FAQs: Evidence and documentation: uploads, attachments, and proof in Secureframe

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Evidence and proof

Are evidence links compatible with Google Drive?

  • Yes, evidence links are compatible with Google Drive as long as the sharing settings are configured to “Anyone with the link.”

Besides collecting evidence, what else does the main POC need to do?

  • The main POC must track, organize, and store all evidence to ensure both the organization and auditor remain aware of what has been provided, accepted, reviewed, or is still outstanding.

Can you query data/evidence through an API call?

  • Yes, you can query evidence using Secureframe's API by calling the appropriate endpoints.

    Here's how:

    Use /evidences/{id} to retrieve a specific evidence item

    Use /controls or /tests to access related evidence and compliance data

    Use /users/{user_id}/evidences to get evidence tied to a specific user

    Authenticate with your API key and secret in each request

    Apply filters or pagination if needed for large datasets

    First, you will need to set up an API key: https://support.secureframe.com/hc/en-us/articles/38295501741459-Secureframe-Developer-Portal-API

    Once your API key is set up, you can visit our API Developer Portal, which provides documentation and tools to help developers integrate Secureframe with their existing systems.
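The steps above, worked through as an added example (this is not Secureframe's own code or SDK). It walks the `/users/{user_id}/evidences` endpoint page by page and fetches a single `/evidences/{id}` item. The base URL, the header names used to carry the key and secret, the environment variable names, and the paginated response shape (`{"data": [...], "next_page": N or null}`) are assumptions for the example and must be replaced with what the Developer Portal documents; the transport is injectable so the paging logic can be exercised offline.

```python
"""Added example, not Secureframe's code: paginated evidence lookups over the
endpoints named in the FAQ. Base URL, header names and response shape are
assumptions; take the real values from the Developer Portal."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

BASE_URL = "https://api.example.invalid/v1"  # placeholder base URL (assumption)

Fetch = Callable[[str, Dict[str, str]], dict]


def auth_headers(api_key: str, api_secret: str) -> Dict[str, str]:
    """Per-request auth headers. The header names are an assumption."""
    if not api_key or not api_secret:
        raise ValueError("API key and secret are both required")
    return {
        "X-Api-Key": api_key,
        "X-Api-Secret": api_secret,
        "Accept": "application/json",
    }


def http_get(url: str, headers: Dict[str, str]) -> dict:
    """Real transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_records(path: str, headers: Dict[str, str],
                 params: Optional[Dict[str, str]] = None,
                 per_page: int = 100, fetch: Fetch = http_get) -> Iterator[dict]:
    """Yield every record under `path`, following `next_page` until it is null.
    `params` carries optional filters, if the endpoint offers any."""
    page = 1
    while page:
        query = dict(params or {}, page=page, per_page=per_page)
        body = fetch(f"{BASE_URL}{path}?{urllib.parse.urlencode(query)}", headers)
        for record in body.get("data", []):
            yield record
        page = body.get("next_page")  # None on the last page ends the loop


def get_evidence(evidence_id: str, headers: Dict[str, str],
                 fetch: Fetch = http_get) -> dict:
    """GET /evidences/{id}: one evidence item. The id is URL-escaped so a
    caller-supplied value cannot change the request path."""
    return fetch(f"{BASE_URL}/evidences/{urllib.parse.quote(evidence_id, safe='')}", headers)


def user_evidences(user_id: str, headers: Dict[str, str],
                   fetch: Fetch = http_get) -> List[dict]:
    """GET /users/{user_id}/evidences with all pages collected into a list."""
    path = f"/users/{urllib.parse.quote(user_id, safe='')}/evidences"
    return list(iter_records(path, headers, fetch=fetch))


if __name__ == "__main__":
    import os
    # Environment variable names are this example's choice, not Secureframe's.
    hdrs = auth_headers(os.environ["SECUREFRAME_API_KEY"], os.environ["SECUREFRAME_API_SECRET"])
    for ev in user_evidences("some-user-id", hdrs):
        print(ev.get("id"))
```

Keep the key and secret out of source and logs (read them from the environment or a secret store, as the `__main__` block does) and never print the headers dict; the credentials are sent on every request, so a leaked log line is a leaked key.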

Do auditors expect fresh evidence even if nothing has changed since last year?

  • Yes. Auditors typically require evidence that has been updated within the current audit observation window, even if the content hasn’t materially changed. Re-uploading recent versions helps avoid delays.

Do evidence links work with Google Drive?

  • Yes, Google Drive links for evidence are acceptable, but make sure the sharing settings are set to public or that the file is shared with the specific set of people who need access.

Does Secureframe use customer proprietary information from AI features (e.g., evidence validation) for AI model training? Can you provide details or terms governing this use?

  • No — Secureframe does not use customer data to train AI models. Data processed by AI features, such as evidence validation, is only used for the specific purpose of delivering the requested service (e.g., validating audit evidence) and is not repurposed for AI model training.

    If needed, we can provide our Secureframe AI/ML Data Sheet, which outlines all specifics on data handling and use. For more information, please refer to our Terms and Conditions for details on data usage and AI features.

How do organizations collect evidence without Secureframe?

  • They manually gather data from multiple systems, request documents from various teams, and track everything using spreadsheets, leading to inefficiencies and delays.

How do you provide evidence of Organizational chart distribution?

  • If the chart is in Rippling or Gusto, screenshot where it is kept and who has access. If it’s in a Google Doc or Sheet, screenshot the doc showing access for all users. If only one person is in the company, explain that and see if it’s sufficient.

How does Secureframe automate evidence collection?

  • Secureframe integrates with tech stacks, tracks compliance status, and organizes evidence for audits.

How does Secureframe automate evidence mapping?

  • Secureframe pre-maps framework requirements, controls, and tests out of the box, eliminating manual mapping and reducing duplicate efforts.

How does Secureframe streamline evidence collection?

  • Secureframe automates evidence collection, organizes and maps it against compliance requirements, and presents it in an audit-ready format to save time and reduce audit stress.

How does Secureframe streamline evidence management?

  • Secureframe allows users to export evidence, organize it in a data room, and create audit-specific folders to securely manage and share compliance documentation.

How is audit evidence collected?

  • Evidence can be collected through documentation submission, live observations, meetings, interviews, and system exports.

Is there a way to archive evidence in bulk?

  • Not at this time, but our Product Team is actively working on a few automated features to handle bulk evidence archiving.

    I will have your Customer Success Manager share this information once that feature is released.

    Alternatively, you can keep an eye on our Product Release page: https://secureframe.com/product-updates

What challenges do companies face with evidence collection without Secureframe?

  • Manual evidence collection requires gathering data from multiple sources, managing inconsistent records, and responding to auditor requests through unsecured methods like email and shared folders.

What happens after the auditor has all the necessary evidence?

  • The auditor begins drafting the final report or certification. The type of final deliverable depends on the framework (e.g., SOC 2 report, ISO 27001 certification).

What happens if evidence is delayed?

  • Delayed evidence can cause delays in the audit report, which may impact compliance deadlines and business needs.

What is the evidence we can show from Secureframe about the off-boarding checklist for employees and contractors?

  • A documented checklist or ticket (if a ticket system is used) works as evidence. Secureframe also provides a template for this in the user access tracking test.

What kind of evidence is needed for Special interest groups?

  • Evidence would be a subscription to stay updated on security issues (e.g., new zero-day attacks). Subscribing to CISA and providing a CISA subscription or an example email newsletter would suffice.

What kind of evidence is required for Sensitive data handling after authorization?

  • Sensitive authentication data (CVV, Stripe data, and PINs) should not be stored after authorization. Evidence should show that sensitive data is not being stored post-authorization.

What kind of evidence would satisfy Physical intrusion detection systems? (e.g., burglar alarm system and keycard logs)

  • A monthly bill from the alarm company and an excerpt from the keycard system logs would suffice. However, it’s a good idea to confirm whether the location is in scope.

What should evidence provided to customers by multi-tenant service providers include?

  • Evidence provided to customers can include redacted penetration testing results but needs to include sufficient information to prove that all elements of Requirements 11.4.3 and 11.4.4 have been met on the customer’s behalf.

What type of evidence is needed for inactive user accounts?

  • Acceptable evidence includes: audit logs showing last login, automated deactivation settings (e.g., 90-day inactivity), and reports from your identity provider (e.g., Okta, Azure AD) showing disabled users. [PCI DSS Req. 8.2.8]
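An added example (not Secureframe's code) of producing the third kind of evidence listed above, a report of inactive accounts derived from an identity-provider user export. The CSV is constructed for the example; real Okta or Azure AD exports use their own column names and date formats, so map those before use. Accounts with no login at all are flagged separately, since a pure "last login older than 90 days" filter would silently pass them.

```python
"""Added example, not Secureframe's code: flag ACTIVE accounts idle beyond a
threshold from a constructed identity-provider export."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample export: one row per account, ISO-8601 UTC last login, blank = never.
SAMPLE_EXPORT = """\
user,status,last_login
alice,ACTIVE,2024-05-20T09:12:00Z
bob,ACTIVE,2024-01-03T17:45:00Z
carol,ACTIVE,
dave,DEPROVISIONED,2023-11-30T08:00:00Z
"""


def parse_login(value: str) -> Optional[datetime]:
    """Blank means the account never logged in; otherwise an aware UTC datetime."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inactive_accounts(export_csv: str, as_of: datetime,
                      max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, reason) for every ACTIVE account idle longer than the threshold.
    Never-logged-in accounts are flagged too, since an idle threshold alone misses them."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["status"].upper() != "ACTIVE":
            continue  # already disabled; that row is itself evidence the control works
        last = parse_login(row["last_login"])
        if last is None:
            findings.append((row["user"], "never logged in"))
        elif last < cutoff:
            findings.append((row["user"], f"last login {last.date()} ({(as_of - last).days} days ago)"))
    return findings


def evidence_report(export_csv: str, as_of: datetime, max_idle_days: int = 90) -> str:
    """Plain-text summary suitable for uploading alongside the raw export."""
    findings = inactive_accounts(export_csv, as_of, max_idle_days)
    lines = [
        f"Inactive-account review as of {as_of.date()} (threshold {max_idle_days} days)",
        f"Accounts requiring deactivation: {len(findings)}",
    ]
    lines += [f"  - {user}: {reason}" for user, reason in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(SAMPLE_EXPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Upload the raw export together with the generated summary: the export is the system-of-record evidence, the summary shows the review actually happened and what was done with each flagged account.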

What type of evidence is required for the Segregated production and development environments?

  • Any screenshot showing that different environments (development, staging, QA, production) are created for different functions. This can be within their version control tool or CSP, and auditors will accept either.

What type of evidence to satisfy Independent approval for infrastructure?

  • There should be an internal ticket or request for infrastructure changes. Evidence would be proof that you're tracking those requests. If you don't have a ticket, evidence of a meeting or documentation that supports authority approval would work.

What type of evidence to satisfy internal and external communications channels?

  • For internal communication, a screenshot of internal tools (Teams, Slack) showing communication intent is sufficient. For external communication, an email example or a page on the website would work.

What type of evidence to satisfy Nonconformity tracking?

  • You need to keep track of nonconformities (gaps found during audits). A log should be maintained, and a template is available in Secureframe.

What type of evidence to satisfy Privacy Page and/or Security Page?

  • As long as there is verbiage about confidentiality on the website or in terms of service, MSA, or equivalent document, that is sufficient evidence.

What type of evidence to satisfy System change tracking and resolution?

  • Any documentation or internal tickets showing communication regarding system changes.

Why is hashing and freezing evidence important after an audit?

  • Post-audit, evidence should be preserved in a static, unaltered state to meet regulatory requirements. If files remain “live” in a syncing system, any changes—even metadata updates—can alter the hash and invalidate the preserved evidence. A snapshot and hash process ensures compliance and audit defensibility.
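The snapshot-and-hash process described above, as an added example (not Secureframe's own tooling). It assumes the evidence has already been exported as static files into one directory outside any syncing system, records a SHA-256 per file plus one hash over the whole manifest, and later reports anything missing, modified, added, or any edit to the manifest itself. The manifest layout is this example's own.

```python
"""Added example, not Secureframe's tooling: freeze an evidence folder with a
SHA-256 manifest and verify it later."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Content hash, streamed so large exports are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _rel(root: Path, path: Path) -> str:
    return path.relative_to(root).as_posix()


def _files_digest(files: Dict[str, dict]) -> str:
    """One hash over the sorted entries; this is the value to record with the auditor."""
    return hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root (the manifest itself excluded)."""
    files = {
        _rel(root, p): {"sha256": sha256_file(p), "bytes": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file() and _rel(root, p) != MANIFEST_NAME
    }
    return {
        "frozen_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
        "manifest_sha256": _files_digest(files),
    }


def manifest_intact(manifest: dict) -> bool:
    """Detects edits to the manifest itself, e.g. a replaced per-file hash."""
    return manifest.get("manifest_sha256") == _files_digest(manifest.get("files", {}))


def verify(root: Path, manifest: dict) -> List[str]:
    """Return findings; an empty list means the folder still matches the freeze."""
    if not manifest_intact(manifest):
        return ["manifest: recorded manifest_sha256 does not match its entries"]
    findings = []
    recorded = manifest["files"]
    for rel, info in recorded.items():
        p = root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != info["sha256"]:
            findings.append(f"modified: {rel}")
    for p in sorted(root.rglob("*")):
        rel = _rel(root, p)
        if p.is_file() and rel != MANIFEST_NAME and rel not in recorded:
            findings.append(f"unexpected: {rel}")
    return findings


def freeze(root: Path) -> Path:
    """Write the manifest beside the evidence; keep a second copy (or just the
    manifest_sha256 value) somewhere the evidence folder cannot overwrite."""
    manifest = build_manifest(root)
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


if __name__ == "__main__":
    import sys
    folder = Path(sys.argv[1])
    print("frozen:", freeze(folder))
    print("findings:", verify(folder, json.loads((folder / MANIFEST_NAME).read_text())))
```

The per-file hash covers content only, so a touched modification time does not raise a finding, while a single changed byte does. That is the reason to freeze exported static files rather than documents still open in a collaborative editor: an export of a live document embeds its metadata, so even a metadata-only change there produces a different file and a different hash.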

Why is it important to provide evidence ahead of time?

  • Providing evidence early allows auditors to review it in advance, reducing delays and making the audit process more efficient.

Why must evidence collection be done before the audit?

  • Many auditors will not start the audit without a majority of the evidence available for review. If someone doesn’t have all their evidence ready due to a lack of understanding, it creates a bottleneck in the audit process.

What is an evidence request list (ERL)?

  • It is a list provided by the auditor outlining the evidence needed to complete the audit.

What should be captured in documented evidence of responses to security failures?

  • Actions and responses to the failure.

What should documented evidence provide?

  • Documented evidence (for example, records within a problem management system) should provide support that processes and procedures are in place to respond to security failures.

What can you do inside the Enclave — can you run code, open secure attachments, and use a CAC?

  • Yes to all three, with one caveat.

    For example, you could execute Golang or Python code inside the Enclave just as you would on a normal laptop or desktop.

    You can also securely open attachments sent via secure email or SAFE. For CAC (Common Access Card) support, it depends on whether your computer application supports it — if it does, CAC will work inside the Enclave as well.

How can I find the justification or reason for a Pass with Upload status?

  • When a test is marked as Pass with Upload, there is no separate justification field. The uploaded document(s) serve as the justification, since they are the evidence demonstrating that the test is passing.

Do you have access to https://developer.secureframe.com?

  • Yes! We’ve uploaded all the URLs and content from our Developer Portal. You can now ask direct questions about Secureframe’s API, endpoints, authentication, webhooks, and more, and we’ll help guide you to the right documentation.

How do I satisfy Deletion and retention of customer data?

  • Use Secureframe’s data deletion template for requested deletions. If no deletion requests have been made, upload the blank template as evidence.

How does Secureframe ensure its platform meets real-world compliance needs?

  • Secureframe has gone through its own compliance audits, applying lessons learned to improve the platform’s workflows, evidence management, and framework mappings based on both internal experience and assessor feedback.

How does Secureframe help with compliance?

  • Secureframe automates compliance processes, integrates with tech stacks, manages evidence, and simplifies audits.

Can Secureframe help us with HITRUST E1 compliance?

  • Yes, Secureframe can support your HITRUST E1 (and i1) journey.

    While we don’t yet offer a turnkey HITRUST solution, we can help you build a custom framework in the platform that aligns with HITRUST E1 requirements.

    We partner closely with A-LIGN, a certified HITRUST assessor, who will handle the evidence upload and mapping to MyCSF, so you don’t need to log into MyCSF or manage that process directly. A-LIGN's support is included in the cost of the assessment, and they offer competitive pricing compared to other HITRUST assessors.

    Once the E1 or i1 framework is built within Secureframe (targeting completion by end of September), customers will be able to view the health status of their HITRUST controls directly in Secureframe, avoiding the need to monitor compliance in multiple platforms.

    While competitors like Vanta offer a direct sync with MyCSF, the result is effectively the same: in both cases, your evidence gets mapped to MyCSF without manual effort, and A-LIGN’s hands-on approach ensures a smooth, guided experience.

How are assets tracked without Secureframe?

  • Organizations manually track assets using spreadsheets and other documentation, making it difficult to maintain compliance and generate evidence for audits.

If a Company already has policies in place, can they simply upload those policies to Secureframe and use them in place of our out-of-box policies?

  • Yes, but there is a risk that their existing policies may not meet all compliance needs. We recommend reconciling their policies with our templates to fill any gaps.
