Evidence Collection
Evidence proves a control is implemented and working. In Matproof, every control has an evidence panel that pulls from four different sources:

| Source | What it covers |
|---|---|
| Integrations | Cloud, identity, source-control, ticketing systems — automated |
| Device Agent | Endpoint compliance signals from each user’s machine — automated |
| Cloud Tests | Continuous configuration checks against AWS / Azure / GCP — automated |
| Penetration tests | AI-powered or third-party pen-test reports — semi-automated |
| Manual upload | Any document, screenshot, or report that an integration can’t capture |
Automated: integrations
Connect tools you already use and Matproof scans them on a schedule, populating evidence on every control they cover.

| Integration | Evidence collected | Controls typically covered |
|---|---|---|
| GitHub / GitLab / Bitbucket | Branch protection rules, PR review requirements, signed-commits policy, access logs, secret scanning status | Change management, secure SDLC, source-code access |
| Google Workspace | User list, role assignments, MFA enforcement, admin audit logs, group memberships | Identity & access, awareness training |
| Microsoft Entra ID (Azure AD) | Conditional access policies, MFA enforcement, admin role assignments, sign-in logs | Identity & access |
| AWS | IAM policies, encryption-at-rest configuration, CloudTrail logging, S3 public-access settings, GuardDuty status | Cryptography, access control, logging, threat detection |
| Azure | RBAC assignments, encryption settings, Defender for Cloud findings, activity logs | Same control families as AWS |
| GCP | IAM policies, encryption settings, Security Command Center findings | Same control families as AWS |
| Okta | User lifecycle, MFA factors, app assignments, audit logs | Identity & access |
| Jira / Linear | Ticket data for incident records, change requests, approval workflows | Incident management, change management |
| Aikido Security | Vulnerability findings ingested as Findings | Vulnerability management |
Connecting an integration
Open Settings → Integrations
Go to Settings → Integrations. Each integration shows whether it’s currently connected and what it covers.
Click Connect
For OAuth integrations (Google Workspace, Okta, GitHub), you’ll be redirected to authorize Matproof on the third-party side and then back. For API-key integrations (AWS, some custom systems), paste credentials with the documented minimum permissions.
Wait for the first scan
The first scan typically takes 5–30 minutes depending on the size of the connected system. You’ll see evidence start appearing on relevant controls as the scan completes.
Automated: Device Agent
The Matproof Device Agent runs on each team member’s macOS or Windows machine and reports endpoint compliance signals every hour: disk encryption, screen lock, OS patch level, antivirus, firewall, MDM enrollment, plus a 6-hourly software inventory that’s matched against the NVD CVE database for vulnerable installed apps. Device-agent evidence flows to controls like:

- ISO 27001 A.8.1 (User endpoint devices), A.8.7 (Protection against malware), A.8.8 (Management of technical vulnerabilities)
- SOC 2 CC6.1, CC6.6, CC7.1
- HIPAA 164.308, 164.310, 164.312
- NIS2 Article 21(2)(d), 21(2)(g)
- DORA Article 9
- PCI DSS 6.3.1, 8.6.3
Automated: Cloud Tests
Cloud Tests run continuous configuration checks against your AWS / Azure / GCP environments — separate from the integration scan, focused on misconfigurations rather than identity. Failed checks produce findings; passing checks produce evidence.

Automated: Penetration Tests
Penetration Tests generates an AI-powered external pen-test report against a target URL on demand. The resulting findings flow into the Findings module; the report itself can be attached as evidence on annual-pen-test controls. For third-party penetration tests (when an external firm runs the test), upload the report manually as evidence on the relevant control.

Manual evidence upload
For controls that can’t be covered by an integration — internal procedures, BCP test results, board minutes, awareness-training screenshots, vendor SOC 2 reports — upload manually:

Open the control
Go to Controls (under whichever framework or via the unified controls list) and open the control you want to evidence.
Click Add evidence
Choose between Upload file (any format), Add link (URL to an external system), or Add note (text-only attestation).
Set metadata
- Description — what this evidence demonstrates
- Expiry date — when the evidence becomes stale (defaults are sensible per control type)
- Owner — usually the person responsible for refreshing it
Bulk upload
For initial setup or annual refreshes, upload many files at once:

- Go to Evidence → Bulk upload
- Download the evidence-mapping template (CSV)
- Fill in: filename, control IDs, description, expiry date
- Upload the ZIP containing both the template and the files
Evidence expiry
Every piece of evidence has an expiry date. Matproof emails the evidence owner 30 days before expiry so there’s time to collect a refresh. Sensible defaults by evidence type:

| Evidence type | Default expiry |
|---|---|
| Access reviews | 6 months |
| Awareness training records | 12 months |
| Penetration test reports | 12 months |
| BCP / DR test results | 12 months |
| Vendor risk assessments | 12 months |
| Policy acknowledgements | 12 months |
| Cryptography algorithm review | 24 months |
| Risk assessment | 12 months |
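The bulk-upload template and the expiry defaults above both lend themselves to a pre-upload check. The following added example is not Matproof’s own code: the template column names, the evidence-type labels and the sample rows are assumptions. It validates a constructed mapping CSV, fills in the default expiry from the table when a row leaves it blank, flags rows that are missing a file or are already inside the 30-day reminder window, and packs the template plus files into the ZIP the Bulk upload step expects.

```python
import calendar, csv, io, zipfile
from datetime import date, timedelta

DEFAULT_EXPIRY_MONTHS = {  # months, from the expiry table above (labels assumed)
    "access review": 6, "awareness training": 12, "pen test report": 12,
    "bcp/dr test": 12, "vendor risk assessment": 12, "policy acknowledgement": 12,
    "crypto algorithm review": 24, "risk assessment": 12,
}
REMINDER_DAYS = 30  # Matproof emails the owner this many days before expiry

# Constructed sample manifest; the column names are assumptions, not the real template.
MANIFEST_CSV = """filename,control_ids,evidence_type,description,expiry_date
access-review-q1.pdf,A.5.18;CC6.3,access review,Q1 access review sign-off,
pentest-2024.pdf,A.8.8;CC7.1,pen test report,External pen-test report,2025-01-15
"""
FILES = {"access-review-q1.pdf": b"constructed PDF bytes"}  # pen-test file deliberately absent

def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day to the target month's length."""
    m0 = d.month - 1 + months
    year, month = d.year + m0 // 12, m0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def resolve_rows(manifest_csv: str, files: dict, today: date) -> list[dict]:
    """Parse the manifest, fill default expiries, and flag rows a reviewer would bounce."""
    rows = []
    for r in csv.DictReader(io.StringIO(manifest_csv)):
        problems = []
        if r["filename"] not in files: problems.append("file not in upload set")
        if not r["control_ids"].strip(): problems.append("no control IDs")
        if r["expiry_date"]:
            expiry = date.fromisoformat(r["expiry_date"])
        else:  # apply the per-type default when the template leaves expiry blank
            months = DEFAULT_EXPIRY_MONTHS.get(r["evidence_type"].strip().lower())
            expiry = add_months(today, months) if months else None
            if expiry is None: problems.append("unknown evidence type, set expiry explicitly")
        if expiry and expiry - timedelta(days=REMINDER_DAYS) <= today:
            problems.append("already inside the 30-day reminder window")
        rows.append({**r, "expiry": expiry, "problems": problems})
    return rows

def build_bulk_zip(manifest_csv: str, files: dict) -> bytes:
    """Pack the mapping template plus every file into one ZIP for Evidence -> Bulk upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("evidence-mapping.csv", manifest_csv)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run `resolve_rows` first and only build the ZIP once every row's `problems` list is empty; uploading evidence that is already near expiry just creates a reminder email a few days later.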
Evidence Review
Evidence isn’t useful unless someone checks it. The Evidence Review module gives compliance leads a workflow to approve, reject, or request more from each piece of evidence as it arrives. Auditors typically expect this review trail.