Evidence Collection
Evidence is the foundation of compliance. Claw GRC gives you multiple ways to gather it — manual uploads, drag-and-drop, API submissions, and automated collection from your integrations.
Evidence Types
Claw GRC accepts a wide variety of evidence formats. When uploading, you'll select the evidence type to help auditors understand what the document represents. The type also affects which controls the evidence can be mapped to.
| Evidence Type | Description |
|---|---|
| policy | Written policies (PDF, DOCX) — e.g., Information Security Policy, Acceptable Use Policy |
| procedure | Step-by-step operational procedures documenting how controls are implemented |
| screenshot | Visual evidence of system configurations, dashboard settings, or access controls |
| log | System, application, or audit logs demonstrating activity monitoring |
| configuration | Configuration files, Terraform plans, or exported cloud configuration reports |
| certificate | Security certificates, penetration test reports, third-party audit reports |
| training_record | Records of security awareness training completion for employees |
| vendor_assessment | Vendor SOC 2 reports, security questionnaires, or third-party reviews |
| code_review | Code review records, PR approval histories, or signed commit logs |
| system_report | Automated reports from integrated systems (auto-collected via integrations) |
| test_result | Penetration test results, vulnerability scan outputs, or DR test reports |
| contract | Data processing agreements, BAAs, or vendor contracts with security clauses |
Uploading Evidence
Manual upload
Navigate to Dashboard → Evidence → Upload Evidence, or use the quick action from the dashboard. The upload form accepts:
- Drag-and-drop files directly into the upload zone
- Click to select from your file system
- Multiple files in a single upload (batch upload)
Supported file formats: PDF, DOCX, XLSX, PNG, JPG, WEBP, TXT, CSV, JSON, YAML, ZIP. Maximum file size is 50 MB per file, 500 MB per batch.
Presigned URL upload flow
For programmatic uploads (from CI/CD pipelines, agent tools, or custom scripts), Claw GRC uses a presigned URL pattern. This lets you upload directly to cloud storage without proxying through the API, keeping the API fast while supporting large files.
# Step 1: Request a presigned upload URL
curl -X POST https://api.clawgrc.com/api/v1/evidence/upload-url -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -d '{
"filename": "access-control-policy.pdf",
"content_type": "application/pdf",
"evidence_type": "policy",
"control_ids": ["ctrl_cc6_1", "ctrl_cc6_2"]
}'
# Response:
# {
# "upload_url": "https://storage.googleapis.com/claw-evidence/...",
# "evidence_id": "ev_01J8X3...",
# "expires_at": "2026-03-14T13:34:00Z"
# }
# Step 2: Upload directly to the presigned URL
curl -X PUT "https://storage.googleapis.com/claw-evidence/..." -H "Content-Type: application/pdf" --data-binary @access-control-policy.pdf
# Step 3: Confirm upload complete
curl -X POST https://api.clawgrc.com/api/v1/evidence/ev_01J8X3.../confirm -H "Authorization: Bearer YOUR_TOKEN"
# Step 4: Download evidence later
curl https://api.clawgrc.com/api/v1/evidence/ev_01J8X3.../download -H "Authorization: Bearer YOUR_TOKEN"
# Returns: { "download_url": "https://storage.googleapis.com/..." }
Presigned URLs expire in 15 minutes
Always complete the upload within 15 minutes of requesting the presigned URL. If the URL expires before upload, request a new one — the evidence_id is reserved and will be reused.
Linking Evidence to Controls
Evidence becomes useful only when it's linked to the controls it satisfies. You can link evidence during upload or afterward:
- Open any evidence item from Evidence → [Evidence Name]
- Click Link to Controls in the sidebar
- Search for controls by name, ID, or category
- Select one or more controls and click Link
You can also link in bulk from the Control view — open a control, go to the Evidence tab, and attach any previously uploaded evidence items.
Auto-Collection from Integrations
When you connect integrations (GitHub, AWS, Okta, etc.), Claw GRC automatically collects evidence on a schedule. Auto-collected evidence is flagged with an "auto" badge in the evidence list.
| Integration | Auto-Collected Evidence |
|---|---|
| GitHub | Branch protection status, PR approval logs, code signing status, dependency scan results, secrets scanning results |
| AWS CloudTrail | Access logs, CloudTrail events, Config compliance reports, IAM credential reports, S3 access control reports |
| Okta | MFA enrollment status, password policy reports, privileged access logs, user provisioning/deprovisioning events |
| Slack | Security awareness training completion notifications, policy acknowledgment records |
| Jira / Linear | Ticket resolution records, change management approvals, incident response timelines |
| Snyk / Dependabot | Dependency vulnerability scan results, remediation timelines |
Evidence Freshness
Evidence has an expiry system to ensure you're always showing auditors current data. "Fresh" evidence contributes fully to your compliance score. "Stale" evidence triggers alerts and degrades the contribution of the associated control.
Default freshness thresholds
| Evidence Type | Default Threshold | Rationale |
|---|---|---|
| policy | 365 days | Policies should be reviewed annually |
| screenshot | 90 days | System configurations can change frequently |
| log | 30 days | Logs should be from the current audit period |
| certificate | 365 days | Also stale at the certificate's own expiry date, whichever is sooner |
| training_record | 365 days | Annual training required |
| system_report | 30 days | Auto-collected; should refresh monthly |
Customize thresholds at Settings → Evidence → Freshness Thresholds. Per-control overrides are also available from the control detail view.
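An added example (not Claw GRC's own code) that applies the default thresholds above, the "whichever is sooner" rule for certificates, and the 7-day warning window described under Stale evidence alerts, to constructed evidence records; the cert_expires_at field name and the choice to reject unlisted evidence types are assumptions.

```python
from datetime import datetime, timedelta

# Default thresholds from the table above (days). Types the table does not list are
# left out on purpose so an unknown type is noticed rather than silently scored.
DEFAULT_THRESHOLDS = {"policy": 365, "screenshot": 90, "log": 30,
                      "certificate": 365, "training_record": 365, "system_report": 30}
WARNING_DAYS = 7  # the warning notification goes out 7 days before expiry

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def freshness_expiry(item, thresholds=DEFAULT_THRESHOLDS):
    """Instant the item goes stale: uploaded_at + threshold, but for certificates never
    later than the certificate's own expiry (assumed field name: cert_expires_at)."""
    days = thresholds.get(item["evidence_type"])
    if days is None:
        raise ValueError(f"no freshness threshold for type {item['evidence_type']!r}")
    expiry = _ts(item["uploaded_at"]) + timedelta(days=days)
    if item["evidence_type"] == "certificate" and item.get("cert_expires_at"):
        expiry = min(expiry, _ts(item["cert_expires_at"]))
    return expiry

def freshness_state(item, now_iso, thresholds=DEFAULT_THRESHOLDS):
    """'fresh', 'warning' (inside the 7-day window) or 'stale' at the given instant."""
    now, expiry = _ts(now_iso), freshness_expiry(item, thresholds)
    if now >= expiry:
        return "stale"
    if now >= expiry - timedelta(days=WARNING_DAYS):
        return "warning"
    return "fresh"

def stale_items(items, now_iso, thresholds=DEFAULT_THRESHOLDS):
    """IDs whose control score contribution has dropped, in list order."""
    return [i["id"] for i in items if freshness_state(i, now_iso, thresholds) == "stale"]

# Constructed sample evidence records (not real data).
SAMPLE_EVIDENCE = [
    {"id": "ev_policy", "evidence_type": "policy", "uploaded_at": "2025-03-01T09:00:00Z"},
    {"id": "ev_shot", "evidence_type": "screenshot", "uploaded_at": "2026-01-01T09:00:00Z"},
    {"id": "ev_cert", "evidence_type": "certificate", "uploaded_at": "2026-01-01T09:00:00Z",
     "cert_expires_at": "2026-02-01T00:00:00Z"},  # expires well before the 365-day default
]
```

Passing a modified thresholds dict to the functions models the per-deployment or per-control overrides mentioned above.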
Stale evidence alerts
When evidence becomes stale, the assigned control owner receives an email/Slack notification. A warning notification is sent 7 days before expiry. On the day of expiry, the control score contribution drops and the control is flagged as needing attention in the dashboard.
Hash Verification
Every evidence file stored in Claw GRC is SHA-256 hashed at upload time. The hash is stored in the database alongside the evidence record. This provides two security properties:
- Integrity verification — Auditors can verify that an evidence file hasn't been tampered with since upload by comparing the stored hash against a fresh hash of the file
- Tamper detection — If an evidence file is modified after upload (at the storage layer), the hash mismatch will be detected during audit report generation and flagged as a potential integrity violation
The SHA-256 hash for each evidence item is visible in the evidence detail view under File Integrity. You can retrieve the hash via the evidence detail API:
curl https://api.clawgrc.com/api/v1/evidence/ev_01J8X3... -H "Authorization: Bearer YOUR_TOKEN"
# The response includes the sha256 hash in the evidence metadata:
# {
# "id": "ev_01J8X3...",
# "filename": "access-control-policy.pdf",
# "sha256": "a3f1d7c2...",
# "uploaded_at": "2026-03-10T09:15:00Z",
# ...
# }
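An added end-to-end example (not Claw GRC's own client code) that walks the presigned-URL flow from the Uploading Evidence section and then checks the stored SHA-256 against a fresh hash of the local file; the HTTP transport is injected, and FakeClawApi is a constructed stand-in for the API and storage bucket so the flow runs offline.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
API = "https://api.clawgrc.com/api/v1"  # base URL used in this page's curl examples

def _check(status, step):
    if status not in (200, 201):
        raise RuntimeError(f"{step} failed with HTTP {status}")

def upload_evidence(send, token, filename, content_type, evidence_type, control_ids, data):
    """Steps 1-3 of the presigned flow; send(method, url, headers, body) -> (status, bytes)."""
    auth = {"Authorization": f"Bearer {token}"}
    req = {"filename": filename, "content_type": content_type,
           "evidence_type": evidence_type, "control_ids": control_ids}
    status, body = send("POST", f"{API}/evidence/upload-url",
                        {**auth, "Content-Type": "application/json"}, json.dumps(req).encode())
    _check(status, "upload-url request")
    grant = json.loads(body)
    # Presigned URLs expire 15 minutes after issue; never PUT against a dead URL.
    expires = datetime.fromisoformat(grant["expires_at"].replace("Z", "+00:00"))
    if datetime.now(timezone.utc) >= expires:
        raise RuntimeError("presigned URL expired; request a new one (evidence_id is reserved)")
    status, _ = send("PUT", grant["upload_url"], {"Content-Type": content_type}, data)
    _check(status, "storage PUT")
    status, _ = send("POST", f"{API}/evidence/{grant['evidence_id']}/confirm", auth, None)
    _check(status, "confirm")
    return grant["evidence_id"]

def verify_evidence_hash(send, token, evidence_id, data):
    """Compare the sha256 from the evidence detail API with a fresh hash of the local copy."""
    status, body = send("GET", f"{API}/evidence/{evidence_id}",
                        {"Authorization": f"Bearer {token}"}, None)
    _check(status, "evidence detail request")
    return hmac.compare_digest(json.loads(body)["sha256"], hashlib.sha256(data).hexdigest())

class FakeClawApi:
    """Constructed offline stand-in for the API and storage bucket (not the real service)."""
    def __init__(self):
        self.files = {}
    def __call__(self, method, url, headers, body):
        if url.endswith("/evidence/upload-url"):
            exp = (datetime.now(timezone.utc) + timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ")
            return 200, json.dumps({"upload_url": "https://storage.example/claw-evidence/ev_FAKE",
                                    "evidence_id": "ev_FAKE", "expires_at": exp}).encode()
        if method == "PUT":
            self.files["ev_FAKE"] = body  # the storage layer keeps the raw bytes
            return 200, b""
        if url.endswith("/confirm"):
            return 200, b"{}"
        stored = hashlib.sha256(self.files["ev_FAKE"]).hexdigest()
        return 200, json.dumps({"id": "ev_FAKE", "sha256": stored}).encode()
```

Record the hash of the file you uploaded in your own change log as well, so that a later comparison does not rest solely on the value the API hands back.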