Skip to main content
Evidence is the proof that your controls are implemented and operating effectively. Auditors do not take your word for it — they want screenshots, logs, configuration exports, and reports. Regentra streamlines evidence collection with both automated and manual workflows.

Automated Evidence via Integrations

When you connect a cloud or identity integration, Regentra pulls evidence automatically and attaches it to the relevant controls.
  • MFA enrollment status for all users
  • Conditional access policy configurations
  • Privileged role assignments (standing and PIM-eligible)
  • Sign-in and directory audit logs
  • Device compliance and security defaults
Level.io is integrated for PSA-side asset and ticket sync, not compliance evidence collection. Connecting Level.io populates your Configurations module — it does not currently feed automated evidence to compliance controls.
Automated evidence is refreshed on a schedule. Regentra pulls fresh data from connected integrations so your evidence stays current without manual effort.

Manual Evidence Upload

Not everything can be automated. For controls that require human-generated evidence, you can upload files or add links directly.
1

Open the control

Navigate to the control that needs evidence and open its detail page.
2

Go to the Evidence section

Scroll to the Evidence tab on the control detail page.
3

Upload or link

Click Add Evidence and choose:
  • Upload file — PDFs, screenshots, spreadsheets, configuration exports, or any relevant document
  • Add link — URL to an external dashboard, monitoring tool, or shared document
4

Add context

Provide a description of what the evidence demonstrates and how it relates to the control.
Common types of manual evidence:
  • Signed policy acknowledgment records
  • Meeting minutes from security reviews
  • Vendor assessment questionnaires
  • Physical security photos
  • Training completion certificates

Evidence Attached to Controls

Every piece of evidence in Regentra is attached to one or more controls. This creates a direct audit trail: Framework requirement → Control → Evidence When an auditor asks “How do you satisfy HIPAA § 164.312(a)(1)?”, you can show them the control, its implementation notes, and every piece of evidence supporting it — all in one place. Because controls map across frameworks through the CCF, evidence attached to a shared control counts toward every mapped framework. Upload once, satisfy many.

Monitoring Signals and Compliance Status

Some evidence is not a static document but a live signal — an ongoing check that something is still true. Regentra’s monitoring signals track:
  • MFA enforcement — is MFA still enabled for all users?
  • Encryption status — are storage resources still encrypted?
  • Logging configuration — are audit logs still being captured?
  • Patch compliance — are devices still up to date?
When a monitoring signal detects a change (e.g., MFA was disabled for a user), the associated control’s status is flagged for review.
A control marked as Implemented can be automatically flagged as Needs Review if a monitoring signal detects drift. This ensures your compliance posture reflects reality, not just a point-in-time snapshot.

Evidence Expiration and Refresh Cycles

Evidence does not last forever. Auditors expect to see current proof, not year-old screenshots. Regentra manages evidence freshness through:
  • Expiration dates — set an expiration on any piece of evidence. When it expires, the associated control is flagged for review.
  • Automated refresh — evidence from connected integrations is refreshed on a configurable schedule (daily, weekly, or monthly).
  • Review reminders — the dashboard highlights controls with stale or expired evidence so your team knows where to focus.
Set evidence refresh cycles to match your audit cadence. If you undergo annual SOC 2 audits, ensure all evidence has been refreshed within the audit period. For HIPAA, keep evidence current year-round since OCR investigations can happen at any time.