Supergood | SAI360 API
Programmatically access SAI360 governance, risk, compliance, audit, and third‑party risk data with a stable REST API. Supergood builds and operates production‑grade, unofficial SAI360 integrations so your team can automate GRC and regtech workflows without heavy custom engineering.
Plain English: SAI360 is enterprise software for Governance, Risk, and Compliance (GRC) that consolidates risk registers, controls, audits, vendor risk, policies, incidents, and ethics & compliance learning. An unofficial API lets you programmatically pull risks, controls, KRIs, audits, findings, issues, vendors, assessments, policies, attestations, incidents, training assignments/completions—and push new records or updates back into SAI360.
For a tech company integrating with SAI360, this means you can ingest real‑time risk and audit data to power dashboards, trigger automated evidence collection, sync remediation tasks into issue trackers (e.g., Jira, ServiceNow), orchestrate vendor questionnaires and due diligence, track policy acknowledgements and training completion, and keep stakeholder systems (IRM, analytics, ERP, ticketing) in lockstep.
What is SAI360?
SAI360 (https://www.sai360.com/) is a cloud platform for Governance, Risk & Compliance and Integrated Risk Management. Organizations use SAI360 to manage enterprise and IT risk, control frameworks, audits and findings, regulatory obligations, policies, third‑party risk assessments, incidents, and ethics & compliance training—often with role‑based portals tailored to risk owners, auditors, compliance managers, and business users.
Core product areas include:
- Enterprise & IT Risk Management (Risk Registers, KRIs, Controls, Assessments)
- Audit Management (Audit Plans, Fieldwork, Findings, Corrective Actions)
- Compliance Management & Regulatory Change (Obligations, Policies, Attestations, Control Mapping)
- Third‑Party Risk Management (Vendors, Assessments, Questionnaires, Issues)
- Ethics & Compliance Learning (Training Assignments, Completions)
- Incident Management & EHS (Incidents, Investigations, CAPA)
- Business Continuity & Resilience (BIAs, Plans, Exercises)
Common data entities:
- Organizations, Users, Roles/Permissions
- Risks (metadata, categories, owners, inherent/residual scores)
- Controls and Control Tests (design/operating effectiveness)
- KRIs and Metrics (thresholds, trend, alerts)
- Audits, Procedures, Workpapers, Findings
- Issues and Corrective Actions (CAPA)
- Vendors/Third Parties, Assessments, Questionnaires
- Policies, Policy Versions, Attestations
- Training Assignments/Completions and Learning Content
- Incidents/Events, Investigations, Root Cause
- Business Impact Analyses (BIAs), Continuity Plans
The SAI360 Integration Challenge
Organizations rely on SAI360 daily, but turning portal‑based workflows into API‑driven automation is non‑trivial:
- Role‑aware workflows: Risk owners, auditors, compliance, vendors, and business users each see different fields, states, and actions
- Regulatory rigor: Risk scoring, control effectiveness, audit evidence, and policy attestation require careful handling and traceability
- Workflow complexity: Multi‑step assessments, approvals, and CAPA lifecycles are optimized for front‑end flows
- Authentication complexity: SSO/MFA, session lifecycles, and vendor portals complicate headless automation
- Data spread: Key objects span risks, controls, audits, vendors, policies, incidents, and training with context across modules
How Supergood Creates SAI360 APIs
Supergood reverse‑engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your SAI360 tenant.
- Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
- Maintains session continuity with automated refresh and change detection
- Normalizes responses so you can integrate once and rely on consistent objects across modules
- Inherits the entitlements and role‑based permissions of the account it authenticates as, so the adapter can read and write only what that user could in the portal; scope the automation account to the modules you actually need
Use Cases
Risk & Control Data Sync
- Mirror risks, controls, and KRIs into your internal IRM or analytics stack
- Keep risk metadata current for reporting and dashboards
- Normalize scoring, categories, and ownership across business units
Vendor Risk & Assessments Automation
- Launch vendor questionnaires (e.g., SIG, ISO 27001) from your platform
- Track assessment status, evidence submissions, and findings
- Push remediation tasks into Jira or ServiceNow and sync closure back to SAI360
Audit & Findings Management
- Ingest audit plans, procedures, and findings for continuous monitoring
- Attach evidence from your data lake and update corrective actions programmatically
- Drive SLA alerts and escalate overdue CAPA items
Policies, Training, & Attestations
- Sync policy catalogs and versions, record staff attestations from your app
- Assign ethics & compliance training and pull completion data for HR/ops
- Reconcile obligations and control mappings for regulatory reporting
Incident & Issue Management
- Create incidents from detection systems and route investigations
- Track root cause, impact, and corrective actions with attachments
- Feed incident data to analytics and resilience programs
Available Endpoints
Authentication
POST /sessions: Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short‑lived auth token maintained by the platform.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/sessions \
--header 'Authorization: Basic <Base64 encoded token>' \
--header 'Content-Type: application/json' \
--data '{
"username": "<username>",
"password": "<password>",
"mfa": { "type": "totp", "code": "123456" },
"tenant": "global-risk"
}'
Example response
{
"authToken": "eyJhbGciOi...",
"expiresIn": 3600,
"user": {
"id": "u_sai_9821c0",
"name": "Risk Manager",
"entitlements": ["risks", "controls", "audits", "vendors", "policies", "incidents", "training"]
}
}
POST /sessions/refresh: Refresh an existing token to keep sessions uninterrupted.
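The session lifecycle the two endpoints above imply, as an added example in Python (this is not Supergood's client code). It renews the token proactively before `expiresIn` elapses and re-authenticates once if a request comes back unauthorized. Three things are assumed because the page does not state them: the Supergood credential in the Basic header is `<api_key_id>:<secret>`, an expired or revoked session token is answered with HTTP 401, and `POST /sessions/refresh` returns the same body shape as `POST /sessions`. The server is a constructed in-memory stand-in so the example runs offline.

```python
"""Session lifecycle for the Supergood SAI360 adapter (added example)."""
import base64
import time


class FakeSupergood:
    """Constructed stand-in for api.supergood.ai/integrations/<id>: issues numbered
    session tokens and accepts only the most recently issued one."""

    def __init__(self):
        self.issued = 0          # successful POST /sessions + /sessions/refresh calls
        self.refreshes = 0
        self.valid = set()

    def request(self, method, path, headers, body=None):
        if path == "/sessions":
            return self._issue()
        if path == "/sessions/refresh":
            self.refreshes += 1
            return self._issue()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in self.valid:
            return 401, {"error": "session expired"}      # assumed status for a dead token
        return 200, {"items": [], "page": 1, "pageSize": 50, "total": 0}

    def _issue(self):
        self.issued += 1
        token = f"tok_{self.issued}"
        self.valid = {token}     # a refresh invalidates the previous token
        return 200, {"authToken": token, "expiresIn": 3600,
                     "user": {"id": "u_sai_9821c0", "entitlements": ["risks"]}}

    def revoke_all(self):
        """Simulate a server-side revocation (password rotation, admin logout)."""
        self.valid.clear()


class Session:
    # Renew this many seconds before expiresIn elapses. Assumed policy, not from the page.
    REFRESH_MARGIN = 300

    def __init__(self, transport, api_credential, username, password, tenant,
                 mfa_code=None, clock=time.time):
        self.transport = transport
        self.basic = base64.b64encode(api_credential.encode()).decode()
        # Credentials belong in a secret store in production; they are held here only
        # because a 401 forces a full re-login.
        self.username, self.password, self.tenant = username, password, tenant
        # TOTP codes are single-use, so the caller supplies a function that yields a
        # fresh code whenever a login is needed, not a fixed string.
        self.mfa_code = mfa_code
        self.clock = clock
        self.token = None
        self.expires_at = 0.0

    def login(self):
        body = {"username": self.username, "password": self.password, "tenant": self.tenant}
        if self.mfa_code is not None:
            body["mfa"] = {"type": "totp", "code": self.mfa_code()}
        status, data = self.transport.request(
            "POST", "/sessions", {"Authorization": f"Basic {self.basic}"}, body)
        if status != 200:
            raise RuntimeError(f"login failed: {status} {data}")
        self._accept(data)

    def refresh(self):
        status, data = self.transport.request(
            "POST", "/sessions/refresh", {"Authorization": f"Bearer {self.token}"})
        if status != 200:          # refresh rejected: fall back to a full login
            self.login()
            return
        self._accept(data)

    def _accept(self, data):
        self.token = data["authToken"]
        self.expires_at = self.clock() + data["expiresIn"]

    def request(self, method, path, body=None):
        """Send one call, renewing the session early and re-authenticating once on 401."""
        if self.token is None:
            self.login()
        elif self.clock() >= self.expires_at - self.REFRESH_MARGIN:
            self.refresh()
        headers = {"Authorization": f"Bearer {self.token}"}
        status, data = self.transport.request(method, path, headers, body)
        if status == 401:          # revoked before expiry: one re-login, then return whatever we get
            self.login()
            headers = {"Authorization": f"Bearer {self.token}"}
            status, data = self.transport.request(method, path, headers, body)
        return status, data


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting an hour."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now
```

The refresh path matters more than it looks: a TOTP code cannot be replayed, so an integration that lets the session lapse and re-logs in needs a new code every time, whereas refreshing before `expiresIn` keeps the automation headless.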
Risks
GET /risks: List risks with filters, scoring, and KRI summaries.
Query parameters
- domain: enterprise | it | operational | compliance
- status: active | archived | closed
- ownerId: string
- category: string (e.g., "Cybersecurity", "Financial")
- framework: ISO27001 | NIST | COSO | SOC2
- updatedFrom, updatedTo: ISO 8601 timestamps
- page, pageSize: integers for pagination
Example response
{
"items": [
{
"riskId": "risk_ab31f2",
"title": "Unauthorized Access to Sensitive Systems",
"domain": "it",
"category": "Cybersecurity",
"status": "active",
"ownerId": "u_sai_9821c0",
"ownerName": "Risk Manager",
"inherentScore": 24,
"residualScore": 12,
"likelihood": "likely",
"impact": "major",
"frameworks": ["ISO27001", "NIST"],
"controls": [
{"controlId": "ctl_IA-2", "name": "User Identification and Authentication", "effectiveness": "operating"}
],
"kri": [
{"metricId": "kri_failed_logins", "name": "Failed Logins/Day", "value": 158, "threshold": 200, "status": "green"},
{"metricId": "kri_privileged_accounts", "name": "Privileged Accounts", "value": 63, "threshold": 50, "status": "amber"}
],
"lastAssessmentDate": "2026-01-15",
"updatedAt": "2026-01-21T13:45:00Z"
}
],
"page": 1,
"pageSize": 50,
"total": 1
}
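A delta sync over `GET /risks` using the query parameters and response shape documented above, as an added Python example (not Supergood's code). It pages with `page`/`pageSize`/`total`, advances an `updatedFrom` watermark, and computes KRI breaches from `value` against `threshold` instead of trusting the portal's colour. Two assumptions the page does not state: `updatedFrom` is inclusive, so the record sitting exactly on the watermark is re-sent by the next run and must be de-duplicated, and a KRI threshold is an upper bound, as in the sample response. `fake_fetch` and the sample records are constructed so the example runs offline.

```python
"""Incremental sync of GET /risks with KRI breach detection (added example)."""
from datetime import datetime, timezone

# Constructed sample: the risk from the page's example response plus two more.
SAMPLE_RISKS = [
    {"riskId": "risk_ab31f2", "inherentScore": 24, "residualScore": 12,
     "kri": [{"metricId": "kri_failed_logins", "value": 158, "threshold": 200, "status": "green"},
             {"metricId": "kri_privileged_accounts", "value": 63, "threshold": 50, "status": "amber"}],
     "updatedAt": "2026-01-21T13:45:00Z"},
    {"riskId": "risk_c0ffee", "inherentScore": 15, "residualScore": 18, "kri": [],
     "updatedAt": "2026-01-10T09:00:00Z"},
    {"riskId": "risk_d00d01", "inherentScore": 9, "residualScore": 6,
     "kri": [{"metricId": "kri_open_findings", "value": 4, "threshold": 10, "status": "green"}],
     "updatedAt": "2026-01-18T17:30:00Z"},
]


def parse_ts(value):
    """ISO 8601 with a trailing Z, as the page's timestamps are written."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def fake_fetch(params):
    """Stand-in for GET /risks: filters on updatedFrom (inclusive), pages by pageSize."""
    since = parse_ts(params["updatedFrom"])
    matching = sorted((r for r in SAMPLE_RISKS if parse_ts(r["updatedAt"]) >= since),
                      key=lambda r: r["updatedAt"])
    size, page = params["pageSize"], params["page"]
    start = (page - 1) * size
    return {"items": matching[start:start + size], "page": page,
            "pageSize": size, "total": len(matching)}


def iter_risks(fetch, since, page_size=50):
    """Walk every page of GET /risks?updatedFrom=<since>, stopping on total or an empty page."""
    page = 1
    while True:
        data = fetch({"updatedFrom": since, "status": "active",
                      "page": page, "pageSize": page_size})
        yield from data["items"]
        if not data["items"] or page * data["pageSize"] >= data["total"]:
            return
        page += 1


def kri_breaches(risk):
    """Breach = value at or over threshold; the portal's status colour is informational only."""
    return [k for k in risk.get("kri", []) if k["value"] >= k["threshold"]]


def sync(fetch, watermark, seen, page_size=50):
    """Pull everything updated since `watermark`; return (new_watermark, alerts).

    `seen` is a set of (riskId, updatedAt) persisted between runs; it absorbs the
    boundary records an inclusive updatedFrom re-sends.
    """
    new_watermark, alerts = watermark, []
    for risk in iter_risks(fetch, watermark, page_size):
        key = (risk["riskId"], risk["updatedAt"])
        if key in seen:
            continue
        seen.add(key)
        if risk["residualScore"] > risk["inherentScore"]:
            # Residual above inherent is a scoring error; surface it before it hits a dashboard
            alerts.append(("residual_exceeds_inherent", risk["riskId"]))
        for kri in kri_breaches(risk):
            alerts.append(("kri_breach", risk["riskId"], kri["metricId"]))
        if parse_ts(risk["updatedAt"]) > parse_ts(new_watermark):
            new_watermark = risk["updatedAt"]
    return new_watermark, alerts
```

Persist both the watermark and the `seen` set between runs; the set can be pruned to entries at or after the current watermark, since anything older can no longer be re-sent.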
Third‑Party Assessments
POST /third-parties/{thirdPartyId}/assessments: Create a vendor risk assessment with questionnaire assignment, due date, and reviewers.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/third-parties/tp_7d12aa/assessments \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data '{
"type": "vendor_risk",
"framework": "SIG",
"questionnaireId": "q_sig_2026_v1",
"title": "2026 Annual Vendor Security Assessment",
"dueDate": "2026-02-20",
"scope": ["Access Control", "Incident Response", "Encryption"],
"evidenceRequired": true,
"reviewers": [
{"userId": "u_sai_aud_2391", "role": "audit"},
{"userId": "u_sai_comp_4210", "role": "compliance"}
],
"externalContact": {"name": "Vendor Security Lead", "email": "<vendor-contact-email>"},
"attachments": [
{"fileName": "nda.pdf", "uploadToken": "upl_08ab73"}
],
"notifyVendor": true,
"referenceId": "tp-assess-2026-001"
}'
Example response
{
"assessmentId": "assess_91bf40",
"status": "open",
"questionnaireLink": "https://vendor-portal.sai360.com/a/assess_91bf40",
"dueDate": "2026-02-20",
"createdAt": "2026-01-21T10:03:11Z"
}
Audit Findings
PATCH /audits/{auditId}/findings/{findingId}: Update audit finding status, severity, and corrective actions.
curl --request PATCH \
--url https://api.supergood.ai/integrations/<integration_id>/audits/aud_14c200/findings/fnd_7c3d21 \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data '{
"status": "open",
"severity": "high",
"riskRating": 4,
"rootCause": "Insufficient access review cadence",
"controlId": "ctl_AC-2",
"correctiveActions": [
{"actionId": "cap_001", "description": "Implement quarterly access reviews", "ownerId": "u_sai_it_7843", "dueDate": "2026-03-15"},
{"actionId": "cap_002", "description": "Automate privileged access alerts", "ownerId": "u_sai_sec_3112", "dueDate": "2026-02-28"}
],
"attachments": [
{"fileName": "evidence_access_review.xlsx", "uploadToken": "upl_7fa223"}
],
"externalTicketKey": "JIRA-IRM-829"
}'
Example response
{
"findingId": "fnd_7c3d21",
"status": "open",
"severity": "high",
"riskRating": 4,
"correctiveActionCount": 2,
"updatedAt": "2026-01-22T08:15:12Z"
}
Policy Attestations
POST /policies/{policyId}/attestations: Record a user's acknowledgement of a policy version, with audit metadata. Note that acknowledgedAt, ipAddress, and device are supplied by the caller rather than observed by SAI360, so the evidentiary value of the record depends on the calling system capturing them from the user's actual session instead of synthesizing them.
curl --request POST \
--url https://api.supergood.ai/integrations/<integration_id>/policies/pol_anti-bribery/attestations \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data '{
"userId": "u_sai_9821c0",
"policyVersionId": "pol_anti-bribery_v3",
"acknowledgedAt": "2026-01-22T13:00:00Z",
"method": "e-sign",
"ipAddress": "203.0.113.71",
"device": "Chrome 122 / macOS",
"locale": "en-US",
"quiz": {"required": true, "score": 92}
}'
Example response
{
"attestationId": "att_52aa10",
"policyId": "pol_anti-bribery",
"policyVersionId": "pol_anti-bribery_v3",
"userId": "u_sai_9821c0",
"status": "acknowledged",
"acknowledgedAt": "2026-01-22T13:00:00Z"
}
Technical Specifications
- Authentication: Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer‑managed credentials
- Response format: JSON with consistent resource schemas and pagination across modules
- Rate limits: Tuned for enterprise throughput while honoring customer entitlements and usage controls
- Session management: Automatic reauth and cookie/session rotation with health checks
- Data freshness: Near real‑time retrieval of risks, controls, audits, vendors, policies, incidents, and training objects
- Security: Encrypted transport, scoped tokens, and audit logging; respects SAI360 role‑based permissions
- Webhooks: Optional asynchronous delivery for long‑running workflows (e.g., assessments, CAPA updates, policy attestations)
Performance Characteristics
- Latency: Sub‑second responses for list/detail queries under normal load
- Throughput: Designed for high‑volume risk, audit, and assessment sync with attachment handling
- Reliability: Retry logic, backoff, and idempotency keys minimize duplicate actions
- Adaptation: Continuous monitoring for UI/API changes with rapid adapter updates
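What "retry logic, backoff, and idempotency keys" has to look like on the caller's side for the write endpoints above (creating assessments, patching findings), as an added Python example rather than Supergood's code. The page does not name the header or the replay semantics, so the `Idempotency-Key` header, the set of retryable statuses, and the server replaying a stored result for a repeated key are assumptions. The server is a constructed stand-in that commits the record and then loses the reply to the first attempt, which is exactly the case where a naive retry creates a duplicate assessment.

```python
"""Retry-safe writes with a deterministic idempotency key (added example)."""
import hashlib
import json

RETRYABLE = {429, 502, 503, 504}   # transient: safe to resend with the same key


def idempotency_key(method, path, body):
    """Derive the key from the canonical request, so a retry or a re-run job sends the same one."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{method} {path}\n{canonical}".encode()).hexdigest()


def send_with_retry(transport, method, path, body, sleep, max_attempts=5, base_delay=0.5):
    """POST/PATCH once, retrying only on transient statuses with exponential backoff."""
    headers = {"Idempotency-Key": idempotency_key(method, path, body),   # assumed header name
               "Content-Type": "application/json"}
    for attempt in range(max_attempts):
        status, data = transport(method, path, headers, body)
        if status in RETRYABLE:
            sleep(base_delay * 2 ** attempt)   # add jitter in production
            continue
        if 400 <= status < 500:
            # Validation and permission errors do not heal on retry
            raise ValueError(f"{method} {path} rejected: {status} {data}")
        return data
    raise TimeoutError(f"{method} {path}: gave up after {max_attempts} attempts")


class FakeWriteServer:
    """Constructed stand-in: commits the record, loses the first reply, replays by key."""

    def __init__(self, drop_replies=1):
        self.drop_replies = drop_replies
        self.calls = 0
        self.created = 0
        self.store = {}

    def __call__(self, method, path, headers, body):
        self.calls += 1
        key = headers["Idempotency-Key"]
        if key in self.store:                 # duplicate request: replay, never create again
            return 200, self.store[key]
        if body.get("referenceId") is None:
            return 400, {"error": "referenceId required"}
        self.created += 1
        record = {"assessmentId": f"assess_{self.created:04d}", "status": "open",
                  "referenceId": body["referenceId"]}
        self.store[key] = record
        if self.drop_replies > 0:             # record committed, but the client never sees it
            self.drop_replies -= 1
            return 503, {"error": "upstream unavailable"}
        return 201, record
```

Deriving the key from the request body rather than a random UUID is what makes a re-run of the whole job safe, not just a retry within one process; the trade-off is that a deliberate second assessment with identical fields needs a distinguishing `referenceId`.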
Getting Started
- Schedule Integration Assessment
Book a 30‑minute session to confirm your modules, licensing, and authentication model.
- Supergood Builds and Validates Your API
We deliver a hardened SAI360 adapter tailored to your workflows and entitlements.
- Deploy with Monitoring
Go live with continuous monitoring and automatic adjustments as SAI360 evolves.
Frequently Asked Questions
Q: Which SAI360 modules can this integration cover?
Supergood supports workflows across commonly used modules such as Risk Management (Risks, Controls, KRIs), Audit Management (Plans, Procedures, Findings, CAPA), Compliance & Policies (Obligations, Policy Attestations), Third‑Party Risk (Vendors, Assessments, Questionnaires), Ethics & Compliance Learning (Assignments, Completions), and Incident/EHS, subject to your licensing and entitlements. We scope coverage during integration assessment.
Q: How are MFA and SSO handled for automation?
We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.
Q: Can you sync audit findings and remediation tasks to our issue tracking system?
Yes. We can normalize findings, CAPA items, and evidence to match your schema and push updates to systems like Jira or ServiceNow while complying with rate and permission constraints. Status changes are reconciled back into SAI360 with webhooks or polling.
Q: Are policy attestations and training completions supported?
Yes. We support recording policy acknowledgements, downloading attestation artifacts, assigning training, and retrieving completion data via normalized responses with checksum validation and time‑limited URLs for attachments.
Related Integrations
Intralinks API - Programmatically access the Intralinks VDR with Supergood
Ready to automate your SAI360 workflows?
Supergood can have your SAI360 integration live in days with no ongoing engineering maintenance.