enrich your GRC dashboards with risks, findings, and audit logs. You can also initiate breach workflows, attach evidence and documents, and keep stakeholder systems (ERP, analytics, CRM, ticketing) aligned with privacy and compliance data.

What is OneTrust?

OneTrust (https://www.onetrust.com/) is a cloud platform for privacy, security, data governance, and GRC that centralizes consent and preference management, data subject rights fulfillment, third‑party risk, policy management, controls, and audit evidence. Teams use OneTrust to manage data maps and RoPA, govern cookies and tracking, process DSARs, assess vendors, run risk registers and control testing, manage incidents and breaches, and capture policy acknowledgments—supported by workflows, portals, and detailed audit trails.

Core product areas include:

  • Privacy & Data Governance (Data Mapping, RoPA, Data Discovery, Data Transfers)
  • Consent & Preference Management (Web/Mobile Consent, Cookie Compliance, Preference Centers)
  • Data Subject Rights (Intake, Verification, Fulfillment, Artifact Tracking)
  • Third‑Party Risk (Vendor Inventory, Risk Scoring, Due Diligence Questionnaires)
  • GRC & Policy Management (Controls, Risks, Policies, Attestations, Audit Evidence)
  • Incident & Breach Management (Detection, Triage, Notification Workflows)

Common data entities:

  • Organizations, Users, Roles/Permissions, Workspaces
  • Data Subjects (identities, contact info, jurisdiction)
  • DSAR Requests (type, status, due dates, verification, linked systems)
  • Consents & Preferences (channels, lawful basis, versions, cookie categories)
  • Processing Activities (RoPA), Systems/Assets, Data Categories
  • Vendors/Third Parties (profiles, engagements, risk ratings, controls)
  • Assessments/Questionnaires (templates, responses)
  • Risks, Controls, Policies, Attestations
  • Incidents, Tasks, Evidence, Documents, Audit Trails

The OneTrust Integration Challenge

Privacy, GRC, and audit teams rely on OneTrust every day, but turning portal‑based workflows into API‑driven automation is non‑trivial:

  • Role‑aware and workspace‑scoped data: Admins, privacy analysts, business users, and vendors see different objects, fields, and states
  • Regulatory nuance: Jurisdiction‑specific requirements (GDPR, CCPA/CPRA, LGPD) affect workflows, deadlines, and lawful basis modeling
  • Consent context: Web/app consent, cookies, and preference centers capture granular channel/category states and versions
  • DSAR rigor: Identity verification, linked systems, and fulfillment artifacts require careful handling and auditability
  • Vendor risk complexity: Questionnaire templates, evidence attachments, and scoring models vary by program
  • Authentication complexity: SSO/MFA and session lifecycles complicate headless automation across different tenants

How Supergood Creates OneTrust APIs

Supergood reverse‑engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your OneTrust tenant.

  • Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
  • Maintains session continuity with automated refresh and change detection
  • Normalizes responses so you can integrate once and rely on consistent objects across modules
  • Aligns with customer entitlements and role‑based permissions to ensure compliant access

Use Cases

DSAR Intake & Case Orchestration

  • Mirror DSAR requests into your case/ticketing system and drive SLA alerts
  • Automate verification steps and track fulfillment artifacts
  • Synchronize status changes back to OneTrust with audit‑safe updates

Consent & Preference Synchronization

  • Pull user consent and preferences to enrich CDP/marketing automation
  • Upsert consent states and lawful basis across web/mobile channels
  • Normalize versions and jurisdictional nuances for consistent enforcement

Vendor Risk & Procurement Automation

  • Trigger due diligence questionnaires when procurement creates a new vendor engagement
  • Pull risk scores and control gaps to feed your GRC dashboards
  • Attach evidence, assign reviewers, and reconcile results across systems

Policy Attestation & Audit Evidence

  • Ingest policies and acknowledgment events to meet audit requirements
  • Link controls and testing results to your audit platform
  • Store artifacts with checksums and timestamps for end‑to‑end traceability
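For "checksums and timestamps for end‑to‑end traceability", the Python below is an added example (not Supergood's implementation) of an append‑only, hash‑chained evidence manifest: each entry records the artifact's SHA‑256, the actor, the timestamp and the OneTrust object it supports, and is chained to the previous entry so that a modified artifact, altered metadata, or a removed entry is detected on verification. The artifact ids, object ids and file contents are constructed for the example; the user ids reuse those from this page's responses.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Tuple

GENESIS = "0" * 64   # prevHash of the first manifest entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same metadata always hashes the same.
    return sha256_hex(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())


@dataclass(frozen=True)
class EvidenceEntry:
    artifactId: str      # storage key of the attachment (constructed ids below)
    attachedTo: str      # OneTrust object it supports, e.g. a policy or control id
    actor: str           # who attached it
    recordedAt: str      # ISO 8601 UTC timestamp of the attachment event
    sha256: str          # digest of the artifact bytes
    prevHash: str        # entryHash of the previous entry (GENESIS for the first)
    entryHash: str       # digest of all fields above


class EvidenceManifest:
    """Append-only, hash-chained record of evidence attachments and state transitions."""

    def __init__(self) -> None:
        self.entries: List[EvidenceEntry] = []

    def append(self, artifact_id: str, attached_to: str, actor: str,
               recorded_at: str, content: bytes) -> EvidenceEntry:
        fields = {
            "artifactId": artifact_id, "attachedTo": attached_to, "actor": actor,
            "recordedAt": recorded_at, "sha256": sha256_hex(content),
            "prevHash": self.entries[-1].entryHash if self.entries else GENESIS,
        }
        entry = EvidenceEntry(**fields, entryHash=canonical_hash(fields))
        self.entries.append(entry)
        return entry

    def verify(self, store: Dict[str, bytes]) -> Tuple[bool, str]:
        """Check chain linkage, entry metadata, and the bytes currently held for each artifact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            expected = fields.pop("entryHash")
            if e.prevHash != prev:
                return False, f"entry {i}: chain broken (entry removed or reordered)"
            if canonical_hash(fields) != expected:
                return False, f"entry {i}: metadata altered"
            blob = store.get(e.artifactId)
            if blob is None or sha256_hex(blob) != e.sha256:
                return False, f"entry {i}: artifact {e.artifactId} missing or modified"
            prev = e.entryHash
        return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    # Constructed sample artifacts; a real run would hash the uploaded files.
    store = {
        "ev_001": b"Acceptable Use Policy v5 - acknowledgment export, 2026-01-21\n",
        "ev_002": b"Control AC-2 test results Q1 2026: 3 of 3 samples passed\n",
    }
    manifest = EvidenceManifest()
    manifest.append("ev_001", "policy_aup_v5", "u_ot_729c10", "2026-01-21T09:00:00Z", store["ev_001"])
    manifest.append("ev_002", "ctrl_ac_2", "u_ot_9812aa", "2026-01-21T09:30:00Z", store["ev_002"])
    clean = manifest.verify(store)

    # Someone edits the second artifact after it was attached (one added character).
    tampered = dict(store, ev_002=b"Control AC-2 test results Q1 2026: 3 of 3 samples passed.\n")
    modified = manifest.verify(tampered)

    # Dropping the first entry breaks the chain: entry 0 no longer links to GENESIS.
    truncated = EvidenceManifest()
    truncated.entries = manifest.entries[1:]
    removed = truncated.verify(store)
    return clean, modified, removed
```

The per‑artifact digest catches content changes; the chain catches deleted or reordered entries, which a flat list of checksums would not. Signing the latest entryHash with a key held outside the evidence store (not shown) would additionally bind the manifest to the actor who closed the audit period.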

Available Endpoints

Authentication

POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short‑lived auth token maintained by the platform. The credentials and MFA factor supplied here define what the integration can read and change in your tenant, so use a dedicated OneTrust service account limited to the modules and workspaces the integration needs rather than a named analyst's login, and keep both the Supergood Basic token and the returned auth token out of logs and source control.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/sessions \
  --header 'Authorization: Basic <Base64 encoded token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "<username>",
    "password": "<password>",
    "mfa": { "type": "totp", "code": "123456" }
  }'

Example response

{
  "authToken": "eyJhbGciOi...",
  "expiresIn": 3600,
  "user": {
    "id": "u_ot_729c10",
    "name": "Privacy Analyst",
    "entitlements": ["dsar", "consents", "vendors", "policies"]
  }
}

Data Subject Rights

GET /dsr/requests: List data subject requests with filters and summary details.

Query parameters

  • status: received | in_verification | in_review | fulfilled | rejected
  • type: access | deletion | correction | portability | objection
  • jurisdiction: gdpr | ccpa | cpra | lgpd | other
  • updatedFrom, updatedTo: ISO 8601 timestamps
  • page, pageSize: integers for pagination

Example response

{
  "items": [
    {
      "requestId": "dsr_2a91f0",
      "type": "access",
      "jurisdiction": "gdpr",
      "status": "in_review",
      "submittedAt": "2026-01-20T13:45:00Z",
      "dueDate": "2026-02-17",
      "subject": {
        "subjectId": "subj_88b32e",
        "email": "subject@example.com",
        "country": "DE",
        "verificationLevel": "document_verified"
      },
      "assignedToUserId": "u_ot_729c10",
      "linkedSystems": [
        {"systemId": "sys_crm_01", "name": "CRM", "status": "queried"},
        {"systemId": "sys_marketing_02", "name": "Marketing", "status": "pending"}
      ],
      "scope": {
        "personalDataCategories": ["contact", "engagement", "preferences"]
      },
      "updatedAt": "2026-01-21T10:03:11Z"
    }
  ],
  "page": 1,
  "pageSize": 50,
  "total": 1
}
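The following Python client, added here as an example and not Supergood's SDK, ties the two calls above together: it establishes a session with POST /sessions, renews the authToken before expiresIn elapses, pages through GET /dsr/requests using the page/pageSize/total fields, and turns dueDate into a days‑remaining SLA view for case‑management alerts. The HTTP transport is injected and the response pages are constructed, so it runs offline; the integration id, credentials and the 401 handling are placeholders and assumptions modelled on the examples on this page.

```python
import base64
import time
import urllib.parse
from datetime import date
from typing import Any, Callable, Dict, Iterator, Optional, Tuple

# Transport signature: (method, url, headers, json_body) -> (status, json). Injected so the
# example runs offline; in production wrap requests/httpx (TLS on, no credential logging).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class SupergoodClient:
    """Holds one short-lived authToken and re-establishes it before expiresIn elapses.
    Endpoint paths and field names follow this page's examples."""

    def __init__(self, integration_id: str, platform_token: str, username: str, password: str,
                 totp_provider: Callable[[], str], transport: Transport,
                 clock: Callable[[], float] = time.time) -> None:
        self.base = f"https://api.supergood.ai/integrations/{integration_id}"
        self.platform_token = platform_token                # Supergood Basic-auth credential
        self.username, self.password = username, password   # OneTrust service-account login
        self.totp_provider = totp_provider                  # returns a fresh TOTP code per login
        self.transport, self.clock = transport, clock
        self.auth_token: Optional[str] = None
        self.expires_at = 0.0
        self.logins = 0

    def _login(self) -> None:
        # POST /sessions: platform token in the Basic header, OneTrust credentials + MFA in the body.
        basic = base64.b64encode(self.platform_token.encode()).decode()
        headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/json"}
        body = {"username": self.username, "password": self.password,
                "mfa": {"type": "totp", "code": self.totp_provider()}}
        status, data = self.transport("POST", f"{self.base}/sessions", headers, body)
        if status != 200:
            raise RuntimeError(f"session setup failed: HTTP {status}")
        self.auth_token = data["authToken"]
        # Renew 60 s early so a request never races the server-side expiry.
        self.expires_at = self.clock() + float(data["expiresIn"]) - 60.0
        self.logins += 1

    def get(self, path: str, params: Dict[str, Any]) -> dict:
        if self.auth_token is None or self.clock() >= self.expires_at:
            self._login()
        url = f"{self.base}{path}?{urllib.parse.urlencode(params)}"
        status, data = self.transport("GET", url, {"Authorization": f"Bearer {self.auth_token}"}, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return data

    def iter_dsr_requests(self, page_size: int = 50, **filters: str) -> Iterator[dict]:
        """Walk GET /dsr/requests using the page/pageSize/total fields of each response."""
        page = 1
        while True:
            data = self.get("/dsr/requests", {**filters, "page": page, "pageSize": page_size})
            yield from data["items"]
            if page * data["pageSize"] >= data["total"]:
                return
            page += 1


def sla_report(requests: Iterator[dict], today: date) -> Dict[str, int]:
    """requestId -> days until dueDate (negative means the statutory deadline has passed)."""
    return {r["requestId"]: (date.fromisoformat(r["dueDate"]) - today).days for r in requests}


# --- constructed sample pages and a fake transport so the example runs offline ---------------
SAMPLE_PAGES = {
    1: {"items": [{"requestId": "dsr_2a91f0", "status": "in_review", "dueDate": "2026-02-17"},
                  {"requestId": "dsr_3b02c1", "status": "in_verification", "dueDate": "2026-01-25"}],
        "page": 1, "pageSize": 2, "total": 3},
    2: {"items": [{"requestId": "dsr_4c13d2", "status": "received", "dueDate": "2026-01-10"}],
        "page": 2, "pageSize": 2, "total": 3},
}


def make_fake_transport() -> Transport:
    state = {"sessions": 0}

    def transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
        parts = urllib.parse.urlsplit(url)
        if method == "POST" and parts.path.endswith("/sessions"):
            assert headers["Authorization"].startswith("Basic ") and body["mfa"]["type"] == "totp"
            state["sessions"] += 1
            return 200, {"authToken": f"tok_{state['sessions']}", "expiresIn": 3600}
        if headers.get("Authorization") != f"Bearer tok_{state['sessions']}":
            return 401, {"error": "unauthorized"}   # stale or missing token (assumed behaviour)
        page = int(urllib.parse.parse_qs(parts.query)["page"][0])
        return 200, SAMPLE_PAGES[page]             # filters are ignored by this stand-in

    return transport


def demo() -> Tuple[Dict[str, int], int]:
    clock = [1_700_000_000.0]
    client = SupergoodClient("int_demo", "platform-token", "svc-privacy@example.com",
                             "example-password", lambda: "123456", make_fake_transport(),
                             clock=lambda: clock[0])
    report = sla_report(client.iter_dsr_requests(page_size=2), date(2026, 1, 21))
    clock[0] += 4000            # past the 3600 s expiresIn: the next call must log in again
    client.get("/dsr/requests", {"page": 1, "pageSize": 2})
    return report, client.logins
```

A negative value in the report is an overdue request; the ticketing side can raise an alert on it directly. The TOTP provider is a callable rather than a stored code because a code is only valid for one time step and must be generated at login time.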

Consents & Preferences

POST /subjects/{subjectId}/consents: Upsert consent and preference records across channels with lawful basis and versioning.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/subjects/subj_88b32e/consents \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "source": "web",
    "jurisdiction": "gdpr",
    "lawfulBasis": "consent",
    "consentedAt": "2026-01-21T10:15:00Z",
    "preferences": [
      {"categoryKey": "email_marketing", "channel": "email", "status": "granted", "version": "v3"},
      {"categoryKey": "analytics", "channel": "web", "status": "denied", "version": "v3"}
    ],
    "cookieConsent": {"necessary": true, "analytics": false, "advertising": false},
    "policyVersion": "privacy_policy_v5",
    "proof": {"ipAddress": "203.0.113.42", "userAgent": "Mozilla/5.0"},
    "context": {"siteId": "site_eu_01"}
  }'

Example response

{
  "consentId": "cons_90e412",
  "subjectId": "subj_88b32e",
  "status": "active",
  "version": "v3",
  "preferencesCount": 2,
  "effectiveAt": "2026-01-21T10:15:00Z"
}
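Consent records are exactly the kind of write where a retried request must not create a second record. The Python below is an added example (not Supergood code) of the idempotency‑key and backoff pattern mentioned under Performance Characteristics: the key is derived from the consent event itself, the POST is retried with exponential backoff on transient statuses, and a constructed fake service shows that a 503‑then‑retry and a re‑delivered event both resolve to the same consentId. The Idempotency‑Key header name and the retryable status set are assumptions; the page does not specify them. The sample payload is the one from the curl example above.

```python
import hashlib
import json
from typing import Callable, Dict, List, Tuple

# Header name is an assumption: the page mentions idempotency keys but does not name the header.
IDEMPOTENCY_HEADER = "Idempotency-Key"
RETRYABLE_STATUSES = {429, 502, 503, 504}

# Post signature: (path, headers, json_body) -> (status, json). Injected so the example runs offline.
Post = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def idempotency_key(subject_id: str, payload: dict) -> str:
    """Derive the key from the consent event itself (canonical JSON, sorted keys), so the same
    event, whether retried by us or re-delivered by the source, always carries the same key."""
    canonical = json.dumps({"subjectId": subject_id, **payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def upsert_consent(post: Post, auth_token: str, subject_id: str, payload: dict,
                   sleep: Callable[[float], None], max_attempts: int = 4) -> dict:
    """POST /subjects/{subjectId}/consents with exponential backoff on transient failures.
    The key is computed once, before the first attempt, and reused on every retry."""
    headers = {
        "Authorization": f"Bearer {auth_token}",
        "Content-Type": "application/json",
        IDEMPOTENCY_HEADER: idempotency_key(subject_id, payload),
    }
    delay = 0.5
    for attempt in range(1, max_attempts + 1):
        status, body = post(f"/subjects/{subject_id}/consents", headers, payload)
        if status in (200, 201):
            return body
        if status not in RETRYABLE_STATUSES or attempt == max_attempts:
            raise RuntimeError(f"consent upsert failed: HTTP {status} after {attempt} attempt(s)")
        sleep(delay)        # 0.5 s, 1 s, 2 s ...; add jitter in production
        delay *= 2
    raise AssertionError("unreachable")


class FakeConsentService:
    """Constructed stand-in for the endpoint: the first call fails with 503; afterwards it keeps
    one record per idempotency key and returns the stored record on replay."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.calls = 0

    def post(self, path: str, headers: Dict[str, str], payload: dict) -> Tuple[int, dict]:
        self.calls += 1
        if self.calls == 1:
            return 503, {"error": "upstream session refresh in progress"}
        key = headers[IDEMPOTENCY_HEADER]
        if key not in self.records:
            self.records[key] = {
                "consentId": f"cons_{len(self.records) + 1:06x}",
                "subjectId": path.split("/")[2],
                "status": "active",
                "version": payload["preferences"][0]["version"],
                "preferencesCount": len(payload["preferences"]),
                "effectiveAt": payload["consentedAt"],
            }
        return 200, self.records[key]


# The page's consent payload, reused as the sample event.
SAMPLE_CONSENT = {
    "source": "web", "jurisdiction": "gdpr", "lawfulBasis": "consent",
    "consentedAt": "2026-01-21T10:15:00Z",
    "preferences": [
        {"categoryKey": "email_marketing", "channel": "email", "status": "granted", "version": "v3"},
        {"categoryKey": "analytics", "channel": "web", "status": "denied", "version": "v3"},
    ],
    "cookieConsent": {"necessary": True, "analytics": False, "advertising": False},
    "policyVersion": "privacy_policy_v5",
    "proof": {"ipAddress": "203.0.113.42", "userAgent": "Mozilla/5.0"},
    "context": {"siteId": "site_eu_01"},
}


def demo() -> Tuple[dict, dict, int, int, List[float]]:
    service = FakeConsentService()
    sleeps: List[float] = []
    first = upsert_consent(service.post, "<authToken>", "subj_88b32e", SAMPLE_CONSENT, sleeps.append)
    # The same event arrives again (e.g. the consent banner re-sends after a reconnect).
    second = upsert_consent(service.post, "<authToken>", "subj_88b32e", SAMPLE_CONSENT, sleeps.append)
    return first, second, len(service.records), service.calls, sleeps
```

Deriving the key from the event rather than from a random UUID per call is what makes the second delivery collapse onto the first record; a fresh UUID would only protect the retries inside one call. A different consentedAt or a changed preference produces a different key, which is the intended behaviour: that is a new consent event, not a replay.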

Vendor Risk Assessments

POST /vendors/{vendorId}/assessments: Create a vendor due‑diligence assessment based on a questionnaire template and assign reviewers.

curl --request POST \
  --url https://api.supergood.ai/integrations/<integration_id>/vendors/ven_451293/assessments \
  --header 'Authorization: Bearer <authToken>' \
  --header 'Content-Type: application/json' \
  --data '{
    "title": "Marketing Platform Annual Review",
    "questionnaireTemplateId": "tmpl_security_baseline_v2",
    "dueDate": "2026-02-10",
    "scope": {"dataCategories": ["contact", "behavioral"], "processingActivities": ["profiling", "email_campaigns"]},
    "reviewers": ["u_ot_729c10", "u_ot_9812aa"],
    "references": {"contracts": ["ctr_2024_102"], "dpiaId": "dpia_7fa223"},
    "notifyVendor": true
  }'

Example response

{
  "assessmentId": "assess_51af80",
  "vendorId": "ven_451293",
  "questionnaireTemplateId": "tmpl_security_baseline_v2",
  "status": "in_progress",
  "createdAt": "2026-01-21T11:20:44Z"
}

Get full API Specs →


Technical Specifications

  • Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer‑managed credentials
  • Response format: JSON with consistent resource schemas and pagination across modules
  • Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
  • Session management: Automatic reauth and cookie/session rotation with health checks
  • Data freshness: Near real‑time retrieval of DSARs, consents/preferences, vendor objects, and policy artifacts
  • Security: Encrypted transport, scoped tokens, and audit logging; respects OneTrust role‑based permissions and workspace boundaries
  • Webhooks: Optional asynchronous delivery for long‑running workflows (e.g., DSAR fulfillment, consent changes, assessment updates)

Performance Characteristics

  • Latency: Sub‑second responses for list/detail queries under normal load
  • Throughput: Designed for high‑volume DSAR, consent, and vendor assessment synchronization
  • Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
  • Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates

Getting Started

  1. Schedule Integration Assessment

Book a 30‑minute session to confirm your modules, licensing, and authentication model.

  2. Supergood Builds and Validates Your API

We deliver a hardened OneTrust adapter tailored to your workflows and entitlements.

  3. Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as OneTrust evolves.

Schedule Integration Call →


Frequently Asked Questions

Q: Which OneTrust modules can this integration cover?

Supergood supports workflows across commonly used modules such as Privacy & Data Governance (RoPA, Data Mapping), Consent & Preference Management (web/mobile, cookies), Data Subject Rights (intake, verification, fulfillment), Third‑Party Risk (vendors, questionnaires), and GRC/Policy Management (controls, policies, attestations), subject to your licensing and entitlements. We scope coverage during integration assessment.

Q: How are MFA and SSO handled for automation?

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Q: Can you synchronize consent and preference data with our marketing, CDP, or analytics systems?

Yes. We normalize consent and preference records (channels, categories, versions, lawful basis) and can deliver updates via webhooks or polling while complying with rate and permission constraints.

Q: Do you support RoPA exports and data mapping synchronization?

Yes. We can extract processing activities, systems/assets, and data categories to align with your data catalog and governance tools, and push updates back when appropriate.

Q: How do you handle audit trails and evidence?

We capture timestamps, actors, and checksums for attachments and state transitions, preserving OneTrust’s audit trail semantics while providing normalized event data.



Ready to automate your OneTrust workflows?

Supergood can have your OneTrust integration live in days with no ongoing engineering maintenance.

Get Started →
