Evidence cards

The core review artifact for procurement, security, and legal.

Every vendor package becomes an evidence card — documents received, missing items, risk lane, owners, and recommended decision. Every AI conclusion links to source documents.

Evidence card field       Content
Vendor name               Legal entity and product name
Vendor category           SaaS · infrastructure · AI · financial · critical
Data classification       PII, PHI, financial, confidential, public
Documents received        SOC 2, ISO, DPA, pen test, insurance, questionnaires
Missing evidence          Gaps flagged before approval
Questionnaire status      SIG / CAIQ / custom responses reviewed
Risk lane                 Low-risk SaaS through critical infrastructure
Recommended decision      Approve · conditional · reject · hold
Owner                     Procurement, security, legal, or GRC reviewer
Audit trail               Upload, extraction, review, and approval events

Example evidence card — Lattice (SaaS · HR)

Field                     Lattice example
Vendor                    Lattice · lattice.com · HR performance management
Service type              SaaS · HRIS · employee performance management
Business owner            procurement@acme.io · People Ops
Data access level         Medium · employee PII · US + EU
PII processing            Yes · names, reviews, compensation bands
Security evidence         SOC 2 Type II (Oct 2025) · Lattice_SOC2_TypeII_2025.pdf p.4
Privacy evidence          DPA v3 · Lattice_DPA_v3.pdf §3.2
Contract evidence         MSA pending · DPA executed 2026-01-28
Insurance evidence        Not in package · flagged missing
Missing files             Pen test attestation · BCP summary
Expiration dates          SOC 2 expires 2026-10-31 · DPA no expiry
AI summary                Processes employee PII · sub-processor clause needs legal review · source: DPA §4.2
Human review status       Security review · pending pen test
Recommended decision      Conditional approve, pending pen test attestation
Owner                     security@acme.io · backup: grc@acme.io
Last updated              2026-03-20 11:04 UTC

Upload real vendor packages and generate evidence cards.

  Upload vendor docs → Extract fields with AI → Flag missing evidence → Route for review → Export audit-ready cards
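As an added example, not code from the product described on this page, the check a reviewer would want behind the "flag missing evidence" and "expiration dates" rows: given the documents in a package and their expiry dates, derive what is missing for the vendor's risk lane, what has expired or is about to, whether every document carries a source citation, and a recommended decision. The required-evidence matrix per lane, the mapping of the Lattice card's "Medium" access level to a "medium" lane, the 90-day expiry horizon and the decision rules are assumptions made for illustration; the sample card values are copied from the Lattice example above.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumption for this example: the evidence each risk lane needs before
# approval. The page does not publish the product's own matrix.
REQUIRED_BY_LANE = {
    "low-risk saas": {"SOC 2", "DPA"},
    "medium": {"SOC 2", "DPA", "pen test", "insurance"},
    "critical": {"SOC 2", "ISO 27001", "DPA", "pen test", "insurance", "BCP", "questionnaire"},
}


@dataclass
class Document:
    kind: str                       # e.g. "SOC 2", "DPA", "pen test"
    source: str                     # file plus page/section the conclusion cites
    expires: Optional[date] = None  # None for documents with no expiry (e.g. DPA)


@dataclass
class EvidenceCard:
    vendor: str
    risk_lane: str
    documents: list[Document] = field(default_factory=list)


def missing_evidence(card: EvidenceCard) -> set[str]:
    """Required document kinds with no received document of that kind."""
    received = {d.kind for d in card.documents}
    return REQUIRED_BY_LANE[card.risk_lane] - received


def unsourced(card: EvidenceCard) -> list[str]:
    """Documents recorded without a file/page citation. A conclusion that
    cannot be traced to a source document should block approval."""
    return [d.kind for d in card.documents if not d.source.strip()]


def expired(card: EvidenceCard, today: date) -> list[tuple[str, date]]:
    return [(d.kind, d.expires) for d in card.documents
            if d.expires is not None and d.expires < today]


def expiring(card: EvidenceCard, today: date, horizon_days: int = 90) -> list[tuple[str, date]]:
    """Documents still valid today but expiring within the horizon (assumed 90 days)."""
    horizon = today + timedelta(days=horizon_days)
    return [(d.kind, d.expires) for d in card.documents
            if d.expires is not None and today <= d.expires <= horizon]


def recommend(card: EvidenceCard, today: date) -> tuple[str, list[str]]:
    """Derive a recommended decision. Expired or unsourced evidence puts the
    card on hold; missing required evidence makes approval conditional.
    'reject' is never produced automatically; that stays a human call."""
    reasons = [f"{kind} expired {when.isoformat()}" for kind, when in expired(card, today)]
    reasons += [f"{kind} has no source citation" for kind in unsourced(card)]
    if reasons:
        return "hold", reasons
    gaps = sorted(missing_evidence(card))
    if gaps:
        return "conditional", [f"missing {g}" for g in gaps]
    return "approve", [f"{k} expires {w.isoformat()}" for k, w in expiring(card, today)]


def review(card: EvidenceCard, today_iso: str) -> dict:
    """One JSON-serialisable record per card, the shape an export step would emit."""
    today = date.fromisoformat(today_iso)
    decision, reasons = recommend(card, today)
    return {
        "vendor": card.vendor,
        "risk_lane": card.risk_lane,
        "missing": sorted(missing_evidence(card)),
        "expiring": [f"{k} {w.isoformat()}" for k, w in expiring(card, today)],
        "decision": decision,
        "reasons": reasons,
    }


# Constructed sample: values copied from the Lattice card above, lane assumed "medium".
LATTICE = EvidenceCard(
    vendor="Lattice",
    risk_lane="medium",
    documents=[
        Document("SOC 2", "Lattice_SOC2_TypeII_2025.pdf p.4", date(2026, 10, 31)),
        Document("DPA", "Lattice_DPA_v3.pdf §3.2"),
    ],
)

if __name__ == "__main__":
    print(review(LATTICE, "2026-03-20"))
```

Run against the Lattice package as of 2026-03-20 the record comes back "conditional" with pen test and insurance missing, which matches the card; re-run after 2026-10-31 and the same package goes to "hold" because the SOC 2 has lapsed, which is why the expiry row belongs on the card rather than only in the original PDF.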