# Whistic

SureCloud connects to Whistic to retrieve vendor security profiles, risk assessment questionnaire completion status, and vendor review records. This allows SureCloud to verify that third-party vendor risk assessments are being conducted, that vendors have completed the required security questionnaires, and that the overall vendor risk programme is active — providing evidence for third-party risk management controls.

## Authentication and setup

Whistic authenticates API requests using an API key associated with your Whistic account.

{% stepper %}
{% step %}

### Generate an API key in Whistic

Log in to your Whistic account at [whistic.com](https://whistic.com/). Navigate to **Settings → Integrations → API** and click **Generate API Key**. Name it `SureCloud CCM`. Copy the key.
{% endstep %}

{% step %}

### Enter the API key in SureCloud

Navigate to **SureCloud → Integrations → Whistic → Connect**. Paste the API key and click **Save**.
{% endstep %}

{% step %}

### Test the connection

Click **Test Connection**. SureCloud will verify the key and confirm access to vendor and assessment data.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the API key securely. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Whistic → Settings → Integrations → API** and update it in **SureCloud → Integrations → Whistic → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                   | Use Case                                                                       |
| -------------------------- | ------------------------------------------------------------------------------ |
| `GET /v1/vendors`          | Enumerate vendors under assessment or review                                   |
| `GET /v1/vendors/{id}`     | Retrieve individual vendor detail including risk tier and last assessment date |
| `GET /v1/assessments`      | Retrieve assessment records including questionnaire completion status          |
| `GET /v1/assessments/{id}` | Retrieve individual assessment detail including responses and risk findings    |
| `GET /v1/profiles`         | Retrieve vendor-submitted security profiles and their completeness             |

## Pagination

`GET /v1/vendors` and `GET /v1/assessments` use page-based pagination. SureCloud increments the `page` parameter until the returned count falls below the page size.

```json
GET /v1/vendors?page=2&per_page=100
```

## Required permissions

Whistic API keys are account-scoped and provide read-only access to vendor, assessment, and profile data. No write, approve, or questionnaire-send permissions are required.

## Polling frequency

| Data Type                       | Interval       |
| ------------------------------- | -------------- |
| Vendor inventory and risk tiers | Every 24 hours |
| Assessment completion status    | Every 24 hours |
| Vendor security profiles        | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns 401 Unauthorized</summary>

The API key is invalid or has been revoked. Navigate to **Whistic → Settings → Integrations → API**, regenerate the key, and update it in **SureCloud → Integrations → Whistic → Edit Connection**.

</details>

<details>

<summary>Vendor list returns fewer records than shown in the Whistic console</summary>

SureCloud returns vendors accessible to the account associated with the API key. If the account has restricted access within the Whistic organisation, some vendors may not be returned. Confirm the API key account has full organisation visibility in Whistic.

</details>

<details>

<summary>Assessment records are incomplete</summary>

Assessments in draft status or those awaiting vendor response may not include complete questionnaire data. SureCloud collects assessments in all states, but incomplete assessments will have partial data. This is expected and reflects the current state of the vendor review process.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/whistic.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.