Check compliance for your organization or third parties with Evidence Locker – Help Center

Managing compliance evidence is a job in itself. Whether you are vetting potential vendors, or you are a vendor trying to demonstrate compliance to a prospect, curating multiple files that make up compliance evidence takes a lot of time and effort. With SecurityScorecard's Evidence Locker, you can view and manage these files simply and show them in strategically visible locations.

If you are vendor: Showcase your compliance evidence in one place and reduce the time you spend sending artifacts to customers and prospects.

If your focus is vendor risk management: Use Evidence Locker to quickly vet your vendors' or potential vendors' compliance artifacts. See this video for a quick understanding of the capabilities:

Use Evidence Locker as a vendor

Post an evidence artifact
Track artifact history with the Activity Log

As you work through the security and compliance questionnaire process with prospects, you can use Evidence Locker to store all your evidence files and display them as badges for quick identification. This is also a good way to showcase your compliance for people from other companies who may browse your scorecard.

The badges appear in the headers of the scorecard, portfolio, and the company profile pages.

Post an evidence artifact

You can post attestations, certifications, or reports from your computer, or import them from Atlas if you have an Atlas license. Acceptable file formats include:

.pdf
.csv
.xlsx
.jpg
.png

Note: You cannot upload .exe files or archive formats, such as .zip.

You also can post links to a public URL for a file or a site.

You can choose whether to keep your posting private, make it visible to anyone using SecurityScorecard, or share it with people in specific organizations.

Note: Your company is responsible for verifying any certifications or attestations. SecurityScorecard does not perform any validation.

To post an evidence artifact:

Click the Compliance tab on your company's scorecard.
On the Compliance page, click the greyed badge for the artifact you want to post, and select a posting option.
- Upload the file from your local drive.
- Provide an externallink to a publicly accessible site or file.
- Import the file from Atlas.
Depending on how you chose to post the artifact, take one of the following actions:
- To upload a file, drag it from your local drive into the upload box, or click Browse files, and then select the file on your local drive. Then, click Submit.
- To share a link, copy the URL from your browser navigation tab, and paste it in the text box. Then, click Add link.
- To import a file from Atlas, select the file, and then click Import.
To provide a date range for which the artifact is valid, click in the date fields and use the calendar tool to select start and end dates.

Tip: If the validity term is indefinite, select not applicable.
Select whether, and how, you want to share the artifact:
- Make your posted content private, so that only your organization can see or access it.
- Make your content publicly accessible, so that SecurityScorecard users can view or download it.
- Share your content with individuals from specific organizations.
If you selected the Private or Public option, skip to the final step to finish the posting.
If you selected the Share option:
- Enter email address for each person you want to share the artifact with, then click Next.
- To provide a date range for which the invitation is open, click in the date fields, and use the calendar tool to select start and end dates. If the invitation is open for an indefinite period, select not applicable. Then, click Next.
- On the confirmation page, review your email addresses and click Confirm. Your selected individuals will receive email invitations from SecurityScorecard to download the artifact.
  
  Note: SecurityScorecard scans posted artifact files for malware, and makes your selected recipients aware of this in the invitation email.
Finish the posting by clicking one of the following buttons, depending on your posting method:
- Click Submit for an upload.
- Click Add link for a shared hyperlink.
- Click Import to for a file imported from Atlas.

After you successfully post the file, the badge darkens, and you see the option to download or delete the file.

If the upload fails, see Troubleshooting artifact uploads.

Note: You cannot delete a file imported from Atlas in Evidence Locker. You can only delete it in Atlas.

Troubleshooting artifact uploads

If your upload fails, take one of the following actions, depending on the error message:

Error message	What you can do
We could not upload <file-name> because it exceeds the 50 MB file size limit.	Reduce file size, confirm that the new or updated file meets the 50 MB size limit, and try uploading the file again: For a .pdf file, compress the existing file, export a new file at a smaller size setting, or, if possible, remove any unnecessary text or images from the source file and export to .pdf again. For .jpg or .png graphic, reduce the file to the minimum 72 pixels per inch (ppi). For a Word document, follow Microsoft recommendations for file reduction. For an Excel spreadsheet, follow Microsoft recommendations for file reduction. For a .csv file, if possible, remove any unnecessary content. If you are unable to reduce the size of the file, and if the contents are not sensitive, consider posting the file where it can be accessed on the internet and then share the link. Otherwise, submit a Support request for help.
We could not upload <file-name> because it has an unsupported format.	Use one of the supported file formats. We do not accept .exe files or archive formats, such as .zip.
We could not upload <file-name> because of a network error.	Wait a few minutes and try uploading the file again. If you get another network error message, submit a Support request for help.
We could not upload <file-name>.	For an error messages with no additional information, submit a Support request for help.

Track artifact history with the Activity Log

Use the Activity Log to keep track of your artifact postings. Note when files were uploaded or deleted for your audit records. Or see which artifacts VRMs are downloading most frequently to understand which compliance frameworks concern them the most.

To use the Activity Log:

On the Compliance page, click Activity Log.
On the Activity Log page, select any column heading to sort artifacts, or enter part of an artifact name to filter the entries by that name.

View evidence requests

If you get multiple requests for evidence artifacts, it is helpful to view them in one place so that you can prioritize your responses.

To view all pending requests, go to the Evidence Locker tab on your Scorecard and then select the Requests tab.

Any requests that you have yet to respond to appear in the Pending section.

Once you fulfill a request, it automatically moves to the Archived requests section.

Tip: If you want to personally respond to a requester, for example, to point out that a requested artifact has already been posted or that you are unable to share that artifact, you can click the link to contact them directly from the request.

Survey an organization's uploaded evidence

If you are with a vendor risk management (VRM) team, you can browse compliance evidence for any organization that you are vetting as a vendor. You also can ask an organization to post evidence if you do not see it.

Do the following to see an organization's posted evidence and download any files made accessible by the organization.

Access Evidence Locker

Access an organization's Evidence Locker from several different locations:

On a Scorecard, click the Evidence Locker tab.
On a Scorecard header, click any displayed evidence icons and then click View Evidence Locker.
In a Portfolio table, see which organizations have items in their Evidence columns. For those that do, click the link to view evidence artifacts.

View evidence in detail

In Evidence Locker, scan the displayed evidence icons.
Click any icon to see information about the evidence.

If the document or artifact is public, or if the organization has made it accessible to you, you can download or view it.

Tip: If an evidence artifact is inaccessible for viewing or download, you can contact the organization to ask them to share it with you.

Request evidence from an organization

Tip: In addition to requesting evidence in Evidence Locker using the following steps, you also can request evidence through any organization's public Scorecard.

If you do not see a specific compliance artifact in an organization's Evidence Locker, you can ask them to share it with you.

On the Evidence Locker page for a Scorecard, click Request Documents.
In request form, edit the standard note if you would like to personalize your message or add more context.
Select the documents you are requesting. For additional documents, select Other and enter a name or description of documents you want to see.
Click Continue.

A confirmation message indicates that your message was sent.

The organization you contacted receives a request email with an explanation of what Evidence Locker is.

Note: If the organization does not have a SecurityScorecard account yet, the email also includes a description of SecurityScorecard and a link to join for free.

Get help

If you need help or have additional questions, submit a Support request.