Show the work behind your opinion.
When you attest to an Evidence Pack, your signature is tied to a specific set of artifacts. Relying parties don't just trust your judgment. They can see what informed it.
Your review, documented
Every file you examined is listed with its cryptographic hash. No ambiguity about scope.
Comparable over time
When the same vendor sends next year's pack, anyone can diff exactly what changed.
Rigor that's visible
A thorough review looks the same as a cursory one until you can show what's underneath.
Your signature includes the list
When you attest to an Evidence Pack, your signature covers the manifest. The manifest lists every file and its hash, so anyone who receives the pack can see exactly what you reviewed and what informed your opinion.
What you might review
Evidence Packs can include more than just the final report. A thorough review might cover supporting artifacts that demonstrate the controls in practice.
The manifest records exactly which artifacts you examined. When you sign it, relying parties see the full scope of your review. Packs can optionally declare a profile, letting you verify completeness before diving in.
How it works
The workflow is simple. You receive a pack, review it as you normally would, and sign the manifest when you're satisfied.
Vendor sends the pack
You receive a ZIP with artifacts and a manifest listing every file with its hash.
You review it
Same process as always. Read the reports, check the controls, form your opinion.
Your signature goes on the manifest
Now anyone who receives that pack can see exactly what you reviewed and that it hasn't changed.
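The check a relying party can run on a received pack, and the year-over-year comparison mentioned earlier, shown as an added example that is not Evidence Pack tooling or code from this page. The manifest file name, its JSON layout and the use of SHA-256 are assumptions made for illustration, and verifying the signature over the manifest is left out.

```python
import hashlib, io, json, zipfile

MANIFEST = "manifest.json"  # assumed name and layout, not taken from the pack format

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_pack(zip_bytes):
    """Return ({path: hash} from the manifest, [(problem, path), ...])."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        listed = {e["path"]: e["sha256"] for e in manifest["files"]}
        names = [i.filename for i in zf.infolist()
                 if not i.is_dir() and i.filename != MANIFEST]
        present = set(names)
        # Two ZIP entries with one name make "the file" ambiguous: flag it.
        problems += [("duplicate_entry", n) for n in sorted(present) if names.count(n) > 1]
        problems += [("missing", p) for p in sorted(listed.keys() - present)]
        problems += [("unlisted", p) for p in sorted(present - listed.keys())]
        problems += [("hash_mismatch", p) for p in sorted(listed.keys() & present)
                     if sha256_hex(zf.read(p)) != listed[p]]
    return listed, problems

def diff_manifests(old, new):
    """Compare two {path: hash} maps, e.g. last year's pack and this year's."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def build_pack(files, tamper=None):
    """Build a constructed sample pack; `tamper` swaps file bytes after hashing."""
    manifest = {"files": [{"path": p, "sha256": sha256_hex(d)} for p, d in files.items()]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, json.dumps(manifest))
        for p, d in files.items():
            zf.writestr(p, (tamper or {}).get(p, d))
    return buf.getvalue()

# Constructed sample contents for two consecutive packs from one vendor.
YEAR1 = {"reports/soc2.pdf": b"2023 report", "evidence/access-review.csv": b"q4 review"}
YEAR2 = {**YEAR1, "reports/soc2.pdf": b"2024 report", "evidence/pentest.pdf": b"summary"}

if __name__ == "__main__":
    old, _ = verify_pack(build_pack(YEAR1))
    new, problems = verify_pack(build_pack(YEAR2, tamper={"evidence/pentest.pdf": b"edited"}))
    print(problems, diff_manifests(old, new))
```

A pack that produces any problem entry does not match its manifest, so a signature over that manifest says nothing about the files actually delivered.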
When every audit looks the same on paper, showing your work is how you stand out.
Evidence Packs make that easy. Your signature, tied to exactly what you reviewed, shareable with anyone who needs to see it.
Continuous evidence, continuous attestation
When vendors publish evidence on a schedule, you can attest to each pack as it arrives. Your signature becomes part of the ongoing compliance record.
Initiated by
Locktivity
We built Evidence Packs in the open because portable, verifiable assurance is a problem bigger than any one vendor.