Evidence & reports
Everything the platform records — enrollments, publishes, rollouts, rollbacks, incident steps, vulnerability triage — feeds a small set of exports you can hand to an assessor, a buyer, or a regulator. Each one is computed from the recorded audit log and registry, never asserted ahead of it.
The audit log
Every meaningful action is written to an append-only log where each entry is hash-chained to the one before it. Altering any stored row — even by a database administrator — breaks the chain, and the break is detectable.
You can export the full log as line-delimited JSON. The chain is verified during export and the verdict travels with it: the export states how many events it covers, whether the chain verified, and the head hash. When export signing is configured, a detached signature over the whole export is appended, and the verifying public key is published so a notified body or auditor can check it without trusting the inline copy.
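The check an auditor can run independently on such an export looks like the following. This is an added example, not the platform's own code: the field names (`body`, `prev_hash`, `hash`, `summary`), the all-zero genesis value, and the SHA-256-over-canonical-JSON construction are assumptions, since the page does not specify the export schema.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash plus the canonical JSON of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def build_export(bodies):
    """Build a constructed export: one JSON line per event, then a summary."""
    lines, prev = [], GENESIS
    for body in bodies:
        digest = entry_hash(prev, body)
        lines.append(json.dumps({"body": body, "prev_hash": prev, "hash": digest}))
        prev = digest
    summary = {"events": len(bodies), "chain_verified": True, "head_hash": prev}
    lines.append(json.dumps({"summary": summary}))
    return lines

def verify_export(lines):
    """Recompute the chain; return (ok, events_verified, head_hash, reason)."""
    prev, count, summary = GENESIS, 0, None
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        if "summary" in rec:
            summary = rec["summary"]
            continue
        if summary is not None:
            return False, count, prev, f"line {n}: event after summary"
        if rec["prev_hash"] != prev:
            return False, count, prev, f"line {n}: prev_hash does not match"
        if entry_hash(prev, rec["body"]) != rec["hash"]:
            return False, count, prev, f"line {n}: hash does not match content"
        prev, count = rec["hash"], count + 1
    if summary is None:
        return False, count, prev, "no summary line"
    if summary["events"] != count or summary["head_hash"] != prev:
        return False, count, prev, "summary does not match recomputed chain"
    return True, count, prev, "ok"

# Constructed sample events, for illustration only.
SAMPLE = [
    {"action": "enroll", "device": "dev-1"},
    {"action": "publish", "artifact": "fw-1.0"},
    {"action": "rollout", "artifact": "fw-1.0"},
]
```

The summary comparison catches a truncated export only if the summary itself is authenticated, which is what the detached signature over the whole export provides.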
Framework readiness report
The readiness report evaluates a framework's requirement set against your recorded facts and renders the result as a branded PDF — the document an assessor or buyer files. Each requirement carries an honest status:
| Status | Meaning |
|---|---|
| Met | A computed check confirms it. |
| Partial | Evidenced, but needs attention. |
| Manual | A control the platform provides; you operate it. |
| Gap | Not yet available in the platform. |
The report includes the underlying evidence counts — devices under management, artifacts published, rollouts performed, automatic rollbacks, SBOM coverage, audit events recorded and chain integrity, plus any overdue incident steps. The EU CRA profile is the default; the same recorded reality renders against the other supported frameworks too.
When signing is configured, the report carries a provenance page: the evidence is bound into a canonical payload, and the report identifier and signature derive from its digest, so a tampered fact no longer matches the signature.
Vulnerability report
A companion PDF summarises the current vulnerability posture across your artifacts — open findings, severity breakdown, and the per-artifact picture drawn from the vulnerability watch. Like the readiness report, it can be signed.
Keeping reports current
Reports reflect a moment in time, and your fleet keeps moving. Two mechanisms keep the evidence honest:
- Freshness tells you whether the live evidence still matches the last archived report, or whether it has drifted and is due for a refresh.
- Archiving snapshots a report — but only when the underlying evidence actually changed (a new payload digest). That keeps the history a meaningful series of material changes rather than a pile of identical PDFs. A scheduler can archive on an interval, building the evidence series automatically, and a quiet period costs nothing.
Archived reports are retained and can be re-downloaded by their identifier.
A note on framing
These reports assemble and evidence; they do not certify. Submission and certification remain the manufacturer's act, and each report says so plainly. The platform only ever handles metadata — the contents your application processes are never inspected, copied or exported.