Requesting Evidence Packs

Use this page to ask vendors for Evidence Packs, verify packs you receive, and compare them year over year.

Why this format

An Evidence Pack is a ZIP file with a manifest that lists every document and its SHA-256 hash. This structure means you can compare packs across vendors, see exactly what changed year over year, and validate that files match what the manifest says.

Consistent: same structure from every vendor.

Comparable: diff packs to see what changed.

Complete: the manifest lists every file included.

Ask vendors to send packs

Most vendors will send an Evidence Pack if you ask. The format is simple for them to produce and the email below explains what you need. Send it during onboarding or at renewal time.

Email template

Hi,

We're standardizing how we collect security evidence from vendors using Evidence Packs.

An Evidence Pack is a ZIP file containing your security artifacts (SOC 2 report, pentest summary, etc.) plus a manifest that lists each file with its SHA-256 hash. This makes it easy for us to see exactly what's included and compare what changed year-over-year.

You can build a pack in your browser in under a minute:
evidencepack.org/sharing-packs.html

Could you send your next evidence delivery as a pack?

Thanks

Verify a pack

When you receive a pack, drop it here to confirm the files match the manifest. You can also compare two packs side by side to see what changed between releases.

Verification runs client-side only; your files never leave your device. The pack you drop is a ZIP file containing manifest.json.

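The checks described above, as an added example that is not evidencepack.org's own code or tooling: a small Python script that builds a pack, verifies every ZIP member against manifest.json (hash mismatches, listed-but-missing files, and unlisted extra files), and diffs two packs' manifests to show what changed between releases. The manifest schema used here ({"files": [{"path": ..., "sha256": ...}]}) is an assumption, since the page only says the manifest lists each file with its SHA-256 hash; the sample documents are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import io
import json
import zipfile

MANIFEST = "manifest.json"
# Assumed manifest schema (the page only says it lists each file and its SHA-256):
#   {"files": [{"path": "soc2-type2.pdf", "sha256": "<64 hex chars>"}, ...]}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_pack(files: dict[str, bytes]) -> bytes:
    """Zip the given files and add a manifest listing each path and its hash."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        entries = []
        for path, data in sorted(files.items()):
            zf.writestr(path, data)
            entries.append({"path": path, "sha256": sha256_hex(data)})
        zf.writestr(MANIFEST, json.dumps({"files": entries}, indent=2))
    return buf.getvalue()


def read_manifest(zf: zipfile.ZipFile) -> dict[str, str]:
    """Return {path: sha256} from manifest.json, rejecting unsafe paths."""
    if MANIFEST not in zf.namelist():
        raise ValueError("pack has no manifest.json")
    listed = {}
    for entry in json.loads(zf.read(MANIFEST))["files"]:
        path = entry["path"]
        # The manifest is untrusted input: refuse absolute paths and '..' segments
        # so a listed path can never point outside an extraction directory.
        if path.startswith(("/", "\\")) or ".." in path.replace("\\", "/").split("/"):
            raise ValueError(f"unsafe path in manifest: {path!r}")
        listed[path] = entry["sha256"].lower()
    return listed


def verify_pack(pack: bytes) -> dict[str, list[str]]:
    """Check every ZIP member against the manifest.

    ok       - listed, present, hash matches
    mismatch - listed, present, hash differs (altered after the manifest was made)
    missing  - listed but absent from the ZIP
    extra    - in the ZIP but not listed (content the manifest does not vouch for)
    """
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "extra": []}
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        members = {n for n in zf.namelist() if not n.endswith("/")}
        listed = read_manifest(zf)
        for path, expected in listed.items():
            if path not in members:
                result["missing"].append(path)
            elif sha256_hex(zf.read(path)) == expected:
                result["ok"].append(path)
            else:
                result["mismatch"].append(path)
        result["extra"] = sorted(members - set(listed) - {MANIFEST})
    return result


def diff_packs(old: bytes, new: bytes) -> dict[str, list[str]]:
    """Compare two manifests: paths added, removed, or re-hashed between releases."""
    with zipfile.ZipFile(io.BytesIO(old)) as zf:
        a = read_manifest(zf)
    with zipfile.ZipFile(io.BytesIO(new)) as zf:
        b = read_manifest(zf)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def rewrite_pack(pack: bytes, overrides: dict[str, bytes]) -> bytes:
    """Re-zip a pack with some members replaced or added, manifest left untouched.
    Used below only to model a pack edited after its manifest was produced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pack)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, overrides.get(name, src.read(name)))
        for name, data in overrides.items():
            if name not in src.namelist():
                dst.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed sample packs: last year's, this year's, and a tampered copy."""
    soc2 = b"SOC 2 Type II report (constructed sample)"
    pack_2023 = build_pack({"soc2-type2.pdf": soc2,
                            "pentest-summary.pdf": b"Pentest summary 2023 (constructed)"})
    pack_2024 = build_pack({"soc2-type2.pdf": soc2,
                            "pentest-summary.pdf": b"Pentest summary 2024 (constructed)",
                            "iso27001-cert.pdf": b"ISO 27001 certificate (constructed)"})
    tampered = rewrite_pack(pack_2024, {"soc2-type2.pdf": b"edited after the manifest was written",
                                        "notes.txt": b"unlisted file"})
    return {
        "verify_2024": verify_pack(pack_2024),
        "verify_tampered": verify_pack(tampered),
        "diff_2023_2024": diff_packs(pack_2023, pack_2024),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the three reports. The "extra" bucket matters as much as "mismatch": a ZIP member the manifest does not list is content nobody has vouched for, and a pack that adds a year's worth of new documents should show them as "added" in the diff rather than as "extra" in the verification.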

Automate collection

Once vendors publish packs, you can pull them automatically on a schedule using your existing tools. No more manual requests at renewal time.

CLI & SDK

Initiated by Locktivity

We built Evidence Packs in the open because portable, verifiable assurance is a problem bigger than any one vendor.