Archer API

Archer is governance, risk, and compliance (GRC) software used by enterprises to manage risk registers, controls libraries, policies and standards, audit programs, issues and findings, third‑party risk assessments, and business resilience. An unofficial API lets you programmatically p

By Alex Klarfeld, January 26, 2026

What is Archer?

Archer is a cloud and on‑premise platform for integrated risk management (IRM) and GRC. It centralizes enterprise and operational risk, IT & security risk, third‑party governance, audit management, policy & compliance, and business resilience in configurable applications with workflow, approvals, and role-based access.

Core product areas include:

  • Enterprise & Operational Risk (Risk Register, Risk Assessments, Loss Events)
  • IT & Security Risk (Control Catalogs, Control Testing, Issues/Findings, Vulnerability/Risk Treatment)
  • Third‑Party Governance (Vendor Records, Due Diligence, Questionnaires, Continuous Monitoring)
  • Audit Management (Audit Planning, Engagements, Tests, Findings, Remediation)
  • Policy & Compliance (Policies, Standards, Control Mapping, Attestations)
  • Business Resilience (BC/DR Plans, Exercises, Incident Tracking)

Common data entities:

  • Organizations, Users, Roles/Permissions
  • Risks (titles, categorizations, likelihood, impact, ratings, treatment)
  • Controls (framework mapping, owners, testing status)
  • Policies & Standards (versions, publication state, acknowledgments)
  • Issues/Findings (classification, severity, remediation plan, status)
  • Audit Engagements & Tests (scope, procedures, evidence, results)
  • Assessments & Questionnaires (templates, sections, responses, scoring)
  • Third Parties/Vendors (risk tier, contacts, assessments, residual risk)
  • Evidence & Attachments (files, checksums, retention)
  • Exceptions & Remediation Tasks (waivers, compensating controls, due dates)

The Archer Integration Challenge

GRC teams rely on Archer every day, but turning portal-based workflows into API-driven automation is non-trivial:

  • Configurable applications: Each customer’s Archer instance has custom fields, references, and workflows that vary by module
  • Approval rigor: Risks, issues, and audit findings often move through gated workflows with attestation and sign-off requirements
  • Role-aware access: Sensitive objects and fields are scoped by business unit, function, and user entitlements
  • Authentication complexity: SSO/MFA (SMS, email, TOTP) and session lifecycles complicate headless automation
  • Evidence handling: Large attachments, checksum validation, and retention policies require careful treatment
  • Cross-linking: Records reference risks, controls, vendors, and audits across modules with standardized relationships

How Supergood Creates Archer APIs

Supergood reverse-engineers authenticated browser flows and network interactions to deliver a resilient API endpoint layer for your Archer tenant.

  • Handles username/password, SSO/OAuth, and MFA (SMS, email, TOTP) securely
  • Maintains session continuity with automated refresh and change detection
  • Normalizes responses so you can integrate once and rely on consistent objects across configurable applications
  • Aligns with customer entitlements and role-based permissions to ensure compliant access

Getting Started

  • Schedule Integration Assessment

Book a 30-minute session to confirm your modules, licensing, and authentication model.

  • Supergood Builds and Validates Your API

We deliver a hardened Archer adapter tailored to your workflows and entitlements.

  • Deploy with Monitoring

Go live with continuous monitoring and automatic adjustments as Archer evolves.

API Endpoints

Authentication

POST /sessions

Establish a session using credentials. Supergood manages MFA (SMS, email, TOTP) and SSO/OAuth when enabled. Returns a short-lived auth token maintained by the platform.

Authentication

POST /sessions/refresh

Refresh an existing token to keep sessions uninterrupted.

Risks

GET /risks

List risks with filters and summary details.

Issues & Findings

POST /issues

Create an issue/finding with classification, severity, and remediation metadata.

Third‑Party Assessments

POST /third-parties/{vendorId}/assessments

Launch a vendor risk assessment using a questionnaire template.

Audit Findings

PATCH /audits/{engagementId}/findings/{findingId}

Update finding disposition, owner, remediation, and attach evidence.
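The endpoints above are the whole of what this page documents; the request and response shapes are not. The following is an added example, not Supergood's code, showing how a client would drive POST /sessions and POST /issues while using the retry, backoff and idempotency-key behaviour the Technical Specifications section promises. It assumes a bearer token returned in a `token` field, an `Idempotency-Key` request header, and an issue `id` in the create response; all three are assumptions, and the server is an in-memory stand-in constructed for the example so it runs offline.

```python
import time
import uuid
from dataclasses import dataclass, field


class TransientError(Exception):
    """Transport-level failure: the request may or may not have been processed."""


@dataclass
class FakeArcherServer:
    """Constructed in-memory stand-in for the adapter; not Supergood's service."""
    issues: dict = field(default_factory=dict)     # issue id -> payload
    seen_keys: dict = field(default_factory=dict)  # Idempotency-Key -> issue id
    tokens: set = field(default_factory=set)       # currently valid session tokens
    drop_next_responses: int = 0                   # replies to lose after processing

    def handle(self, method, path, headers, body):
        if (method, path) == ("POST", "/sessions"):
            token = "tok-" + uuid.uuid4().hex[:8]
            self.tokens.add(token)
            return 201, {"token": token}          # assumed response shape
        if headers.get("Authorization", "").removeprefix("Bearer ") not in self.tokens:
            return 401, {"error": "session expired or invalid"}
        if (method, path) == ("POST", "/issues"):
            key = headers.get("Idempotency-Key")   # assumed header name
            if key in self.seen_keys:
                issue_id = self.seen_keys[key]     # replay: reuse the earlier result
            else:
                issue_id = f"ISS-{len(self.issues) + 1:04d}"
                self.issues[issue_id] = body
                if key:
                    self.seen_keys[key] = issue_id
            if self.drop_next_responses > 0:       # record written, reply never arrives
                self.drop_next_responses -= 1
                raise TransientError("response lost after the record was written")
            return 201, {"id": issue_id}
        return 404, {"error": "unknown route"}


class ArcherClient:
    """Minimal client: login, bearer auth, re-auth on 401, backoff on lost replies."""

    def __init__(self, server, max_attempts=4, base_delay=0.01, sleep=time.sleep):
        self.server, self.max_attempts = server, max_attempts
        self.base_delay, self.sleep = base_delay, sleep
        self.token = None

    def login(self):
        # Credentials are placeholders; a real deployment would use a service account.
        _, body = self.server.handle("POST", "/sessions", {},
                                     {"username": "svc-account", "password": "<placeholder>"})
        self.token = body["token"]

    def _request(self, method, path, body, extra_headers=None):
        for attempt in range(self.max_attempts):
            headers = {"Authorization": f"Bearer {self.token}", **(extra_headers or {})}
            try:
                status, resp = self.server.handle(method, path, headers, body)
            except TransientError:
                self.sleep(self.base_delay * (2 ** attempt))  # exponential backoff
                continue
            if status == 401:                      # session lapsed: re-establish, retry
                self.login()
                continue
            return status, resp
        raise RuntimeError(f"{method} {path}: no response after {self.max_attempts} attempts")

    def create_issue(self, payload, idempotent=True):
        # One key per logical create; every retry of that create reuses the same key.
        headers = {"Idempotency-Key": str(uuid.uuid4())} if idempotent else {}
        return self._request("POST", "/issues", payload, headers)


def demo():
    """Returns issue counts after a lost reply with and without an idempotency key."""
    server = FakeArcherServer()
    client = ArcherClient(server, sleep=lambda _s: None)   # no real sleeping in the demo
    client.login()
    finding = {"title": "Unpatched host", "severity": "High", "classification": "Vulnerability"}

    server.drop_next_responses = 1                 # first reply is lost -> client retries
    _, resp = client.create_issue(finding)
    with_key = len(server.issues)                  # 1: the replay returned the same id

    server.tokens.clear()                          # simulate session expiry
    client.create_issue({"title": "Expired control test", "severity": "Medium"})
    after_reauth = len(server.issues)              # 2: the 401 triggered a re-login

    server.drop_next_responses = 1
    client.create_issue(finding, idempotent=False)
    without_key = len(server.issues)               # 4: the blind retry wrote a duplicate

    return with_key, after_reauth, without_key, resp["id"]


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo()` is the point: a lost response after the server has already written the record is indistinguishable from a request that never arrived, so a retry without a key creates a duplicate finding, while a retry carrying the same key is answered with the original record. A production client would also add jitter to the backoff and bound the total retry time.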

Use Cases

Risk & Control Data Sync

  • Mirror risk registers and control catalogs into your internal analytics, data warehouse, or GRC hub
  • Keep ratings, treatment, and ownership current across business units
  • Normalize risk categories, frameworks (e.g., ISO, NIST), and mappings for multi-tenant operations

Issue & Remediation Automation

  • Create Archer issues/findings directly from security tools, scans, or monitoring alerts
  • Push remediation tasks and status updates from ITSM/ticketing systems
  • Attach evidence and track closure dates to drive SLA alerts and governance reporting

Third‑Party Risk Assessments

  • Launch vendor questionnaires from your platform and notify vendor contacts automatically
  • Ingest responses, scores, and residual risk; trigger follow-ups
  • Escalate overdue assessments and reconcile vendor tiers across systems

Audit Management & Evidence

  • Pull audit engagements and findings to power dashboards or external auditor portals
  • Update finding dispositions and remediation plans; upload evidence files with checksum validation
  • Synchronize test results and issues with engineering and operations tools
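The evidence use case above mentions checksum validation but not how it is done. The following added example (not Supergood's or Archer's code) shows the pattern a client and an evidence endpoint would use: the client hashes the attachment in chunks before upload and sends the digest alongside the bytes, and the server recomputes the hash and refuses to store anything that does not match. The `EvidenceStore` class, its 422 response and the sample log file are all constructed for the example; the page documents no such endpoint shape.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024   # hash in 64 KiB pieces so large attachments never sit wholly in memory


def sha256_stream(fileobj):
    """Return the hex SHA-256 of a readable binary file object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


class EvidenceStore:
    """Constructed stand-in for an evidence endpoint; verifies integrity before storing."""

    def __init__(self):
        self.attachments = {}   # finding id -> list of stored evidence records

    def attach(self, finding_id, filename, data, declared_sha256):
        actual = sha256_stream(io.BytesIO(data))
        # compare_digest avoids leaking where two digests first differ
        if not hmac.compare_digest(actual, declared_sha256):
            return 422, {"error": "checksum mismatch",
                         "declared": declared_sha256, "actual": actual}
        record = {"filename": filename, "size": len(data), "sha256": actual}
        self.attachments.setdefault(finding_id, []).append(record)
        return 201, record


def upload_evidence(store, finding_id, filename, fileobj):
    """Client side: hash first, then send bytes plus digest so the server can verify."""
    digest = sha256_stream(fileobj)
    fileobj.seek(0)
    return store.attach(finding_id, filename, fileobj.read(), digest)


def demo():
    """Returns (status of a good upload, status of a tampered one, stored count, digest ok)."""
    store = EvidenceStore()
    original = b"Patch verification log\nhost=web-01 status=patched\n"   # constructed sample
    ok_status, ok_record = upload_evidence(
        store, "FND-0001", "patch-log.txt", io.BytesIO(original))

    # A corrupted or altered copy sent with the original digest must be rejected.
    tampered = original.replace(b"patched", b"pending")
    bad_status, _ = store.attach("FND-0001", "patch-log.txt", tampered, ok_record["sha256"])

    digest_ok = ok_record["sha256"] == hashlib.sha256(original).hexdigest()
    return ok_status, bad_status, len(store.attachments["FND-0001"]), digest_ok


if __name__ == "__main__":
    print(demo())
```

Storing the verified digest with the record (as `attach()` does) is what makes later retention and audit checks possible: anyone pulling the evidence back can recompute the hash and confirm the file is the one that was originally attached to the finding.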

Technical Specifications

Authentication

Username/password with MFA (SMS, email, TOTP) and SSO/OAuth where enabled; supports service accounts or customer-managed credentials

Response format

JSON with consistent resource schemas and pagination across Archer applications

Rate limits

Tuned for enterprise throughput while honoring customer entitlements and usage controls

Session management

Automatic reauth and cookie/session rotation with health checks

Data freshness

Near real-time retrieval of risks, controls, issues, audits, assessments, vendors, and policy objects

Security

Encrypted transport, scoped tokens, and audit logging; respects Archer role-based permissions and workflow states

Webhooks

Optional asynchronous delivery for long-running workflows (e.g., assessment responses, approval transitions)

Latency

Sub-second responses for list/detail queries under normal load

Throughput

Designed for high-volume risk register sync, assessment launching, and issue/update processing

Reliability

Retry logic, backoff, and idempotency keys minimize duplicate actions

Adaptation

Continuous monitoring for UI/API changes with rapid adapter updates

Frequently asked questions

Supergood supports workflows across commonly used modules such as Enterprise/Operational Risk (Risk Register, Assessments), IT & Security Risk (Controls, Testing, Issues/Findings), Third‑Party Governance (Vendors, Questionnaires), Audit Management (Engagements, Findings, Evidence), and Policy & Compliance (Policies, Attestations), subject to your licensing and entitlements. We scope coverage during integration assessment.

We support username/password + MFA (SMS, email, TOTP) and can operate behind SSO/OAuth when enabled. Sessions are refreshed automatically with secure challenge handling.

Yes. We can normalize Archer issues/findings, remediation plans, and evidence to match your ITSM/ticketing schema and deliver updates via webhooks or polling while complying with rate and permission constraints. We commonly integrate with ServiceNow and Jira.
