How-to

Evidence uploads, metadata, and the chain back to controls

Store certificates, screenshots, and logs alongside the control or policy they back.

1 min read · Last updated 26 April 2026

Any file you'd hand to an auditor belongs in Evidence. Supported categories cover documents, screenshots, reports, certificates, audit logs, configurations, and training records.

Every evidence record should point at something. Each piece of evidence can be linked to a control or a policy — or both — so auditors can trace the chain from framework section → control → supporting evidence. Unlinked evidence is just cloud storage.

Validity tracking. Use valid_from / valid_until for things that expire (certifications, pen-test reports, training attestations). The dashboard's "Expiring & overdue" panel surfaces evidence nearing or past its valid_until so nothing lapses silently.
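A pre-audit check over an exported list of evidence records, covering both the linking rule and validity tracking described above. This is an added example, not the product's code or API: the record shape (`id`, `control_id`, `policy_id`), the ISO date strings, the finding labels, and the 30-day warning window are all assumptions; only `valid_from` and `valid_until` come from this page.

```python
from datetime import date, timedelta

# Constructed sample records. Field names other than valid_from / valid_until
# (id, control_id, policy_id) are assumptions, not the product's schema.
SAMPLE_EVIDENCE = [
    {"id": "ev-1", "control_id": "ctl-7", "policy_id": None,
     "valid_from": "2025-06-01", "valid_until": "2026-05-10"},
    {"id": "ev-2", "control_id": None, "policy_id": None,
     "valid_from": None, "valid_until": None},
    {"id": "ev-3", "control_id": "ctl-2", "policy_id": "pol-1",
     "valid_from": "2025-01-15", "valid_until": "2026-01-15"},
    {"id": "ev-4", "control_id": None, "policy_id": "pol-3",
     "valid_from": "2026-06-01", "valid_until": "2027-06-01"},
    {"id": "ev-5", "control_id": "ctl-9", "policy_id": None,
     "valid_from": "2026-09-01", "valid_until": "2026-03-01"},
]


def _parse(value):
    """ISO date string -> date; None/empty means the field is not set."""
    return date.fromisoformat(value) if value else None


def review_evidence(records, today, warn_days=30):
    """Return {evidence id: [findings]} for records an auditor would question."""
    findings = {}
    for rec in records:
        issues = []
        if not rec.get("control_id") and not rec.get("policy_id"):
            issues.append("unlinked")  # no chain back to a control or policy
        start, end = _parse(rec.get("valid_from")), _parse(rec.get("valid_until"))
        if start and end and end < start:
            issues.append("invalid-window")  # valid_until precedes valid_from
        elif end and end < today:
            issues.append("overdue")
        elif end and end - today <= timedelta(days=warn_days):
            issues.append("expiring")
        if start and start > today and "invalid-window" not in issues:
            issues.append("not-yet-valid")  # cannot back a control yet
        if issues:
            findings[rec["id"]] = issues
    return findings


if __name__ == "__main__":
    for ev_id, issues in review_evidence(SAMPLE_EVIDENCE, date(2026, 4, 26)).items():
        print(ev_id, ", ".join(issues))
```

Records with no `valid_until` are treated as non-expiring, so they are reported only if they are unlinked.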

Files are stored in encrypted Cloudflare R2 storage scoped to your tenant. Download URLs are authenticated: you need a valid JWT to retrieve a file.