Evidence attachments
Attach a vendor's compliance evidence — SOC 2 / ISO 27001 / pen-test reports and the executed BAA — directly to its record. The attachment metadata lives with the vendor; the file bytes go to cloud object storage when you're signed in, or stay in the browser session otherwise.
Attaching a document
- Open the vendor → Evidence attachments card.
- Choose the kind: soc2, iso27001, pentest, baa, questionnaire, or other.
- For time-bound attestations (SOC 2 / pen-test), set Valid until so you can track when the evidence goes stale.
- Choose the file and click Attach document.
| Rule | Value |
|---|---|
| Allowed file types | pdf, png, jpg, jpeg, csv, xlsx, docx |
| Maximum size | 25 MB |
| Empty files | Rejected ("empty file") |
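The rules in the table above can be checked before any upload starts. The following is an added example, not the product's own code: `validateAttachment`, the signature table, every error string except "empty file", and the reading of 25 MB as 25 × 1024 × 1024 bytes are assumptions. It also goes one step beyond the table by comparing the file's leading bytes with its extension, so a renamed file is caught.

```javascript
// Added example: checks a candidate attachment against the rules table.
// Names and error strings (except "empty file") are illustrative assumptions.
const KINDS = ["soc2", "iso27001", "pentest", "baa", "questionnaire", "other"];
const MAX_BYTES = 25 * 1024 * 1024; // assumption: "25 MB" read as 25 MiB
const ZIP = [0x50, 0x4b, 0x03, 0x04]; // xlsx and docx are ZIP containers
// Leading bytes expected for each allowed extension; csv has no signature.
const MAGIC = {
  pdf: [0x25, 0x50, 0x44, 0x46, 0x2d], // "%PDF-"
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  jpeg: [0xff, 0xd8, 0xff],
  xlsx: ZIP,
  docx: ZIP,
  csv: null,
};
const fail = (error) => ({ ok: false, error });

// file: { name: string, bytes: Uint8Array }; returns { ok, error }.
function validateAttachment(file, kind) {
  if (!KINDS.includes(kind)) return fail("unknown kind");
  const dot = file.name.lastIndexOf(".");
  const ext = dot > 0 ? file.name.slice(dot + 1).toLowerCase() : "";
  if (!Object.prototype.hasOwnProperty.call(MAGIC, ext)) {
    return fail("file type not allowed");
  }
  if (file.bytes.length === 0) return fail("empty file");
  if (file.bytes.length > MAX_BYTES) return fail("file too large");
  const sig = MAGIC[ext];
  // A file shorter than its signature fails too: missing bytes never match.
  if (sig && !sig.every((b, i) => file.bytes[i] === b)) {
    return fail("content does not match extension");
  }
  return { ok: true, error: null };
}

// Constructed sample inputs (not real documents).
const enc = (s) => new TextEncoder().encode(s);
const samples = [
  [{ name: "soc2-2024.pdf", bytes: enc("%PDF-1.7\n...") }, "soc2"],
  [{ name: "report.pdf", bytes: enc("<html>not a pdf</html>") }, "pentest"],
  [{ name: "baa.docx", bytes: new Uint8Array(0) }, "baa"],
  [{ name: "notes.exe", bytes: enc("plain text") }, "other"],
];
for (const [file, kind] of samples) {
  console.log(file.name, kind, validateAttachment(file, kind));
}
```

Checks that run in the browser are advisory when the bytes go straight to object storage; the same limits belong wherever the presigned upload URL is issued.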
The two storage modes
| Mode | When | Behavior |
|---|---|---|
| Cloud (R2) | Signed in to the cloud tier | The browser gets a short-lived presigned upload URL and PUTs the bytes straight to Cloudflare R2 (browser → R2; the bytes never pass through a Dosanjh Labs server). Only metadata (object key, size, kind, expiry) is recorded on the vendor. Opening uses a presigned download URL. The row shows · R2. |
| Local stub (free / offline) | Signed out or offline | The file stays as a session-only object in your browser so Open works this session. The row shows · local (not uploaded). |
Local stub bytes don't survive a reload. In stub mode, only the metadata persists. After you reload the page, clicking Open on a stub attachment shows: "This stub attachment's bytes were dropped on reload. Re-attach to view, or sign in to Cloud to store it in R2." This is intentional — bytes are never silently persisted locally.
Deferred: the live R2 path is gated behind a signed-in transport. The presigned-URL endpoints on the cloud side are wired as a clean boundary and will be enabled with the hosted storage backend; until then, signing in injects the transport but the live upload depends on that backend being reachable. The local-stub path always works.
Executed BAA documents
Attaching a file with kind baa records the executed BAA document for the vendor. Combined with the BAA's Term end date, this drives the executed-document expiry flag (current / expiring / expired). See BAA tracking → Executed-document tracking.
Opening & removing
- Open resolves a URL (presigned R2 in cloud mode; the session object URL in stub mode) and opens it in a new tab.
- ✕ removes the attachment and revokes the local object URL.
Not yet available: automatic evidence extraction from uploaded PDFs and a BAA template merge-engine / e-sign are planned for a later wave. Today you attach finished documents and track them.