⚠️ Select your experience
The steps depend on your interface version. Follow the instructions below for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
The Evidence page is a centralized workspace for managing all evidence used to support your controls. It helps you streamline evidence collection, maintain version history, and ensure control readiness across audits.
Evidence can be mapped to one or more controls, updated over time, and reused across frameworks. Keeping evidence current and correctly mapped reduces audit gaps and improves overall readiness.
Note: Pre-mapped evidence is available only to SOC 2 or ISO 27001:2022 customers who joined Drata after August 27, 2024.
Access the Evidence page
Go to Compliance > Evidence. This page shows all evidence in your workspace.
From here, you can:
Select an evidence item to view details or add an artifact
Select multiple evidence items to take bulk actions, including:
Delete evidence
Assign or update an evidence owner
Sync evidence to the SafeBase Trust Library (if enabled)
Use this page as your starting point when investigating why a control is not ready or preparing for an audit.
Evidence Status and Readiness Impact
Each evidence item has a status that indicates whether it needs attention and how it affects control readiness.
Needs artifact — The evidence does not have an artifact. Can negatively impact control readiness. Recommended action: Upload an artifact.
Needs renewal — The evidence has an artifact, but the renewal date has passed. Can negatively impact control readiness. Recommended action: Update the artifact.
Upcoming renewal — The evidence has an artifact, and the renewal date is within the next two months. Can positively impact control readiness. Recommended action: Plan to update soon.
Ready — The evidence has a current artifact, or valid test evidence exists. Can positively impact control readiness. No immediate action needed.
Error — The associated test is in an error state. Does not impact control readiness. Recommended action: Review the related test.
Evidence Sources
Each evidence item has a source that indicates how the artifact is provided.
File: Upload a file from your computer or cloud storage. Maximum size: 50 MB per file. Zipped files are automatically unzipped and validated.
URL: Use a link for web-based or sensitive evidence.
Ticket: Link evidence from a connected ticketing system.
Test: Test evidence is automatically generated from monitoring tests and appears with the source labeled Test.
Evidence owner on artifact templates
Each artifact (evidence item) in Drata's Evidence Library has its own Evidence Owner field. This is separate from the control owner field on the mapped DCF control. This separation is intentional because the person responsible for collecting and maintaining evidence may be different from the person who owns the control.
How evidence owner differs from control owner
In practice:
The control owner is assigned at the DCF/control level and is responsible for the control overall.
The evidence owner is assigned at the artifact level and is responsible for uploading and maintaining that specific piece of evidence.
These owners can, and often do, belong to different people, especially in larger or decentralized organizations.
Evidence owner on artifact templates
Artifact templates in the Evidence Library include an Evidence Owner field. This field is distinct from the control owner and designates who is specifically responsible for evidence collection and maintenance for that artifact.
This separation helps teams:
Align control ownership with overall accountability for the control.
Assign evidence collection and maintenance to the right individual or team member.
Support decentralized compliance processes where contributors manage only the evidence they own.
Instructions for the Classic Experience ⬇️
Drata's Evidence Library serves as a repository for all the evidence you need to collect across your controls.
Overview
The Evidence Library page is preloaded with evidence mapped to your controls. These pieces of evidence are commonly requested by auditors and help you prepare for an audit while maintaining compliance. If any evidence does not apply to your organization, you can delete it (individually or in bulk) or remove the mapping from the associated control.
Ensure that all evidence uploaded to the library is valid, up-to-date, and aligns with the control requirements. Valid evidence improves control readiness and reduces the risk of gaps during audits.
Note: Pre-mapped evidence is available only to customers with SOC 2 or ISO 27001:2022 who joined Drata after August 27, 2024.
Evidence Type: Manual evidence
Manual evidence is evidence created by a user. Users can create evidence and attach a file, URL, or ticket as artifacts.
When you select a manual evidence item, you are redirected to a page whose Details tab contains sections such as Overview, Linked controls, and Current artifact.
Overview section
The Overview section allows you to add a name, description, implementation guidance, and owner for the evidence. This information ensures proper collaboration and tracking.
Linked controls section
This section allows you to specify which controls apply to the evidence. Since there is a many-to-many relationship between evidence and controls, a single piece of evidence can apply to multiple controls.
Current artifact section
The Current Artifact section fulfills the evidence requirement. After creating evidence, you can upload an artifact or specify the creation and renewal dates.
Artifact sources include:
No Artifact: Select this if you plan to fulfill the evidence requirement later.
File: Upload a file from your computer or cloud storage (maximum file size: 50 MB per file). If you're uploading a zipped file, it will be unzipped and verified to confirm that each file does not exceed the 50 MB limit.
URL: Use a link if the evidence is a URL-based resource or contains sensitive information.
Ticketing Provider: Select this option if the evidence is associated with a connected ticketing system.
Evidence Type: Test Evidence
When a monitoring test runs, Drata generates a test evidence PDF. This file lists failed resources along with any exclusions for that test. This PDF is the evidence that goes to the auditors.
Test evidence appears in the Evidence Library and the source is labeled as Test. These items are automatically created and cannot be modified, except for the evidence owner. To update test details or control mappings, you must go to the Monitoring or Controls pages.
Evidence Status and Control Readiness
These are the statuses for evidence and how each applies to control readiness:
Status | Status definition | Control readiness impact |
No Artifact | Manual evidence does not have an artifact. | Can negatively impact control readiness. |
Ready | Manual evidence contains an artifact and the renewal date has not passed, or test evidence for a failing or a passing test exists. | Can positively impact control readiness. |
Upcoming renewal | Manual evidence contains an artifact and the renewal date is within the next 2 months. | Can positively impact control readiness. |
Past Renewal | Manual evidence contains an artifact but the renewal date has passed. | Can negatively impact control readiness. |
Test disabled | The test corresponding to this test evidence is currently disabled. | Test evidence does not impact control readiness. Only the corresponding test result does. |
Test error | The test corresponding to this test evidence is currently in an error state. | Test evidence does not impact control readiness. Only the corresponding test result does. |
Test unused | The test corresponding to this test evidence is currently in the unused state. | Test evidence does not impact control readiness. Only the corresponding test result does. |
Evidence Versions
When you update manual evidence, previous versions appear in the Past artifacts tab, preserving historical records.
Key Notes on Evidence Versions
Past artifacts remain accessible for reference.
Only the current version affects control readiness.
Previous versions cannot be restored as the current version.
You can delete old versions, but the current artifact cannot be deleted. When managing outdated artifacts, consider unlinking them from controls rather than deleting to maintain historical accuracy and audit references.
For test evidence, the evidence from past test runs is shown in the Past evidences tab.
Add a manual evidence
Best practices include ensuring the uploaded evidence is highly relevant and valid for the associated controls. Avoid using outdated or incorrect artifacts as they may negatively affect control readiness.
You can upload evidence directly from a cloud provider.
Supported File Types:
Direct Upload:
.pdf, .docx, .odt, .xlsx, .ods, .pptx, .odp, .gif, .jpeg, .jpg, .png, .md, .zip, .txt, .csv, .json, .msg, .mp4, .log, .html
Cloud Storage:
.pdf, .docx, .odt, .xlsx, .ods, .pptx, .odp, .gif, .jpeg, .jpg, .png, .msg, .mp4, .log, .html
Supported Cloud Providers: Google Drive, Microsoft OneDrive, SharePoint, Okta Box, Dropbox
File Size Limits: Individual Files: 50 MB · Zipped Files: 100 MB (unzipped, each file must be under 50 MB)
Steps to Add Evidence in Evidence Library:
Navigate to the Evidence Library page.
Select Add Evidence.
Enter a Name, Description, Owner, and Artifact. The Artifact section is where you can add a URL, upload a file, or indicate that this item does not need an artifact.
To upload a file, under the Artifact section select File from the Source dropdown options.
Select Attach file.
Upload directly from your machine or from a preferred cloud file provider. If you selected Google as your cloud provider, allow Drata to access your Google Drive labels.
For cloud providers: browse your files directly from Drata using the search icon.
Once you've uploaded a file, enter the Creation date and Renewal date.
Optionally, link the evidence to controls by selecting Link control. Search and select the controls you want to link.
Once you select Save, the evidence will be created and linked to the respective controls in Drata.
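A local pre-upload check for the file limits listed above, as an added example that is not Drata's code and does not reproduce Drata's server-side validation. It assumes decimal megabytes and applies the extension list only to the uploaded file itself, since the page does not say how archive members are type-checked; the function names and sample file names are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

MB = 1_000_000          # assumption: decimal megabytes, the stricter reading
MAX_FILE = 50 * MB      # per-file limit from this page
MAX_ZIP = 100 * MB      # zipped-file limit from this page
# Direct-upload extensions listed on this page.
DIRECT_UPLOAD = set(
    ".pdf .docx .odt .xlsx .ods .pptx .odp .gif .jpeg .jpg .png .md .zip "
    ".txt .csv .json .msg .mp4 .log .html".split()
)


def check_artifact(name, data):
    """Return a list of problems; an empty list means the file fits the limits."""
    ext = PurePosixPath(name).suffix.lower()
    if ext not in DIRECT_UPLOAD:
        return [f"{name}: extension {ext or '(none)'} is not on the direct-upload list"]
    if ext != ".zip":
        return [f"{name}: larger than 50 MB"] if len(data) > MAX_FILE else []
    problems = []
    if len(data) > MAX_ZIP:
        problems.append(f"{name}: archive larger than 100 MB")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # file_size is the uncompressed size recorded in the archive.
                if not info.is_dir() and info.file_size > MAX_FILE:
                    problems.append(f"{name}: member {info.filename} unzips to more than 50 MB")
    except zipfile.BadZipFile:
        problems.append(f"{name}: not a readable zip archive")
    return problems


def demo():
    """Constructed sample: a small zip whose one member expands past the limit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("policy.pdf", b"%PDF-1.7 constructed sample")
        zf.writestr("export.log", b"\0" * (MAX_FILE + 1))
    return check_artifact("q3-evidence.zip", buf.getvalue())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sample archive is well under 100 MB on disk yet still fails, because the limit applies to each member after unzipping.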
View or update evidence
The Evidence Library page shows a table of evidence. If an evidence status needs attention, such as upcoming renewal or past renewal, the banner at the top guides you to the next steps.
You can use filters to sort by status, source, owner, or framework. You can also search for evidence by name or linked controls.
Select the manual evidence or select Update to modify manual evidence.
Artifact
Under the Artifact section, if you have updated your evidence with a new artifact, the previous artifacts are shown in the Past artifacts tab. Select View file to view the artifact or Update dates to update the creation or the renewal dates.
Bulk assign evidence owners
Users can also bulk reassign evidence owners by selecting one or more test or manual evidence items and selecting Assign evidence owner.
Test evidence details like overview or linked controls cannot be updated. The only editable attribute is the evidence owner. To update overview or linked controls, please update the corresponding tests from the Monitoring or the Controls page.
Delete manual evidence
⚠️ Warning: Deleting manual evidence is a permanent action. The evidence will be removed and deleted from all linked controls.
Delete multiple manual evidence items:
Navigate to the Evidence Library page.
Select one or more evidence items.
Select Delete evidence.
Delete specific evidence:
Navigate to the Evidence Library page.
Click on the evidence you want to delete.
On the evidence details page, click on the 3 dots at the top and click the Delete option.
Test evidence cannot be deleted. If users do not want a test to generate evidence, they can disable the test.

