Skip to content
INFIMA Knowledge Base

Drata

When a client is using Drata for compliance automation (SOC 2, HIPAA, ISO 27001, NIST AI, and so on), every training requirement in their framework needs evidence — usually a completion certificate. The Drata integration handles that automatically: when a user at the client finishes a course you’ve mapped to a Drata training requirement, we push the certificate to Drata as evidence of that requirement, no manual upload, no chasing employees for screenshots.

Unlike the PSA integrations (ConnectWise, Autotask, HaloPSA), Drata is configured per-client — each of your clients has their own Drata tenant. You set up the integration on each client’s Tailor screen separately.

You’ll need

  • The client must have an active Drata account and be already onboarded to whichever framework requires the training evidence (SOC 2, HIPAA, etc.).
  • Admin access in Drata for the client’s tenant — needed to generate an API key.
  • Access to Tailor for the client in INFIMA (a partner-level admin, or an admin scoped to that client).

Walkthrough — Drata side

  1. Sign in to the client’s Drata tenant with an admin account.

  2. Open Settings → API Keys in Drata.

  3. Generate a new API key scoped to the integration’s needs. Give it an identifiable name (e.g., INFIMA Training Sync) so it’s recognizable when rotating later. Copy the key — Drata only shows it in full once.

Walkthrough — INFIMA side

  1. Open the client in INFIMA and navigate to Tailor → Integrations.

  2. Click Connect Drata. A field appears for the Drata API Key. Paste the key from the previous walkthrough.

  3. Click Connect. We validate the key against Drata’s API. If it succeeds, the panel switches to the connected state — status badge, last sync timestamp, and the Course Mappings form below.

  4. Map each Drata training requirement to an INFIMA course:

    • Security Training — pick the INFIMA course that satisfies Drata’s general security training requirement, or leave on Any completed course to count any completed training as evidence (useful when the client is on multiple frameworks and any completion should signal compliance).
    • HIPAA Training — pick the HIPAA-specific course you use for healthcare clients, or leave as Not required if this client isn’t on a HIPAA-bearing framework.
    • NIST AI Training — pick the NIST AI-specific course if the client’s framework includes AI risk management, or leave as Not required.

  5. Click Save Changes at the top right when the mappings differ from what’s saved. The next sync will start pushing certificates for the courses you mapped.

What syncs and when

  • On Sync Now — clicking the button on the integration panel queues an immediate sync. We walk every completed course mapped to a Drata requirement and push the matching certificate to Drata’s API.
  • On course completion — when a user finishes a mapped course going forward, we push the certificate to Drata shortly after the completion event lands.
  • What lands in Drata — the PDF certificate, the user’s identity, the completion timestamp, and which training requirement it satisfies. Drata’s UI lists it under the framework’s training requirement as collected evidence.

We don’t read anything back from Drata — the sync is one-way (INFIMA → Drata). Changing the mapping after some certificates have already synced doesn’t retroactively un-sync them; the historical evidence stays in Drata.

You’ll know it worked when

  • The integration panel shows Connected with a recent Last sync timestamp and no error banner.
  • In Drata, navigate to the framework’s training requirements section — the mapped requirements show your INFIMA users as having submitted training evidence.
  • New users who complete a mapped course show up in Drata’s evidence list within minutes (not days).

Frequently asked

The integration shows “Sync error” with a message about the API key. Drata revoked or rotated the key, or it expired. Generate a new key in Drata (Settings → API Keys), then click Connect Drata in INFIMA and re-paste the new key. The existing course mappings carry over once the new connection is validated.

I changed an INFIMA course mapping. Does Drata get a re-sync of historical completions? No — the sync only handles new completions and re-pushes from the Sync Now button. If you change a mapping and want historical completions for the new course to land in Drata, click Sync Now after saving.

Can I map more than one INFIMA course to a single Drata requirement? Not currently. Each Drata training requirement maps to one INFIMA course (or to “Any completed course” as a catch-all). If your client needs multiple specific courses to both count, the workaround is to pick “Any completed course” and rely on Drata’s reporting to confirm each user has multiple completions.

The mappings I see don’t match the Drata requirements my framework actually asks for. The dashboard surfaces the three most commonly-used Drata training requirements (Security, HIPAA, NIST AI). If your client’s framework has a requirement we don’t surface yet — say, PCI DSS-specific training — contact our support team.

A user appears in Drata but their training completion isn’t showing as evidence. Three things to check, in order: (1) the user completed an INFIMA course that’s currently mapped to a Drata requirement, not one they completed before you set up the mapping; (2) the integration status is Connected (not “Sync error”); (3) at least 10–15 minutes have passed since the completion (the push isn’t instantaneous). If all three look fine, click Sync Now and watch for the timestamp to refresh.

I disconnected the integration accidentally. Did I lose the historical evidence in Drata? No. Disconnecting clears the connection on our side; the certificates already pushed to Drata stay there. Re-connecting with a fresh API key picks up new completions from that point forward.

Can my client see what I’ve mapped? The mapping is configured on your side under Tailor; the client doesn’t see your mapping configuration. They see the result — completion certificates landing in Drata as evidence — but not which INFIMA course you chose to map.

  • Integrations overview — how the per-client integrations like Drata fit alongside partner-level ones like the PSAs.
  • Welcome email and onboarding — how the curriculum gets configured per client, which determines which courses are available to map.
  • Reporting API — the more general-purpose data export option if Drata’s training-requirements model doesn’t fit your client’s needs.