Evidence is the documentation that backs up your answers — policies, screenshots, reports, signed agreements. Auditors expect to see it, so attach it as you go.
Upload files directly on a question, finding, or remediation task, or from the Evidence library. Accepted types include PDF, Office documents, images, text, CSV, and ZIP.
Evidence can carry a review date and an expiry date. The library flags items that are Review due, Expired, or Review soon, and a scheduled reminder notifies the uploader (or an admin) ~30 days before either date — so a 13-month-old SOC 2 report doesn't quietly go stale.
When an item is Expired or Review due, a one-click Refresh button appears next to it. Refresh opens the upload form already pointed at that evidence: you just pick the new file, and on upload it inherits the old item's links and review/expiry schedule, bumps the version, and marks the old row superseded — so the freshness panel clears, the attachment stays in place, and the full history is preserved rather than lost.
In the evidence library, Summarize asks Sherpa to read a file and describe what it is — and to suggest which assessment questions it supports. Each suggestion appears as a one-click link button: confirm it and the file is attached to that question's answer in your most recent open assessment. You always confirm each link; nothing is attached automatically. Document contents are treated as untrusted data and no patient data is used to train the model.