Article 12: Evidence, Attestation & Audit Certificates
Evidence
What evidence is for
Evidence files are supporting documentation that reviewers can attach to a review to justify their decisions. Common examples: access logs exported from the application, usage reports, approval emails for access grants, screenshots of account configuration.
Evidence gives auditors something concrete to examine beyond the decision itself.
How to upload evidence
Evidence is uploaded at the review level — one set of files covers all the accounts in your assigned account set. To upload:
Open your assigned review in the employee portal
Find the Evidence section in the review view
Drag and drop files, or click to browse
Supported file types: PDF, PNG, JPG, CSV, XLSX (Excel). Files are uploaded securely and stored against the review record.
Who can see evidence
Evidence files are visible to:
The reviewer who uploaded them (and any other reviewers assigned to the same review)
Admins who can view the review
Anyone with access to the generated compliance certificate
Evidence files uploaded as images (PNG, JPG) are embedded directly in the PDF compliance certificate. Other file types (PDF, CSV, XLSX) are referenced in the certificate record but are accessed via a secure download link rather than embedded.
Attestation
What attestation is
Attestation is the formal sign-off step that converts a completed review into a compliance record. When an admin approves a set of account decisions, Ploy creates an attestation entry capturing:
| Field | What is captured |
|---|---|
| Approver name | The full name of the admin who approved |
| Approver email | Their email address |
| Timestamp | Exact date and time of approval (ISO 8601) |
| IP address | The network address from which the approval was made |
This information is tied to the specific review and preserved permanently. It cannot be altered after the fact.
Why IP address is captured
IP address capture is a standard audit practice — it allows an investigator to confirm not just who approved but from where, which matters in the event of a disputed approval or a security incident. It's the same reason banks record IP addresses on financial transactions.
Compliance certificates
What a certificate is
When a review is fully approved, Ploy generates a compliance certificate as a PDF document. The certificate is a self-contained, tamper-evident record of the complete review — designed to be handed to an auditor or stored in your evidence management system.
What a certificate contains
Campaign and cycle metadata (name, frequency, review period dates)
A complete record of every account reviewed, including:
Employee name, email, department, job title (as they were at review time)
Application, access level, and entitlement details
The decision made and any notes
The reviewer's identity and the timestamp of their decision
Any image evidence uploaded by reviewers
The attestation block: approver name, email, timestamp, and IP address
Outcome summary counts (how many accounts approved, revoked, adjusted, etc.)
Tamper verification
Every certificate includes a SHA-256 cryptographic hash of its contents, stored separately in Ploy. This hash is calculated at the time the certificate is generated and cannot be changed.
If you ever need to confirm a certificate is genuine and unaltered, Ploy can verify the document against the stored hash.
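The following is an added illustration of the verification model described above, not Ploy's own code: it stands in a canonical JSON document for the PDF, stores the SHA-256 fingerprint separately from the document, and shows that any later change to the contents (here a constructed attestation block and a flipped decision) fails verification. All names and values are made up for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample attestation block (made-up values, not real Ploy data).
# The IP is from the RFC 5737 documentation range.
ATTESTATION = {
    "approver_name": "Example Approver",
    "approver_email": "approver@example.com",
    "timestamp": datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc).isoformat(),
    "ip_address": "198.51.100.7",
}


def certificate_bytes(attestation: dict, decisions: list) -> bytes:
    """Stand-in for the generated PDF: a canonical JSON serialisation (sorted
    keys, fixed separators) so the same contents always yield the same bytes."""
    doc = {"attestation": attestation, "decisions": decisions}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(certificate: bytes) -> str:
    """SHA-256 of the exact bytes handed out; this is the value to keep in a
    separate record store, never inside the document it protects."""
    return hashlib.sha256(certificate).hexdigest()


def verify(certificate: bytes, stored_hash: str) -> bool:
    """Recompute the hash of the presented document and compare it with the
    stored one. compare_digest gives a constant-time comparison."""
    return hmac.compare_digest(fingerprint(certificate), stored_hash.lower())


def demo() -> tuple:
    """Generate a certificate, store its hash, then alter one decision after
    the fact. Returns (original verifies, tampered verifies)."""
    decisions = [{"account": "jdoe@example.com", "app": "Example CRM",
                  "decision": "approved"}]
    original = certificate_bytes(ATTESTATION, decisions)
    stored = fingerprint(original)          # held separately, as the article describes
    decisions[0]["decision"] = "revoked"    # post-approval edit to the record
    tampered = certificate_bytes(ATTESTATION, decisions)
    return verify(original, stored), verify(tampered, stored)  # (True, False)


if __name__ == "__main__":
    print(demo())
```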
Accessing certificates
Certificates are available from the cycle detail view in the admin dashboard once a review is complete. Each approved review generates its own certificate — a cycle with twelve reviews produces twelve certificates.