Create custom control
POST /controls
curl --request POST \
  --url https://api.vanta.com/v1/controls \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "externalId": "<string>",
  "name": "<string>",
  "description": "<string>",
  "effectiveDate": "2023-11-07T05:31:56Z",
  "domain": "ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY",
  "sections": [
    {
      "frameworkId": "AU_E_8",
      "sectionId": "<string>"
    }
  ],
  "role": "BOTH",
  "customFields": [
    {
      "label": "<string>",
      "value": "<string>"
    }
  ]
}
'
{
  "id": "a2f7e1b9d0c3f4e5a6c7b8d9",
  "externalId": "CRY-104",
  "name": "Data encryption utilized",
  "description": "Access reviews are performed to ensure that access is appropriate for the user's role and responsibilities.",
  "source": "Vanta",
  "domains": [
    "CRYPTOGRAPHIC_PROTECTIONS"
  ],
  "owner": {
    "id": "65e1efde08e8478f143a8ff9",
    "emailAddress": "example-person@email.com",
    "displayName": "Example Owner"
  },
  "role": "CONTROLLER",
  "customFields": [
    {
      "label": "Additional context",
      "value": "This control is critical for GDPR compliance"
    }
  ],
  "creationDate": null,
  "modificationDate": null
}


Authorizations

Authorization (string, header, required)
    Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body (application/json)

externalId (string, required)
    The control's external ID.

name (string | null, required)
    The control's name.

description (string, required)
    The control's description.

effectiveDate (string<date-time>, required)
    The effective date of the control.

domain (enum<string>, required)
    The control's category.
    Available options:
    ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY,
    ASSET_MANAGEMENT,
    BUSINESS_CONTINUITY_&_DISASTER_RECOVERY,
    CAPACITY_&_PERFORMANCE_PLANNING,
    CHANGE_MANAGEMENT,
    CLOUD_SECURITY,
    COMPLIANCE,
    CONFIGURATION_MANAGEMENT,
    CONTINUOUS_MONITORING,
    CRYPTOGRAPHIC_PROTECTIONS,
    DATA_CLASSIFICATION_&_HANDLING,
    EMBEDDED_TECHNOLOGY,
    ENDPOINT_SECURITY,
    HUMAN_RESOURCES_SECURITY,
    IDENTIFICATION_&_AUTHENTICATION,
    INCIDENT_RESPONSE,
    INFORMATION_ASSURANCE,
    MAINTENANCE,
    MOBILE_DEVICE_MANAGEMENT,
    NETWORK SECURITY,
    PHYSICAL_&_ENVIRONMENTAL_SECURITY,
    PRIVACY,
    PROJECT_&_RESOURCE MANAGEMENT,
    RISK_MANAGEMENT,
    SECURE_ENGINEERING_&_ARCHITECTURE,
    SECURITY_AWARENESS_&_TRAINING,
    SECURITY_OPERATIONS,
    SECURITY_&_PRIVACY_GOVERNANCE,
    TECHNOLOGY_DEVELOPMENT_&_ACQUISITION,
    THIRD-PARTY_MANAGEMENT,
    THREAT_MANAGEMENT,
    VULNERABILITY_&_PATCH_MANAGEMENT,
    WEB_SECURITY,
    ADMINISTRATIVE,
    PHYSICAL,
    TECHNICAL,
    BASIC,
    DERIVED

sections (object[] | null)
    The framework sections that the control maps to.

role (enum<string>)
    The GDPR role of the control, which specifies whether the data is being "collected" or "processed". This field should only be included for controls that are to be mapped to the GDPR framework.
    Available options: BOTH, CONTROLLER, PROCESSOR

customFields (object[])
    The control's values for custom fields.

Response

201 - application/json: Custom Control created

id (string, required)
    The control's unique ID.

externalId (string | null, required)
    The control's external ID.

name (string, required)
    The control's name.

description (string, required)
    The control's description.

source (enum<string>, required)
    The control's source, either "VANTA" or "CUSTOM".
    Available options: Vanta, Custom

domains (string[], required)
    The security domains that the control belongs to.

owner (object, required)
    The control's owner.

customFields (object[], required)
    The control's custom field values, if control custom fields are included in your Vanta instance.

creationDate (string<date-time> | null, required)
    When the control was created. Returns null for Vanta library controls.

modificationDate (string<date-time> | null, required)
    When the control was last modified. Returns null for Vanta library controls.

role (string | null)
    The control's GDPR role, if the control is a GDPR control.
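The following is an added example, not Vanta's own client code, showing how a caller would build a request body that respects the schema documented above (required fields, the domain and role enums, the shape of sections and customFields), send it to POST /controls, and check that the 201 response carries every field the response schema marks required. The transport is injectable so the validation and response handling run offline; fake_send, the sample sectionId "8.1" and the rule that role is rejected unless a framework section mapping is present are this example's own assumptions, not behaviour the page documents.

```python
# Added example (not Vanta's client code): schema-checked client for POST /controls.
# `send` is an injectable transport so everything below can run offline.
import json
import urllib.request
from datetime import datetime

API_URL = "https://api.vanta.com/v1/controls"

# Enum values copied verbatim from the "domain" field on this page.
DOMAINS = frozenset({
    "ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY", "ASSET_MANAGEMENT",
    "BUSINESS_CONTINUITY_&_DISASTER_RECOVERY", "CAPACITY_&_PERFORMANCE_PLANNING",
    "CHANGE_MANAGEMENT", "CLOUD_SECURITY", "COMPLIANCE", "CONFIGURATION_MANAGEMENT",
    "CONTINUOUS_MONITORING", "CRYPTOGRAPHIC_PROTECTIONS", "DATA_CLASSIFICATION_&_HANDLING",
    "EMBEDDED_TECHNOLOGY", "ENDPOINT_SECURITY", "HUMAN_RESOURCES_SECURITY",
    "IDENTIFICATION_&_AUTHENTICATION", "INCIDENT_RESPONSE", "INFORMATION_ASSURANCE",
    "MAINTENANCE", "MOBILE_DEVICE_MANAGEMENT", "NETWORK SECURITY",
    "PHYSICAL_&_ENVIRONMENTAL_SECURITY", "PRIVACY", "PROJECT_&_RESOURCE MANAGEMENT",
    "RISK_MANAGEMENT", "SECURE_ENGINEERING_&_ARCHITECTURE", "SECURITY_AWARENESS_&_TRAINING",
    "SECURITY_OPERATIONS", "SECURITY_&_PRIVACY_GOVERNANCE",
    "TECHNOLOGY_DEVELOPMENT_&_ACQUISITION", "THIRD-PARTY_MANAGEMENT", "THREAT_MANAGEMENT",
    "VULNERABILITY_&_PATCH_MANAGEMENT", "WEB_SECURITY", "ADMINISTRATIVE", "PHYSICAL",
    "TECHNICAL", "BASIC", "DERIVED",
})
ROLES = frozenset({"BOTH", "CONTROLLER", "PROCESSOR"})
# Fields the 201 response schema marks as required.
RESPONSE_REQUIRED = ("id", "externalId", "name", "description", "source", "domains",
                     "owner", "customFields", "creationDate", "modificationDate")


class ControlValidationError(ValueError):
    """Raised when a request body would violate the documented schema."""


def build_control_body(external_id, name, description, effective_date, domain,
                       sections=None, role=None, custom_fields=None):
    """Return a dict matching the request schema; reject bad input before it leaves the host."""
    for label, value in (("externalId", external_id), ("description", description)):
        if not isinstance(value, str) or not value.strip():
            raise ControlValidationError(f"{label} must be a non-empty string")
    try:  # page shows RFC 3339 with a trailing Z; fromisoformat needs +00:00 on Python < 3.11
        datetime.fromisoformat(effective_date.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        raise ControlValidationError(f"effectiveDate is not an RFC 3339 timestamp: {effective_date!r}")
    if domain not in DOMAINS:
        raise ControlValidationError(f"unknown domain {domain!r}")
    body = {"externalId": external_id, "name": name, "description": description,
            "effectiveDate": effective_date, "domain": domain}
    if sections is not None:
        for s in sections:
            if set(s) != {"frameworkId", "sectionId"}:
                raise ControlValidationError(f"section needs exactly frameworkId and sectionId: {s!r}")
        body["sections"] = list(sections)
    if role is not None:
        if role not in ROLES:
            raise ControlValidationError(f"unknown role {role!r}")
        if not sections:  # assumption of this example: role only makes sense with a mapping
            raise ControlValidationError("role is only meaningful with a framework section mapping")
        body["role"] = role
    if custom_fields is not None:
        for cf in custom_fields:
            if set(cf) != {"label", "value"} or not all(isinstance(v, str) for v in cf.values()):
                raise ControlValidationError(f"custom field needs string label and value: {cf!r}")
        body["customFields"] = list(custom_fields)
    return body


def is_rejected(*args, **kwargs):
    """True when build_control_body refuses the input (used by the demo and tests)."""
    try:
        build_control_body(*args, **kwargs)
    except ControlValidationError:
        return True
    return False


def _urllib_send(token, payload):
    """Default transport. urllib raises HTTPError for 4xx/5xx before we see a status."""
    req = urllib.request.Request(API_URL, data=payload, method="POST", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def create_control(token, body, send=None):
    """POST the body and return the parsed 201 response after checking its required fields."""
    status, raw = (send or _urllib_send)(token, json.dumps(body).encode())
    if status != 201:  # never include the token in the error; only a bounded body excerpt
        raise RuntimeError(f"create control failed with HTTP {status}: {raw[:200]!r}")
    control = json.loads(raw)
    missing = [k for k in RESPONSE_REQUIRED if k not in control]
    if missing:
        raise RuntimeError(f"response missing required fields: {missing}")
    return control


# Constructed offline transport that replays the 201 example shown on this page.
EXAMPLE_RESPONSE = {
    "id": "a2f7e1b9d0c3f4e5a6c7b8d9", "externalId": "CRY-104", "name": "Data encryption utilized",
    "description": "Access reviews are performed to ensure that access is appropriate for the user's role and responsibilities.",
    "source": "Vanta", "domains": ["CRYPTOGRAPHIC_PROTECTIONS"],
    "owner": {"id": "65e1efde08e8478f143a8ff9", "emailAddress": "example-person@email.com",
              "displayName": "Example Owner"},
    "role": "CONTROLLER",
    "customFields": [{"label": "Additional context", "value": "This control is critical for GDPR compliance"}],
    "creationDate": None, "modificationDate": None,
}


def fake_send(token, payload):
    """Constructed transport: checks the payload is JSON and returns the page's example."""
    json.loads(payload)
    return 201, json.dumps(EXAMPLE_RESPONSE).encode()


if __name__ == "__main__":
    body = build_control_body("CRY-104", "Data encryption utilized", "Customer data is encrypted at rest.",
                              "2023-11-07T05:31:56Z", "CRYPTOGRAPHIC_PROTECTIONS",
                              sections=[{"frameworkId": "AU_E_8", "sectionId": "8.1"}], role="CONTROLLER")
    print(create_control("<token>", body, send=fake_send)["id"])
```

Validating the enums and timestamp locally keeps malformed controls from reaching the compliance record in the first place, and the error path deliberately reports only the HTTP status and a bounded excerpt of the response so the bearer token is never copied into logs.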