Tags: Audit, SOC2, Evidence Management, Deep Prototype

EvidenceVault — Audit Evidence Packet Builder

88 seeded evidence artifacts indexed by control across SOC2, HIPAA, ISO 27001, and PCI DSS. Each artifact carries a SHA-256 hash, a retention period, and a last-access timestamp. Build the packet your auditor asks for by selecting artifacts, then export a JSON manifest with control coverage. Turns 9-day evidence requests into 90-second downloads.


What it is

The vault every SOC2 / HIPAA / ISO / PCI auditor wants and very few companies actually maintain. 88 artifacts indexed by control. Build a packet by checking artifacts; export the manifest your auditor’s portal accepts.

What’s in it

  • 88 seeded artifacts spanning the real evidence types: policies (Information Security Policy v4.2, Access Control Policy, Incident Response Plan, BCP/DR Plan, Vendor Risk Management, Data Classification, Data Retention, Data Deletion), reports (Quarterly access reviews, 2025 penetration test, SOC2 Type II reports, PCI ASV external scans, Risk Assessment workbook, BCP tabletop, HIPAA Risk Analysis, internal audit reports), logs (production access log, admin route audit log, change advisory board log, KMS key rotation, OFAC sanctions screening), screenshots (MFA enrollment, firewall config, encryption-at-rest evidence, TLS configuration scan, hardening evidence, CSP/WAF audit), certificates (executed BAAs with AWS / Datadog / Stripe, ISO 27001 surveillance cert, cyber + D&O policies).
  • Per-artifact metadata: SHA-256 hash (16-char prefix for display), retention period, file size, type, last-updated timestamp, control mapping with framework + specific control ID (CC6.1, §164.308(a)(1), A.9.4.2, etc.).
  • Cross-framework mapping — one artifact (e.g., “MFA enrollment screenshot”) maps to SOC2 CC6.1, ISO 27001 A.9.4.2, and PCI 8.4.2 simultaneously. Auditors request by their framework’s control language; the vault returns the same evidence regardless of which framework asked.
  • Packet builder — select artifacts, see covered controls update live. Export JSON manifest with hash-prefixed file references and full control mapping.
  • Filter by framework, control ID, type, free-text.

Why this shape

The most painful question in any audit is “send me everything related to control X.” The pattern at most companies: stitch together 8 emails, 4 Slack searches, 3 different Drive folders, then hand-write a cover letter explaining what’s what. Each request costs 4-9 days of compliance time.

EvidenceVault turns the same request into a 90-second export. The selection-to-export flow shown here is what every GRC platform tries to be — without the GRC platform’s price tag.

How it ships

Single HTML file, ~52KB. Zero dependencies. The 88-artifact seed catalog, cross-framework control mapping, packet state, and JSON manifest export are 380 lines of vanilla JavaScript. Every artifact has a deterministic 16-char SHA-256 prefix simulating real hash-verified storage.
