## Overview
Evidence in SecurAtlas proves that a control is implemented and effective. Evidence flows through a lifecycle from upload to validation, and can originate from manual uploads or automated integration syncs.
1. **Upload or Collect**: Evidence enters the system via manual upload or integration auto-collection.
2. **Classify**: AI classifies the evidence and suggests control mappings.
3. **Link**: Evidence is linked to one or more controls.
4. **Review**: A reviewer validates or rejects the evidence.
5. **Maturity Sync**: Accepted evidence triggers a control maturity recalculation.
## Manual Upload Flow

### 1. Create Evidence Item

```ts
// Server action creates the evidence record
const item = await createEvidenceItem({
  tenant_id,
  title: 'Annual Security Training Records',
  description: 'Completion certificates for all employees',
  evidence_type: 'document',
});
```
### 2. Attach Evidence Object

Files are uploaded to Supabase Storage and linked via `evidence_objects`:

```ts
// `tenant_id` and the browser `File` object (`file`) come from the calling context
const object = await attachEvidenceObject({
  evidence_item_id: item.id,
  storage_path: `evidence/${tenant_id}/${file.name}`,
  file_name: file.name,
  mime_type: file.type,
});
```
The `evidence_signed_upload` and `evidence_finalize_upload` Edge Functions handle presigned URL generation and post-upload finalization for large files.
### 3. AI Classification

The `evidence_classify` Edge Function analyzes the uploaded file and returns:

- Suggested control mappings
- Evidence category tags
- Confidence scores

```ts
// Called automatically after upload finalization
const classification = await supabase.functions.invoke('evidence_classify', {
  body: { evidence_item_id: item.id },
});
```
## Integration Auto-Collection

Integrations automatically generate evidence through the materialization process:

```sql
-- Materialize evidence from integration entities and findings
SELECT rpc_materialize_integration_evidence(p_tenant_id := 'uuid-here');
```
This RPC function:

- Scans `integration_entities` for evidence-worthy items (e.g., MFA policies, encryption settings)
- Creates `integration_evidence_items` records
- Links them to the appropriate controls via `control_evidence_links`
Integration evidence is automatically re-materialized during each sync cycle, keeping evidence current without manual intervention.
## Validation Lifecycle

Evidence moves through these statuses:

`uploaded → linked → under_review → accepted | rejected`

| Status | Meaning |
|---|---|
| `uploaded` | File uploaded, not yet linked to controls |
| `linked` | Linked to one or more controls |
| `under_review` | Submitted for reviewer validation |
| `accepted` | Reviewer confirmed evidence is valid |
| `rejected` | Reviewer rejected with comments |
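The lifecycle above is only meaningful if every status change is checked against it rather than written directly. The following is an added example (not SecurAtlas code) of a transition guard that enforces the documented order, refuses to mark evidence `linked` with no controls attached, and, as an additional assumption not stated on this page, refuses to let the person who submitted the evidence for review be the one who accepts or rejects it.

```typescript
// Added example, not SecurAtlas code: enforce the documented evidence lifecycle.
export type EvidenceStatus =
  | "uploaded"
  | "linked"
  | "under_review"
  | "accepted"
  | "rejected";

// Allowed forward transitions, taken from the lifecycle diagram above.
// accepted and rejected are terminal: a re-review must create a new item.
const ALLOWED: Record<EvidenceStatus, EvidenceStatus[]> = {
  uploaded: ["linked"],
  linked: ["under_review"],
  under_review: ["accepted", "rejected"],
  accepted: [],
  rejected: [],
};

export function canTransition(from: EvidenceStatus, to: EvidenceStatus): boolean {
  return ALLOWED[from].includes(to);
}

export interface EvidenceRecord {
  id: string;
  status: EvidenceStatus;
  linkedControls: string[]; // control ids from control_evidence_links
  submittedBy?: string; // actor who moved the item to under_review
}

// Apply one transition and return the updated record, or throw.
// The self-review check is an assumption (separation of duties), not
// something the page documents.
export function transition(
  rec: EvidenceRecord,
  to: EvidenceStatus,
  actor: string,
): EvidenceRecord {
  if (!canTransition(rec.status, to)) {
    throw new Error(`illegal transition ${rec.status} -> ${to} for ${rec.id}`);
  }
  if (to === "linked" && rec.linkedControls.length === 0) {
    throw new Error(`evidence ${rec.id} must be linked to at least one control`);
  }
  if ((to === "accepted" || to === "rejected") && rec.submittedBy === actor) {
    throw new Error(`reviewer ${actor} cannot review their own submission ${rec.id}`);
  }
  const submittedBy = to === "under_review" ? actor : rec.submittedBy;
  return { ...rec, status: to, submittedBy };
}
```

Because the guard throws instead of silently ignoring a bad transition, an attempt to jump from `uploaded` straight to `accepted`, or to flip a `rejected` item back to `accepted`, surfaces as an error that can be logged and alerted on.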
## Validation Records

Each review action creates an `evidence_validations` record:

```sql
evidence_validations (
  id uuid PRIMARY KEY,
  evidence_item_id uuid REFERENCES tenant_evidence_items,
  reviewer_id uuid REFERENCES auth.users,
  status text, -- 'accepted', 'rejected'
  comments text,
  reviewed_at timestamptz
)
```
## Control Maturity Sync

When evidence is accepted, a trigger recalculates the linked control’s maturity level:

```sql
-- Trigger fires on evidence_validations INSERT
CREATE TRIGGER sync_control_maturity
  AFTER INSERT ON evidence_validations
  FOR EACH ROW
  WHEN (NEW.status = 'accepted')
  EXECUTE FUNCTION fn_sync_control_maturity();
```
Maturity levels progress based on evidence coverage:
- Not Implemented: No evidence
- Planned: Evidence uploaded but not validated
- Implemented: Validated evidence present
- Managed: Multiple validated evidence items with recent dates
- Optimized: Full coverage with automated evidence collection
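The five levels are defined in terms of evidence coverage, so the recalculation is a pure function of the evidence linked to a control. The following is an added example (not the `fn_sync_control_maturity` implementation, which this page does not show) that derives the level from the list above. The 90-day window for "recent", the threshold of two items for "Managed", the exclusion of rejected evidence, and reading "full coverage with automated evidence collection" as every recent validated item being integration-materialized are all assumptions.

```typescript
// Added example, not SecurAtlas code: derive a maturity level from linked evidence.
export type MaturityLevel =
  | "Not Implemented"
  | "Planned"
  | "Implemented"
  | "Managed"
  | "Optimized";

export interface LinkedEvidence {
  status: "uploaded" | "linked" | "under_review" | "accepted" | "rejected";
  reviewedAt?: Date; // reviewed_at from the evidence_validations record, if any
  automated: boolean; // true for integration_evidence_items, false for manual uploads
}

// Assumptions: what counts as "recent" and how many items make "Managed".
const RECENT_DAYS = 90;
const MANAGED_MIN_ITEMS = 2;

export function computeMaturity(
  evidence: LinkedEvidence[],
  now: Date = new Date(),
): MaturityLevel {
  // Rejected evidence contributes nothing to coverage (assumption).
  const live = evidence.filter((e) => e.status !== "rejected");
  if (live.length === 0) return "Not Implemented";

  const validated = live.filter((e) => e.status === "accepted");
  if (validated.length === 0) return "Planned";

  const cutoff = now.getTime() - RECENT_DAYS * 86_400_000;
  const recent = validated.filter(
    (e) => e.reviewedAt !== undefined && e.reviewedAt.getTime() >= cutoff,
  );
  if (recent.length < MANAGED_MIN_ITEMS) return "Implemented";

  // "Optimized" is read here as: all recent validated items are automated (assumption).
  return recent.every((e) => e.automated) ? "Optimized" : "Managed";
}
```

Passing `now` explicitly keeps the function deterministic, which matters if the same logic is ever replayed over historical validation records to audit why a control reported a given level on a given date.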
## Evidence Certificates

Tenants can generate compliance certificates from validated evidence:

```sql
evidence_certificates (
  id uuid PRIMARY KEY,
  tenant_id uuid REFERENCES tenants,
  framework_id uuid REFERENCES compliance_frameworks,
  generated_at timestamptz,
  valid_until timestamptz,
  certificate_data jsonb
)
```
Certificates are point-in-time snapshots. If evidence is later rejected or controls change, existing certificates are not automatically invalidated.
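Since the platform does not invalidate certificates when their evidence is later rejected, anyone relying on a certificate needs a way to detect that drift. The following is an added example (not SecurAtlas code) of such a check: it flags certificates that have passed `valid_until` or that reference an evidence item with a `rejected` validation dated after `generated_at`. It assumes that `certificate_data` records the ids of the evidence items the certificate was built from, which this page does not specify.

```typescript
// Added example, not SecurAtlas code: detect certificates whose evidence changed after issuance.
export interface Certificate {
  id: string;
  generatedAt: Date; // generated_at
  validUntil: Date; // valid_until
  evidenceItemIds: string[]; // assumed to be stored in certificate_data
}

export interface Validation {
  evidenceItemId: string; // evidence_item_id
  status: "accepted" | "rejected";
  reviewedAt: Date; // reviewed_at
}

export interface StaleCertificate {
  certificateId: string;
  reasons: string[];
}

export function findStaleCertificates(
  certs: Certificate[],
  validations: Validation[],
  now: Date = new Date(),
): StaleCertificate[] {
  const out: StaleCertificate[] = [];
  for (const cert of certs) {
    const reasons: string[] = [];
    if (cert.validUntil.getTime() < now.getTime()) {
      reasons.push("expired");
    }
    const referenced = new Set(cert.evidenceItemIds);
    for (const v of validations) {
      // Only rejections recorded after the snapshot invalidate it; earlier
      // rejections were already visible when the certificate was generated.
      if (
        referenced.has(v.evidenceItemId) &&
        v.status === "rejected" &&
        v.reviewedAt.getTime() > cert.generatedAt.getTime()
      ) {
        reasons.push(`evidence ${v.evidenceItemId} rejected after issuance`);
      }
    }
    if (reasons.length > 0) out.push({ certificateId: cert.id, reasons });
  }
  return out;
}

// Constructed sample data for a stand-alone run.
const sampleCerts: Certificate[] = [
  { id: "cert-1", generatedAt: new Date("2024-03-01T00:00:00Z"), validUntil: new Date("2025-03-01T00:00:00Z"), evidenceItemIds: ["ev-1", "ev-2"] },
  { id: "cert-2", generatedAt: new Date("2023-01-01T00:00:00Z"), validUntil: new Date("2024-01-01T00:00:00Z"), evidenceItemIds: ["ev-3"] },
];
const sampleValidations: Validation[] = [
  { evidenceItemId: "ev-1", status: "accepted", reviewedAt: new Date("2024-02-15T00:00:00Z") },
  { evidenceItemId: "ev-2", status: "rejected", reviewedAt: new Date("2024-04-10T00:00:00Z") },
  { evidenceItemId: "ev-3", status: "rejected", reviewedAt: new Date("2022-12-01T00:00:00Z") },
];
export const sampleResult = findStaleCertificates(sampleCerts, sampleValidations, new Date("2024-06-01T00:00:00Z"));
```

Run periodically, the output of `findStaleCertificates` is the list of certificates that should be regenerated or withdrawn; with the sample data, `cert-1` is flagged for a post-issuance rejection and `cert-2` only for expiry, because its rejection predates the snapshot.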
## Key Tables

| Table | Role |
|---|---|
| `tenant_evidence_items` | Core evidence records |
| `evidence_objects` | File storage references |
| `evidence_validations` | Review workflow records |
| `evidence_certificates` | Generated certificates |
| `control_evidence_links` | Evidence-to-control mappings |
| `integration_evidence_items` | Auto-materialized integration evidence |