Skip to content

Evidence Export & Compliance

Volidator provides a self-serve Evidence Export center designed to satisfy auditors and automatically fit into GRC (Governance, Risk, and Compliance) platforms like Vanta, Drata, and Secureframe.

Because Volidator is a zero-knowledge logging service, evidence compilation and decryption happen entirely within your browser—ensuring sensitive plaintext data never touches Volidator’s servers.


When you request an export in your dashboard under Evidence Export, the following client-side workflow is triggered:

  1. Framework Selection: You select a compliance framework (e.g., SOC 2 Type II, HIPAA, ISO 27001, PCI-DSS v4, or Custom Export). This applies pre-configured filters to map your logs to specific control criteria.
  2. Streaming Decryption: The browser retrieves encrypted log chunks from your project API. Using the decryption key loaded in your browser session (via the URL hash fragment), the browser decrypts each row locally.
  3. Evidence Package Bundling: The browser formats the decrypted data into a ZIP package containing:
    • audit_log_export.csv: The decrypted audit logs mapped to standard framework controls.
    • evidence_cover_sheet.html: An auditor-friendly summary document detailing the scope, log count, date range, and the cryptographic details of the audit trail.
    • cryptographic_manifest.json (Pro/Scale plans): A tamper-verification file containing the SHA-256 hash of every encrypted row, verifying that the logs haven’t been tampered with or modified.

To simplify your audits, Volidator maps actions to specific controls:

Framework Target Controls Action Filters / Coverage
SOC 2 Type II CC6.1, CC6.2, CC6.3, CC7.2, CC8.1, CC9.2 Logical access, configuration changes, permission grants, exports
HIPAA §164.312(a), §164.312(b), §164.312(c) PHI access views, data changes, security permissions
ISO 27001 Annex A.9.4, Annex A.12.4 Access control monitoring, event logging, administrative actions
FDA 21 CFR 11 §11.10(a), §11.10(e), §11.10(k), §11.50 Electronic signatures, records modification, user authorization
PCI-DSS v4 Requirement 10.2, 10.3, 10.6 Access to cardholder data, admin actions, credential changes

Instead of requiring complex developer API access or platform partnerships, Volidator generates standard files that can be uploaded directly to your GRC portal:

  • Vanta: Upload the generated .zip or .csv under EvidenceUpload Evidence. Vanta accepts ZIP files up to 50MB.
  • Drata: Add manually collected evidence under the relevant control or custom connection by uploading the .csv or .zip.
  • Secureframe: Navigate to TestsManual Evidence and upload the individual files or ZIP package.

Every call to volidator.log() produces a cryptographically sealed record with immutable timestamps (UTC) and user context, fulfilling audit criteria out-of-the-box.

Our servers hold only encrypted ciphertext. We cannot view your logs, nor can we selectively disclose them. This enforces strict data minimization and separation of duties controls.

Every event is tied to an HMAC-SHA256 blind index chain. Any deletion, gap, or alteration of logs during your audit window is mathematically detectable, proving to auditors that log coverage was continuous.


If you prefer not to download files, you can invite your auditor directly to a 7-Day Auditor Access Room:

  1. Generate a temporary, read-only auditor token in the Evidence Export settings.
  2. Share the generated link with your auditor. The link contains the decryption key in the URL hash fragment (#key).
  3. Your auditor views and audits the decrypted logs directly in their browser.
  4. Volidator servers never receive the decryption key or the cleartext events.

The access room link automatically expires in 7 days, or it can be revoked instantly by rotating your project’s API keys.

https://dash.volidator.com/embed/<token>#<your-encryption-key>

For SIEM-based compliance requirements (like continuous threat monitoring or centralized log analysis), configure real-time forwarding to Datadog or Splunk via SIEM Sync.