Documents
Documents in ConcertoGRC are managed within the modules they support rather than in a standalone document library. Files are stored in AWS S3 with presigned URLs for secure access, and each module provides contextual document management tailored to its workflow.
Where Documents Live
| Module | Document Types | Management Location |
|---|---|---|
| Evidence Library | Screenshots, reports, logs, configurations, attestations, policy documents | Evidence tab in the detail sidecar |
| Policies | Policy and procedure documents with formal approval workflows | Document tab in the policy sidecar |
| Vendor Management | Contracts, SOC 2 reports, ISO certificates, BAAs, insurance certificates | Attachments tab in the vendor sidecar |
| Trust Center | Gated compliance documents (SOC 2, pentest summaries, ISO certs) | Documents section in Trust Center settings |
| Incident Response | Incident evidence, forensic screenshots, communications | Evidence tab in the incident workspace |
| Assessments | Audit artifacts, evidence submissions, finding documentation | Evidence tab in the assessment workspace |
Evidence Files
Evidence files are the most common document type. They attach to Evidence Requests and track the artifacts that demonstrate compliance.
Supported Formats
PDF, DOCX, DOC, TXT, JSON, PNG, JPEG, CSV, XLSX — up to 25 MB per file.
Evidence Types
| Type | Description |
|---|---|
| Screenshot | Screen captures of configurations or settings |
| Report | Generated or third-party reports |
| Log | System or application logs |
| Configuration | Configuration files or exports |
| Policy Document | Policy or procedure documents |
| Attestation | Signed attestations or declarations |
| Other | Any other supporting document |
Uploading Evidence
- Open an Evidence Request from the Evidence Library
- Navigate to the Evidence tab
- Upload files — each upload resets the evidence expiration clock
- Files are stored in S3 with access controlled by tenant isolation
Evidence files can also be uploaded automatically through integrations (AWS, identity providers) and collection cycles.
Policy Documents
Policies have a formal document lifecycle with version tracking:
- Draft — Document is being authored or revised
- In Review — Document is submitted for approval
- Approved — Document is finalized and active
- Archived — Previous version retained for audit history
See Policies for the full approval workflow.
Trust Center Documents
Gated documents are published on your Trust Center, where external visitors can request access to them. Each document can require NDA acceptance before download, with configurable access expiry and download limits.
See Trust Center for document access controls.
Cross-Module Linking
Documents attached in one module can be referenced from others. Evidence files uploaded to an Evidence Request are visible from any Framework Control or Recurring Activity that maps to that evidence request, creating a single source of truth across your compliance program.