Regulatory Evidence
Evidence support for control workflows
Attesto provides evidence support for compliance controls. It does not certify legal compliance by itself. Customers remain responsible for legal interpretation, control design, source-system quality, and organizational procedures.
Control mapping methodology
Attesto maps evidence packs to compliance-support areas, not legal conclusions. Every mapping must describe what the evidence proves, what it does not prove, and what the customer must still do.

| Evidence pack | What it supports | Limitation |
|---|---|---|
| Lifecycle readiness | Event -> receipt -> window -> checkpoint -> witness -> anchor -> bundle -> offline verify. | Does not prove source decision correctness. |
| Fork defense | Conflicting history detection and verifier rejection of ambiguity. | Requires witness visibility over the affected stream. |
| Connector assurance | Real connector auth, replay handling, source reference, and revoke behavior. | Does not certify the external provider account or source process. |
| Local Vault assurance | Outbound relay, encrypted spool, source attestation, optional customer witness. | Customer must operate and secure the edge environment. |

EU AI Act support
Attesto evidence streams can support logging, traceability, technical documentation, post-market monitoring, and incident evidence for AI systems. Customers must decide which events are required for their AI system category and legal obligations.
NIS2 support
Attesto can support cybersecurity risk management evidence, supply-chain assurance, auditability, and incident evidence by recording ordered events and connector observations. Customers remain responsible for the actual security controls and governance.
Cyber Resilience Act support
Attesto can support product security evidence, vulnerability handling evidence, secure update evidence, and support-process traceability. It does not decide whether a product satisfies every CRA obligation.
ISO 27001, SOC 2, and eIDAS/evidence support
- ISO 27001: logging, access-control evidence, supplier assurance, incident management, integrity evidence.
- SOC 2: security, availability, processing integrity, confidentiality evidence.
- eIDAS/evidence: timestamps, electronic ledgers, integrity, and non-repudiation support.

For all of these areas, Attesto evidence supports an audit trail. It does not replace legal counsel, auditor judgment, or customer control ownership.
