How to Manage Your Evidence

Compliance evidence is supporting documentation, such as emails, screenshots, records, system export logs, business contracts, or statements, that demonstrate an organization or individual has met or is meeting the requirements of relevant laws, regulations, frameworks, standards, and industry best practises.

Access control

Evidence management is restricted to roles with the Manage evidence permission. Roles without this permission may only interact with evidence that they have uploaded themselves as a procedure step.

Task completion

Whenever you complete a task that requires you to upload a file, that file gets added to your evidence library. You can sort your evidence by file type, attached procedure, or attached clause.


Need to clear up some evidence? You can archive selected evidence easily. This moves the selected evidence to the Archived Evidence page.

Archiving selected evidence.

Archiving selected evidence.



Deleting of evidence is intentionally disabled to preserve the integrity of your procedures and maintain an audit trail.


Unarchiving evidence is just as easy, only it is done from the Archived Evidence page.


If you have the proper permissions, you can download evidence files either individually or in bulk by selecting the desired evidence and clicking the Download Selected button.

Activity audit

When a person downloads an evidence file, it is logged in the organization's Activity Tracking log. This allows you to see who downloaded what evidence, and when.

Vendor Agreements

Use this section to upload your specific vendor agreements as they relate to the secure handling and processing of your organization's data.

An example of the types of agreements you should be evaluating.

An example of the types of agreements you should be evaluating.

Whenever an organization uses a third-party vendor to process personal data (health or otherwise) on its behalf, there should be a binding agreement in writing.

Vendor agreement examples:

  • Business Associate Agreements (BAA)
  • Data Processing Agreements
    • Mandatory for GDPR
  • Data Protection Agreements
  • Data Processing Addendums

MedStack Vendor Agreements

All of MedStack's vendor agreements can be found on our legal documentation page. Notable agreements include, but aren't limited to:

Bulk Evidence

You can upload evidence independent of tasks and procedures and then link them back to your defined procedures and clauses. This is useful for evidence like security assessments and reports which may satisfy multiple conditions for clauses or procedures at once.

MedStack's Privacy Impact Assessment (PIA), Threat Impact Assessment (TRA), and SOC 2 Type 2 report uploaded as bulk evidence.

MedStack's Privacy Impact Assessment (PIA), Threat Impact Assessment (TIA)/Threat Risk Assessment (TRA), and SOC 2 Type 2 report uploaded as bulk evidence.