
Overview

The Evidence Review workflow ensures that every piece of compliance evidence is validated before it counts toward your control status. Team members submit evidence, reviewers approve or reject it with comments, and every action is recorded in an immutable activity log that auditors can inspect.
Evidence Review is enabled by default. To configure who can approve evidence, go to Settings → Roles & Permissions.

How it works

1. Submit evidence

When a team member collects evidence for a control:
  • Go to Controls and open the relevant control
  • Click Add evidence
  • Upload the file or link the automated evidence source
  • Add a description explaining what the evidence demonstrates
  • Click Submit for review

The evidence status changes to Pending review and the assigned reviewer is notified.

2. Review and decide

Reviewers see pending evidence in their Review queue (accessible from the sidebar or dashboard):
  • Open the evidence item
  • Review the uploaded file or linked data
  • Check that the evidence actually demonstrates the control requirement
  • Choose one of:
    • Approve - evidence is accepted and the control status updates accordingly
    • Reject - evidence is sent back with a comment explaining what needs to change
    • Request changes - evidence stays in the queue with specific feedback for the submitter

3. Resubmit if needed

If evidence is rejected or changes are requested:
  • The submitter receives a notification with the reviewer's comments
  • The submitter uploads corrected evidence or adds clarification
  • The evidence re-enters the review queue

Activity audit log

Every evidence action is recorded in the activity log with:

  Field             Description
  Timestamp         Exact date and time of the action
  User              Who performed the action
  Action            Submitted, approved, rejected, requested changes, resubmitted, expired
  Comment           Any notes or feedback provided
  Evidence version  Which version of the evidence the action applies to

The activity log is immutable - entries cannot be edited or deleted. This provides the complete chain of custody that auditors require. To view the log:
  1. Open any evidence item
  2. Click the Activity tab
  3. The full history is displayed in chronological order

During audits, export the activity log for specific controls by going to Controls → Export and selecting Include evidence activity log. This gives auditors the evidence chain without needing platform access.

Review queue

The review queue aggregates all pending evidence across your organization:
  • Access it from Evidence → Review queue in the sidebar
  • Filter by framework, control, submitter, or date
  • Sort by submission date to process the oldest items first
  • Bulk approve multiple items if they share the same review criteria

Configuring reviewers

By default, the Owner and Admin built-in roles can approve evidence. Auditor, Employee, and Contractor can submit but not approve. To grant approval rights to additional people without elevating them to Admin, define a custom role with the evidence-approval permission:
  1. Go to Settings → Roles & Permissions
  2. Click New role and grant the Evidence module's Approve permission (alongside any other permissions the role needs, usually View on Controls and Frameworks)
  3. Assign that custom role to the people you want as reviewers
  4. Optionally, configure per-framework reviewers so that DORA evidence is reviewed by one team and ISO 27001 evidence by another

See Roles & Permissions for the full role model and how custom roles work.

Segregation of duties matters for audits. The person who submits evidence should not be the same person who approves it. Configure your roles to enforce this separation.
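To make the activity-log fields and the segregation-of-duties rule above concrete, here is a small constructed model of the workflow (added example code, not matproof's implementation). Which roles hold the Evidence "Approve" permission, and the "Evidence reviewer" custom role name, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of the review workflow on this page, not the platform's own
# code. Which roles hold the Evidence "Approve" permission is an assumption.
APPROVER_ROLES = {"Owner", "Admin", "Evidence reviewer"}  # last one: a custom role
DECISIONS = {  # decision -> (activity-log action, resulting evidence status)
    "approve": ("approved", "approved"),
    "reject": ("rejected", "rejected"),
    "request changes": ("requested changes", "changes requested"),
}

@dataclass(frozen=True)
class LogEntry:           # the five fields the activity log records
    timestamp: datetime
    user: str
    action: str
    comment: str
    version: int

class Evidence:
    def __init__(self, control: str):
        self.control, self.status, self.version, self.submitter = control, "draft", 0, None
        self._log: list[LogEntry] = []   # append-only: entries are never edited or deleted

    def log(self) -> tuple[LogEntry, ...]:
        return tuple(self._log)          # read-only view of the chain of custody

    def _record(self, user: str, action: str, comment: str) -> None:
        self._log.append(LogEntry(datetime.now(timezone.utc), user, action, comment, self.version))

    def submit(self, user: str, description: str) -> None:
        if self.status not in ("draft", "rejected", "changes requested"):
            raise ValueError(f"cannot submit evidence in status {self.status!r}")
        self.version += 1                # every (re)submission is a new evidence version
        self.submitter, self.status = user, "pending review"
        self._record(user, "submitted" if self.version == 1 else "resubmitted", description)

    def review(self, reviewer: str, role: str, decision: str, comment: str = "") -> None:
        if self.status != "pending review":
            raise ValueError("evidence is not pending review")
        if role not in APPROVER_ROLES:
            raise PermissionError(f"role {role!r} lacks the Approve permission")
        if reviewer == self.submitter:   # segregation of duties: never approve your own evidence
            raise PermissionError("submitter cannot review their own evidence")
        action, new_status = DECISIONS[decision]
        if decision != "approve" and not comment:
            raise ValueError("rejections and change requests must carry a comment")
        self.status = new_status
        self._record(reviewer, action, comment)
```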

Automatic evidence review

For evidence collected automatically from integrations (GitHub, AWS, Google Workspace, etc.), you can configure auto-approval rules:
  1. Go to Settings → Evidence → Auto-approval
  2. Define rules based on evidence source and type
  3. Automated evidence that matches a rule is approved automatically
  4. A log entry records the auto-approval with the rule that triggered it

Auto-approval is useful for recurring, well-understood evidence (like MFA status checks or access logs) where manual review adds no value.

Auto-approved evidence is still visible in the activity log and can be manually revoked if needed.