Evidence packs
An evidence pack is the portable, verifiable export of a KPI's audit record for one evaluation period. It can be shared with an auditor, submitted as a compliance artefact, or archived independently of QAudit — it contains everything needed to verify the KPI result without relying on the live system.
Scope of a pack
Each evidence pack covers exactly one combination of:
- Tenant — the data partition the KPI belongs to.
- KPI — the specific metric being evidenced.
- Period — the closed evaluation period (e.g. "May 2025").
There is no multi-KPI or multi-period evidence pack. For three KPIs across two periods, six packs are produced.
When packs are produced
Packs are produced automatically when a period closes and the KPI's final value is locked. Pack production is not manually requested; it happens as part of the period-close process.
There is no on-demand pack production. Downloads from the dashboard always serve a pre-produced pack. If a pack is not yet available for a period, the download button is not shown. Packs for open (Running) periods do not exist.
What a pack contains
Each pack is a structured archive containing:
| File | Contents |
|---|---|
| kpi-summary.json | The final KPI value, period boundaries, tenant and organisation identifiers. |
| events/ | The canonical payload of every event that contributed to the KPI computation for that period. Each event file also includes the signature and chain-link hash. |
| integrity-manifest.json | Hashes of all files in the pack, signed by the platform. Used to verify that the pack archive has not been tampered with. |
| chain-of-custody.json | A log of every QAudit action related to this pack: when it was produced, when it was downloaded, by whom. Each entry is itself a signed platform event. |
| reproducibility.md | A human-readable description of the KPI formula and data sources so that a reader can re-derive the KPI value from the source events without any QAudit tooling. |
The pack is self-contained: the reproducibility document explains how to verify the result using only the events files, standard cryptographic tools, and the organisation's public key.
Integrity tiers
QAudit's evidence packs support three integrity tiers. The tier is configured per organisation and determines the level of external attestation attached to the pack's timestamp:
| Tier | Attestation | Notes |
|---|---|---|
| T1 | Platform-internal CA | Default. No external cost or infrastructure dependency. Pack timestamp verified by Serensia's internal certificate authority. |
| T2 | eIDAS-qualified RFC 3161 timestamp | The pack receives an external, legally recognised timestamp from a qualified Trust Service Provider (TSP). |
| T3 | T2 + Qualified Electronic Signature (QES) | In addition to the qualified timestamp, the pack summary document is signed with a QES. Highest level of formal recognition. |
T1 is the default and is active for all organisations. T2 and T3 are configurable and may carry an additional fee depending on the contract.
Tier is a per-organisation setting; it applies uniformly to all packs produced for all tenants under that organisation.
Individual event signatures prove that an event's content is unaltered, and the chain proves ordering — but neither provides an externally verifiable proof of when the event was received. That temporal proof is what T2/T3 adds: the qualified RFC 3161 timestamp on the pack is issued by an independent Trust Service Provider and proves that the pack — and therefore all the events it contains — existed no later than that timestamp. T1 packs rely on Serensia's internal clock and CA; T2/T3 packs carry attestation that no third party can dispute.
Using a pack for verification
A recipient with access to the organisation's public key (distributed at onboarding and available in the dashboard) can verify the pack independently:
- Verify the integrity-manifest.json signature to confirm the archive has not been altered.
- For each event in events/, re-compute the signed bytes and verify the Ed25519 signature.
- Re-compute the KPI value from the event payloads using the formula in reproducibility.md.
- Confirm the final value in kpi-summary.json matches the re-computed value.
All four steps use only standard tools (a JSON parser, SHA-256, and an Ed25519 verifier). No QAudit software is required.
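The four steps above as an added Go example, not QAudit's own code: it checks the manifest signature and file hashes, each event's Ed25519 signature, re-derives the KPI and compares it with the locked value in kpi-summary.json. The pack's file formats, the events/NNN.json naming and the KPI formula (mean of a "duration_ms" field) are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math"
)

// Assumed pack layout (the page gives no file formats): an events/ file is its
// canonical payload plus the Ed25519 signature over exactly those bytes; the
// manifest maps file name to hex SHA-256 and is signed over its canonical JSON.
type Event struct{ Payload, Sig []byte } // chain-link hash omitted in this example
type Pack struct {
	Summary     []byte            // kpi-summary.json, e.g. {"value":125}
	Events      []Event           // events/000.json, events/001.json, ...
	Manifest    map[string]string // integrity-manifest.json
	ManifestSig []byte            // platform signature over the manifest
}
func sha(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// VerifyPack runs the four steps with only the organisation's public key. The
// KPI formula (assumed here) is the mean of the events' "duration_ms" field.
func VerifyPack(p Pack, pub ed25519.PublicKey) error {
	mb, _ := json.Marshal(p.Manifest) // step 1: manifest signature, then file hashes
	if !ed25519.Verify(pub, mb, p.ManifestSig) || p.Manifest["kpi-summary.json"] != sha(p.Summary) {
		return fmt.Errorf("integrity-manifest.json: bad signature or summary hash")
	}
	var total float64
	for i, ev := range p.Events {
		name := fmt.Sprintf("events/%03d.json", i)
		if p.Manifest[name] != sha(ev.Payload) || !ed25519.Verify(pub, ev.Payload, ev.Sig) {
			return fmt.Errorf("%s: hash or Ed25519 signature mismatch", name) // step 2
		}
		var body struct{ D float64 `json:"duration_ms"` } // step 3: re-derive the KPI
		if err := json.Unmarshal(ev.Payload, &body); err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		total += body.D
	}
	var s struct{ Value float64 `json:"value"` } // step 4: compare with the locked value
	if err := json.Unmarshal(p.Summary, &s); err != nil || len(p.Events) == 0 {
		return fmt.Errorf("kpi-summary.json unreadable or no events: %v", err)
	}
	if got := total / float64(len(p.Events)); math.Abs(got-s.Value) > 1e-9 {
		return fmt.Errorf("KPI mismatch: summary %v, recomputed %v", s.Value, got)
	}
	return nil
}
```

A tampered event payload, a substituted summary value, an empty events/ directory or a different organisation key each make VerifyPack return an error instead of nil.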
Long-term availability
Evidence packs are subject to the same 10-year retention requirement as the underlying events. A pack produced today will be downloadable from the dashboard for at least 10 years. In the event that the QAudit platform is decommissioned before that period ends, packs are migrated to ensure the retention obligation survives. See Data sovereignty.