DATE:
AUTHOR:
The Drata Team

Improved notes and observations in Security Reviews

Note: This feature is available in the New Drata Experience only.

Security Reviews now give teams clearer ways to capture internal reasoning and vendor-specific findings during the review process.

Why It Matters

  • Teams can document internal reasoning without mixing it with vendor-facing review context.

  • Internal Notes support audit defensibility, especially when reviewers override AI-generated assessments.

  • Observations remain focused on vendor-specific posture details and can support follow-up risk workflows.

What’s New

  • Security Reviews now support two annotation types: Internal Notes and Observations.

  • Teams can add notes or observations at either the general review level or the specific criterion level.

  • Context is automatically pre-populated based on where the entry is created.

  • Both Internal Notes and Observations support up to 30,000 characters.

  • For current vendors, observations can be converted into risks after the review is finalized.

Notes

  • Internal Notes are private to your organization.

  • Observations are visible to review participants but are not shared externally with the vendor.

Learn more: Internal Notes and Observations in Security Reviews (New Experience)
