Compliance evidence packs

Evidence packs prepare documentation for audit review. They do not by themselves guarantee compliance.

Last updated 4/4/2026

Evidence packs collect the artifacts an auditor typically needs for a control review — alerts, investigations, approvals, briefs and timeline events — mapped to specific control IDs.

Frameworks supported out of the box

  • SOC 2 Type II
  • ISO 27001 (Annex A)
  • PCI DSS (event-monitoring controls)
  • NIST CSF (Detect and Respond)

What a pack contains

  • A control mapping (e.g. SOC 2 CC7.3 → list of investigations + approvals in scope)
  • Underlying evidence references that are immutable and timestamped
  • An export trail showing who downloaded the pack and when

What evidence packs are not

  • They are not an attestation of compliance. They are a curated set of records that supports an auditor's review.
  • They do not replace the customer's compliance program, control owners or external auditor.
  • They do not modify the underlying evidence — packs are read-only views on top of audit records.
Related articles