Evidence Management
Tamper-evident proof.
Every file.
Every piece of audit evidence gets SHA-256 hashed on upload and verified on every download. If a file has been touched — by anyone, for any reason — you'll know before your auditor does.
What it does
Evidence that proves it's real
SHA-256 integrity hashing
Every file is hashed on upload. The hash is stored and re-verified every time the file is accessed. If a single byte changes, it's detected immediately.
Visual integrity badges
Every file shows one of three badges: Verified (hash matches), Modified (file has changed since upload), or Corrupted (hash mismatch detected). No ambiguity.
Signed URLs
Generate temporary, expiring download links to share specific files with auditors or stakeholders — without giving anyone an account or permanent access.
Row-level security
Every evidence access is enforced by Supabase Row Level Security at the database layer. Cross-tenant isolation is guaranteed — no user can access another org's files.
Organised by risk or control
Evidence is attached directly to the risk or control it supports. During an audit, find the right document instantly — no searching through a shared drive.
Full access audit trail
Every evidence view and download is logged with the user's identity and a timestamp. When an auditor asks 'who accessed this?' you have a complete answer.
How it works
Upload once. Verified forever.
Upload
Drag and drop any document, screenshot, export, or certificate. The SHA-256 hash is computed server-side and stored the moment the file lands. Supported formats include PDF, DOCX, PNG, and more.
Verify
Every time the file is accessed or downloaded, its hash is re-computed and checked against the stored value. A green 'Verified' badge means the file is exactly as it was when uploaded. Any change — intentional or not — shows as 'Modified' or 'Corrupted'.
Share
Generate a signed URL to give an auditor time-limited access to a specific file. No account, no permanent access, no oversharing. The External Auditor Portal gives even more fine-grained control over what gets shared.
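The upload, verify and share steps above, sketched as an added example (not RiskGuard's own code). The HMAC-based link format, the `URL_KEY` secret, the `/evidence/42` path and the query parameter names are assumptions made for illustration.

```python
import hashlib, hmac, io
from urllib.parse import urlencode, urlparse, parse_qs

URL_KEY = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
CHUNK = 64 * 1024

def sha256_stream(fileobj):
    """Hash a file-like object in chunks so large uploads are not held in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def verify(fileobj, stored_hex):
    """Re-hash on access and compare with the digest recorded at upload."""
    return hmac.compare_digest(sha256_stream(fileobj).encode(), stored_hex.encode())

def sign_url(path, digest, expires, key=URL_KEY):
    """Bind path, expected content digest and expiry into one HMAC-SHA256 tag."""
    msg = f"{path}\n{digest}\n{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'sha256': digest, 'exp': expires, 'sig': sig})}"

def check_url(url, now, key=URL_KEY):
    """Accept a link only if the tag is valid and the expiry has not passed."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        digest, exp, sig = q["sha256"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False            # missing or malformed parameter: reject
    msg = f"{parts.path}\n{digest}\n{exp}".encode()
    good = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), good.encode()) and now < exp

def demo():
    original = b"constructed sample: access-review export, Q1\n"
    stored = sha256_stream(io.BytesIO(original))                  # upload
    ok = verify(io.BytesIO(original), stored)                     # untouched file
    tampered = verify(io.BytesIO(original.replace(b"Q1", b"Q2")), stored)
    url = sign_url("/evidence/42", stored, expires=1_000_600)
    return (ok, tampered, check_url(url, now=1_000_000),
            check_url(url, now=1_000_601),                        # expired link
            check_url(url.replace("/42", "/43"), now=1_000_000))  # path swapped

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the stored digest: if whoever can alter a file can also rewrite its recorded hash, the comparison still passes, so the digest store needs its own access control.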
Why SHA-256?
The same standard used by major cloud providers
SHA-256 is a cryptographic hash function from the SHA-2 family. It takes any file and produces a 256-bit fingerprint that is, for practical purposes, unique to that content. Change even a single character in the file and the fingerprint changes completely.
This makes it computationally infeasible to alter evidence without detection, which is exactly what your ISO 27001 auditor is checking for when they ask about evidence integrity controls.
Works seamlessly with
The rest of your compliance workflow
Controls Library
Attach evidence directly to controls. Auditors see exactly which documents support each control — with SHA-256 integrity badges proving nothing has been altered.
External Auditor Portal
Share evidence with external auditors through OTP-verified, time-limited portals. Every view is logged. No account creation, no oversharing, no guesswork.
PDF Audit Reports
Evidence counts per control feed directly into the audit report. The report shows exactly how much evidence backs each compliance result.
Ready to get audit-ready?
Book a 30-minute demo and see how RiskGuard can get your startup compliant — without the consultant fees.