Evidence Export & Compliance
Volidator provides a self-serve Evidence Export center designed to satisfy auditors and automatically fit into GRC (Governance, Risk, and Compliance) platforms like Vanta, Drata, and Secureframe.
Because Volidator is a zero-knowledge logging service, evidence compilation and decryption happen entirely within your browser—ensuring sensitive plaintext data never touches Volidator’s servers.
How Evidence Export Works
Section titled “How Evidence Export Works”When you request an export in your dashboard under Evidence Export, the following client-side workflow is triggered:
- Framework Selection: You select a compliance framework (e.g., SOC 2 Type II, HIPAA, ISO 27001, PCI-DSS v4, or Custom Export). This applies pre-configured filters to map your logs to specific control criteria.
- Streaming Decryption: The browser retrieves encrypted log chunks from your project API. Using the decryption key loaded in your browser session (via the URL hash fragment), the browser decrypts each row locally.
- Evidence Package Bundling: The browser formats the decrypted data into a ZIP package containing:
audit_log_export.csv: The decrypted audit logs mapped to standard framework controls.evidence_cover_sheet.html: An auditor-friendly summary document detailing the scope, log count, date range, and the cryptographic details of the audit trail.cryptographic_manifest.json(Pro/Scale plans): A tamper-verification file containing the SHA-256 hash of every encrypted row, verifying that the logs haven’t been tampered with or modified.
Framework & Control Mapping
Section titled “Framework & Control Mapping”To simplify your audits, Volidator maps actions to specific controls:
| Framework | Target Controls | Action Filters / Coverage |
|---|---|---|
| SOC 2 Type II | CC6.1, CC6.2, CC6.3, CC7.2, CC8.1, CC9.2 | Logical access, configuration changes, permission grants, exports |
| HIPAA | §164.312(a), §164.312(b), §164.312(c) | PHI access views, data changes, security permissions |
| ISO 27001 | Annex A.9.4, Annex A.12.4 | Access control monitoring, event logging, administrative actions |
| FDA 21 CFR 11 | §11.10(a), §11.10(e), §11.10(k), §11.50 | Electronic signatures, records modification, user authorization |
| PCI-DSS v4 | Requirement 10.2, 10.3, 10.6 | Access to cardholder data, admin actions, credential changes |
Uploading to GRC Platforms
Section titled “Uploading to GRC Platforms”Instead of requiring complex developer API access or platform partnerships, Volidator generates standard files that can be uploaded directly to your GRC portal:
- Vanta: Upload the generated
.zipor.csvunder Evidence → Upload Evidence. Vanta accepts ZIP files up to 50MB. - Drata: Add manually collected evidence under the relevant control or custom connection by uploading the
.csvor.zip. - Secureframe: Navigate to Tests → Manual Evidence and upload the individual files or ZIP package.
Why Volidator Logs Are Compliance-Ready
Section titled “Why Volidator Logs Are Compliance-Ready”Evidence-Grade Audit Tags
Section titled “Evidence-Grade Audit Tags”Every call to volidator.log() produces a cryptographically sealed record with immutable timestamps (UTC) and user context, fulfilling audit criteria out-of-the-box.
Zero-Knowledge Architecture
Section titled “Zero-Knowledge Architecture”Our servers hold only encrypted ciphertext. We cannot view your logs, nor can we selectively disclose them. This enforces strict data minimization and separation of duties controls.
Immutable Chain of Custody
Section titled “Immutable Chain of Custody”Every event is tied to an HMAC-SHA256 blind index chain. Any deletion, gap, or alteration of logs during your audit window is mathematically detectable, proving to auditors that log coverage was continuous.
Scoped Auditor Access Rooms
Section titled “Scoped Auditor Access Rooms”If you prefer not to download files, you can invite your auditor directly to a 7-Day Auditor Access Room:
- Generate a temporary, read-only auditor token in the Evidence Export settings.
- Share the generated link with your auditor. The link contains the decryption key in the URL hash fragment (
#key). - Your auditor views and audits the decrypted logs directly in their browser.
- Volidator servers never receive the decryption key or the cleartext events.
The access room link automatically expires in 7 days, or it can be revoked instantly by rotating your project’s API keys.
https://dash.volidator.com/embed/<token>#<your-encryption-key>Real-Time Forwarding
Section titled “Real-Time Forwarding”For SIEM-based compliance requirements (like continuous threat monitoring or centralized log analysis), configure real-time forwarding to Datadog or Splunk via SIEM Sync.