Get Started with Evidence Vault

Two paths: use the dashboard (no code), or integrate via SDK/API. Both use the same cryptographic engine.

Why Manual Upload Is a Strength, Not a Limitation

Automated connectors pull data on their own schedule and transform it behind the scenes. You lose visibility into what was collected and when. Manual upload puts you in complete control of your evidence chain — you decide exactly which artifacts enter the vault, you choose the evidence type and control tags, and you see the KMS-signed receipt the moment each artifact is committed.

Full provenance

You know exactly which file, from which system, at which point in time.

No credential sharing

No OAuth tokens or IAM roles granted to a third party.

Works with any source

Any PDF, screenshot, JSON, CSV, or scan report from any tool you already use.

Assessor-friendly

C3PAOs and auditors see artifacts you deliberately submitted — not opaque sync dumps.

Dashboard Setup

1 Create Your Account

Go to app.prolixotech.com/sign-up. Enter your work email and create a password, or sign in with Google SSO. You will receive a verification email — click the link to activate your account.

No credit card is required. Every new account starts on the Starter plan (1,000 events/month, 7-day active access, 1 workspace). You can upgrade to Pro or Enterprise at any time from the billing page.

2 Complete Onboarding

After verifying your email and signing in for the first time, you will land on the onboarding screen. Fill in:

  • Company name — your organization's legal or doing-business-as name
  • Compliance frameworks — select CMMC, AI Governance, or both

This creates your first workspace and assigns it a unique tenant_id. The workspace is your evidence container — all artifacts, signed receipts, Merkle chain entries, and exports are scoped to it.

3 Understand Your Workspace

Once onboarding is complete you land on the Dashboard. Here's what you see:

  • Evidence tab — all uploaded artifacts and logged events in one timeline
  • Exports tab — generate SSP, POA&M, or evidence index packages
  • Verify tab — look up any event by ID and confirm its KMS signature and Merkle chain status
  • SPRS Score tab — (CMMC module) live calculation of your self-assessment score based on uploaded evidence
  • Settings — workspace name, API keys, billing, and account management

4 Get Your API Key

Navigate to Settings > API Keys and click "Generate New Key." Your key will be displayed once — copy it immediately and store it securely (e.g., a password manager).

You need this key in two scenarios:

  1. If you later switch to the SDK/API path to automate evidence logging
  2. To test verification endpoints directly via cURL or Postman

The key is sent as an X-Api-Key header on every API call to api.prolixotech.com.

5 Upload Your First Artifact

Click "Upload Evidence" in the Evidence tab. You'll see a drag-and-drop area. Drop a file or click to browse. Supported file types:

PDF, PNG, JPG, JSON, CSV, TXT, DOCX — max 100 MB per file.

Before uploading, select the evidence type that best describes the artifact:

  • policy_document
  • procedure_document
  • access_review
  • audit_log
  • vulnerability_scan
  • penetration_test
  • configuration_report
  • screenshot
  • training_record
  • incident_report
  • risk_assessment
  • model_card (AI Gov)
  • bias_assessment (AI Gov)
  • human_oversight_plan (AI Gov)

The evidence type determines which controls the system auto-maps. For example, selecting policy_document auto-maps to AC-1, SC-1, PL-1 (CMMC) and Article 9, Article 11 (EU AI Act). You can also add an explicit control tag to override or supplement the auto-mapping.

6 Finalize & Receive Your Receipt

After upload, click "Finalize." This triggers the cryptographic pipeline:

  1. SHA-256 hash is computed over the file content, producing a unique 32-byte digest
  2. KMS signing — the digest is sent to AWS KMS, which signs it with an ECDSA P-256 key inside a hardware security module. The signing key never leaves the HSM.
  3. Control mapping — the artifact is matched to applicable NIST 800-171 / EU AI Act / NIST AI RMF / Colorado AI Act controls based on its evidence type
  4. Ledger write — an immutable record (event ID, hash, signature, timestamp, control mappings) is written to the evidence ledger
  5. Merkle chain — a daily scheduled job collects all new ledger entries and builds a Merkle tree. Your artifact's hash becomes a leaf node, and the tree root is published as a daily attestation.

You'll see the signed receipt appear in the Evidence tab immediately. The merkle_linked field will show false until the next daily attestation runs, then it updates to true with the chain position.

7 Verify Any Artifact

Go to the Verify tab and enter an event ID, or click the verification link on any artifact in the Evidence tab. The system checks three things:

  • KMS signature — re-verifies the ECDSA signature against the stored hash using the public key. Confirms the artifact content has not changed since signing.
  • Merkle chain position — confirms the artifact's hash is a valid leaf in its daily Merkle tree and traces back to the published root.
  • Shard integrity — validates the chain of daily roots is unbroken.

Every artifact also has a public verification URL (api.prolixotech.com/public/verify/{event_id}) that anyone can open — no login, no API key. This is the link your C3PAO assessor or auditor will use.

8 Upload More Evidence (Build Your Trail)

A single artifact isn't a compliance program. For CMMC Level 2, you need evidence across 14 control families and 110 controls. Here's a practical checklist of what to upload:

  • Access control policy (AC-1)
  • User account list / access review (AC-2, AC-6)
  • Security awareness training completion records (AT-2)
  • Audit log exports from your SIEM or cloud console (AU-2, AU-3)
  • Baseline configuration screenshots (CM-2, CM-6)
  • Incident response plan and reports (IR-1, IR-4, IR-6)
  • Vulnerability scan results (RA-5)
  • Penetration test reports (CA-8)
  • Risk assessment documentation (RA-1, RA-3)
  • System security plan (PL-1, SC-1)

For AI Governance, upload model cards, bias assessments, human oversight plans, risk assessments, and training records. Each gets the same KMS-signed receipt and maps to the appropriate EU AI Act articles, NIST AI RMF functions, and Colorado AI Act provisions.

9 Export Your Evidence Package

Go to the Exports tab and choose an export type:

  • Evidence Index — a JSON file listing every artifact grouped by control family. Each entry includes the artifact name, SHA-256 hash, KMS signature status, control mappings, and a public verification URL. This is the primary deliverable you hand to an assessor.
  • SSP (System Security Plan) — a control-by-control narrative with links to supporting evidence. Gaps where no evidence exists are clearly marked.
  • POA&M (Plan of Action & Milestones) — automatically identifies controls with missing or insufficient evidence and formats them as remediation action items with target dates.

Every artifact in the export contains a verify_url and a verify_ui_url. The first is the raw API endpoint; the second is a human-readable verification page. Your assessor clicks either link, sees the signature status and Merkle chain proof, and can confirm the artifact's integrity without ever logging into your account.

10 Hand Off to Your Assessor

Send the exported evidence package to your C3PAO (CMMC), auditor (AI governance), or contracting officer. They receive a self-contained bundle where every artifact is independently verifiable via its public URL. No VPN, no shared credentials, no trust assumptions — the cryptographic proof speaks for itself.

Continue uploading new evidence as your controls evolve. Each new artifact gets its own signed receipt and joins the next daily Merkle chain, building a continuous, tamper-evident compliance timeline.

SDK & API Integration

1 Create Account, Workspace & API Key

Follow Dashboard steps 1–4 above: sign up at app.prolixotech.com/sign-up, complete onboarding, and generate an API key from Settings > API Keys. You need two values for the SDK:

  • Workspace ID (tenant_id) — found in Settings > Workspace
  • API Key — generated from Settings > API Keys

2 Install the Python SDK

The SDK wraps the REST API and handles presigned uploads, hashing, and receipt parsing for you.

# Requires Python 3.8+
pip install prolixotech

No Python? Use the REST API directly from any language — see step 5 for cURL examples. Node.js, Go, and Java SDKs are on our roadmap.

3 Initialize the Client

from prolixotech import EvidenceVault

vault = EvidenceVault(
    tenant_id="your-workspace-id",  # from Settings > Workspace
    api_key="your-api-key"          # from Settings > API Keys
)

The client points to api.prolixotech.com by default. All calls are HTTPS with TLS 1.2+.

4 Log Evidence (SDK)

CMMC — upload an artifact file:

# Upload a policy document (auto-maps to AC-1, SC-1, PL-1)
receipt = vault.upload_artifact(
    filename="access-control-policy.pdf",
    evidence_type="policy_document",
    content_type="application/pdf"
)
print(receipt.event_id)    # unique event ID
print(receipt.sha256_hex)  # content hash
print(receipt.verify_url)  # public verify link

AI Governance — log a structured event:

# Log an AI model inference with policy context
# (user_prompt and model_response are the values your application already holds)
receipt = vault.record("model_inference", {
    "model": "gpt-4",
    "input": user_prompt,
    "output": model_response,
    "policy_version": "2.1.0",
    "human_review": True,
    "reviewer": "jdoe@company.com"
})

# Upload a bias assessment report
receipt = vault.upload_artifact(
    filename="q1-bias-assessment.pdf",
    evidence_type="bias_assessment",
    content_type="application/pdf"
)

Every call returns a signed receipt with the event ID, SHA-256 hash, KMS signature, and the public verification URL. Store the event_id in your own database if you want to cross-reference later.

5 Log Evidence (REST API — Any Language)

If you're not using Python, call the REST API directly. Two main endpoints:

Ingest a structured event (AI Governance):

curl -X POST https://api.prolixotech.com/ingest \
  -H "X-Api-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "your-workspace-id",
    "event_type": "model_inference",
    "payload": {
      "model": "gpt-4",
      "input": "user prompt here",
      "output": "model response here",
      "policy_version": "2.1.0"
    }
  }'

Upload an artifact file (CMMC):

# Step 1: Get a presigned upload URL
curl -X POST https://api.prolixotech.com/cmmc/artifacts/upload \
  -H "X-Api-Key: your-api-key" \
  -d '{
    "tenant_id": "your-workspace-id",
    "filename": "vuln-scan-q1.pdf",
    "content_type": "application/pdf",
    "evidence_type": "vulnerability_scan"
  }'

# Step 2: Upload the file using the presigned URL (from the step 1 response);
# if the response returns further form fields, pass each one with -F before the file
curl -X POST "{presigned_url}" \
  -F "key={fields.key}" \
  -F "file=@vuln-scan-q1.pdf"

# Step 3: Finalize — triggers hash, sign, map, and ledger write
curl -X POST https://api.prolixotech.com/cmmc/artifacts/{artifact_id}/finalize \
  -H "X-Api-Key: your-api-key"

6 Verify a Receipt

Verify any event using the public endpoint (no auth required):

curl https://api.prolixotech.com/public/verify/{event_id}

Response includes:

  • kms_signature_valid: true if the ECDSA signature matches the stored hash
  • merkle_linked: true once the daily attestation has included this event
  • shard_id and position: the event's location in the Merkle tree

Or use the human-readable verification page: www.prolixotech.com/tenant/verify.html?event_id={event_id}

7 Export Evidence Packages

Generate an export via the API:

# Evidence index (primary deliverable)
curl -X POST https://api.prolixotech.com/cmmc/exports \
  -H "X-Api-Key: your-api-key" \
  -d '{"tenant_id":"your-workspace-id","export_type":"evidence_index"}'

# System Security Plan
curl -X POST https://api.prolixotech.com/cmmc/exports \
  -H "X-Api-Key: your-api-key" \
  -d '{"tenant_id":"your-workspace-id","export_type":"ssp"}'

# Plan of Action & Milestones
curl -X POST https://api.prolixotech.com/cmmc/exports \
  -H "X-Api-Key: your-api-key" \
  -d '{"tenant_id":"your-workspace-id","export_type":"poam"}'

Each export returns a JSON package grouped by control family. Every artifact entry includes a verify_url and verify_ui_url that your assessor can open to independently confirm each artifact's integrity.


How Evidence Vault Works

Every artifact and log entry goes through the same cryptographic pipeline. The framework module you choose determines which controls are mapped.

Pipeline (CMMC module): Upload (policy, scan, config, or screenshot) → Hash (SHA-256 content digest) → KMS Sign (ECDSA P-256 via AWS KMS) → Map Controls (auto-map to NIST 800-171) → Merkle Chain (daily attestation root) → Export (SSP, POA&M, evidence index)

1. Upload & Store

Upload artifacts through the dashboard or API. Each file is stored in S3 with server-side KMS encryption (SSE-KMS). Supported types include policy documents, procedure documents, access reviews, audit logs, vulnerability scans, penetration test reports, configuration exports, screenshots, training records, incident reports, and risk assessments.

2. Hash & Sign

On finalize, the system computes a SHA-256 hash of the artifact content. This 32-byte digest is then signed using AWS KMS with an ECDSA P-256 key (algorithm: ECDSA_SHA_256, message type: DIGEST). The signature is stored alongside the artifact record — proving that the content existed in this exact form at the time of signing. The signing key is managed entirely by AWS KMS and never leaves the hardware security module.
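The receipt check described here and in step 7 (Verify Any Artifact), as an added example that is not Evidence Vault's own code: KMS ECDSA_SHA_256 with message type DIGEST signs the 32-byte SHA-256 digest itself, so the verifier runs ECDSA P-256 in "prehashed" mode. A locally generated key stands in for the HSM-held KMS key (in practice the public key is obtained from the vault), the receipt layout is constructed from the fields the page lists, and the `cryptography` package is assumed to be installed.

```python
# Added example, not Evidence Vault's code: the offline receipt check an assessor can
# run. KMS ECDSA_SHA_256 with MessageType=DIGEST signs the 32-byte SHA-256 digest
# itself, so the verifier uses ECDSA in "prehashed" mode. A locally generated P-256
# key stands in for the KMS key (which never leaves the HSM); in practice the public
# key is fetched from the vault. Requires the `cryptography` package.
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils

# ECDSA over an already-computed SHA-256 digest (the KMS DIGEST message type).
PREHASHED_SHA256 = ec.ECDSA(utils.Prehashed(hashes.SHA256()))

def stand_in_kms_key():
    """Local P-256 key, used only because this example cannot call AWS KMS."""
    return ec.generate_private_key(ec.SECP256R1())

def issue_receipt(private_key, event_id: str, content: bytes) -> dict:
    """Constructed receipt with the fields the page lists: event ID, hash, signature."""
    sha256_hex = hashlib.sha256(content).hexdigest()
    signature = private_key.sign(bytes.fromhex(sha256_hex), PREHASHED_SHA256)  # DER-encoded
    return {"event_id": event_id, "sha256_hex": sha256_hex, "kms_signature": signature}

def verify_receipt(public_key, content: bytes, receipt: dict) -> dict:
    """Two independent checks: (1) the artifact still hashes to the digest in the
    receipt, (2) the signature is valid over that stored digest. A valid signature
    alone does not prove the content is unchanged; both must hold."""
    hash_matches = hashlib.sha256(content).hexdigest() == receipt["sha256_hex"]
    try:
        public_key.verify(receipt["kms_signature"], bytes.fromhex(receipt["sha256_hex"]),
                          PREHASHED_SHA256)
        kms_signature_valid = True
    except InvalidSignature:
        kms_signature_valid = False
    return {"hash_matches": hash_matches, "kms_signature_valid": kms_signature_valid}

if __name__ == "__main__":
    key = stand_in_kms_key()
    policy = b"Access Control Policy v3 (constructed sample content)"
    receipt = issue_receipt(key, "evt-0001", policy)
    print(verify_receipt(key.public_key(), policy, receipt))          # both True
    print(verify_receipt(key.public_key(), policy + b"\n", receipt))  # hash_matches False
```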

3. Auto-Map to NIST 800-171 Controls

The system automatically maps each artifact to the CMMC 2.0 / NIST 800-171 control families it satisfies, based on evidence type. Mappings include a confidence score (0.90 for auto-detected type, 0.95 when source matches expected system, 1.0 for manually tagged controls).

  • Policy Document: AC-1, SC-1, PL-1
  • Access Review: AC-2, AC-6
  • Audit Log: AU-2, AU-3, AU-6
  • Vulnerability Scan: RA-5
  • Configuration Report: CM-2, CM-6
  • Incident Report: IR-4, IR-6
  • Training Record: AT-2
  • Risk Assessment: RA-1, RA-3
  • Penetration Test: CA-8

You can also tag artifacts with an explicit control ID (e.g., cmmc_control: AC-3) for 100% confidence mapping to any of the 110 controls across 14 families.

4. Ledger & Merkle Chain

Every signed artifact is written to an append-only ledger in DynamoDB. Once per day, a scheduled attestation job reads all new ledger entries since the last attestation, computes a Merkle tree of their hashes, and publishes the Merkle root. Each artifact's position in the tree is recorded, creating a tamper-evident chain. If any single byte in any artifact were changed after the fact, the Merkle root would no longer match.

5. Export & Verify

When you export, the system generates a structured evidence package grouped by control family. Available export types:

  • Evidence Index — JSON listing every artifact, its controls, hash, and a public verification URL per entry
  • SSP (System Security Plan) — control-by-control narrative with linked evidence
  • POA&M — controls with missing or incomplete evidence flagged as action items

Each artifact in the export includes a verify_url that anyone (C3PAO, auditor, contracting officer) can open to independently confirm the KMS signature, Merkle chain position, and content hash — with no login required.

Pipeline (AI Governance module): Log (AI decision, inference, or action) → Hash (SHA-256 content digest) → KMS Sign (ECDSA P-256 via AWS KMS) → Map Controls (EU AI Act, AI RMF, Colorado) → Merkle Chain (daily attestation root) → Export (AI governance evidence view)

1. Log AI Decisions

Use the SDK or REST API to log every AI decision, model inference, or automated action your system makes. Each log entry captures the event payload you define — typically the model name, input, output, policy version, and any human oversight context. The logging call returns a signed receipt immediately.

# Example: log an AI inference
# (user_prompt and model_response are the values your application already holds)
receipt = vault.record("model_inference", {
    "model": "gpt-4",
    "input": user_prompt,
    "output": model_response,
    "policy_version": "2.1.0",
    "human_review": True
})

2. Hash & Sign (Same Engine)

The exact same cryptographic pipeline used for CMMC artifacts applies here. The event payload is canonicalized (sorted keys, no whitespace), hashed with SHA-256, and signed with the KMS key (ECDSA P-256). This proves the AI decision log existed in this exact form at the recorded timestamp.

3. Multi-Framework Control Mapping

AI Governance logs map across three frameworks simultaneously. A single audit log entry, for example, can satisfy the EU AI Act's record-keeping mandate, the NIST AI RMF's monitoring requirement, and the Colorado AI Act's impact assessment provision — all from one log call.

EU AI Act

  • Audit Log: Art. 12 (Record-Keeping), Art. 14 (Human Oversight)
  • Model Card: Art. 11 (Technical Docs), Art. 13 (Transparency)
  • Bias Assessment: Art. 10 (Data Governance)
  • Risk Assessment: Art. 9 (Risk Management)

NIST AI RMF

  • Policy Document: GOVERN-1 (Policies & Processes)
  • Model Card: MAP-3 (AI Capabilities Documented)
  • Audit Log: MAP-1 (Context), MANAGE-4 (Monitoring)
  • Bias Assessment: MEASURE-2 (Performance Evaluation)

Colorado AI Act

  • Policy Document: COL-1 (Algorithmic Governance)
  • Bias Assessment: COL-2 (Bias Testing)
  • Audit Log: COL-3 (Impact Assessment)
  • Incident Report: COL-4 (Consumer Notice)

4. Ledger & Merkle Chain

Identical to CMMC: every signed AI log entry is written to the append-only DynamoDB ledger and linked into the daily Merkle tree. The chain provides a tamper-evident history of every AI decision your system made — exactly what EU AI Act Article 12 requires for high-risk AI systems (enforceable August 2, 2026).

5. Export & Verify

Export an AI Governance evidence view grouped by framework and control. Each entry includes a public verification URL so regulators or enterprise buyers can independently confirm the authenticity of your AI decision logs without needing access to your system.

  • EU AI Act — Article-by-article evidence breakdown (Art. 9 through Art. 62)
  • NIST AI RMF — Evidence organized by function (Govern, Map, Measure, Manage)
  • Colorado AI Act — Impact assessment evidence with bias testing records

Artifact Types for AI Governance

In addition to standard audit logs, the AI Governance module recognizes these evidence types:

  • model_card — Model documentation (maps to Art. 11, Art. 13, MAP-3)
  • bias_assessment — Fairness and bias testing results (maps to Art. 10, MEASURE-2, COL-2)
  • human_oversight_plan — Human-in-the-loop procedures (maps to Art. 14, GOVERN-1)
  • risk_assessment — AI risk analysis (maps to Art. 9, MAP-1)
  • incident_report — AI-related incidents (maps to Art. 62, COL-4)
  • training_record — Staff AI training (maps to Art. 14, GOVERN-4)

Your Data on Our Infrastructure

Every event you send — whether a CMMC artifact upload or an AI inference log — flows through the same AWS-based pipeline. Here is what happens end to end.

1 SDK / API → API Gateway

Your application calls record() from the Python SDK or sends a POST /ingest request. The SDK uses a background thread to batch events (default: 10 events or 5 seconds), so your code continues immediately with <1ms overhead. Requests are authenticated via the X-Api-Key header and routed through Amazon API Gateway at api.prolixotech.com.

2 Lambda → Hash, Sign, Map Controls

Our ingestion Lambda processes the event in four steps:

  • Canonicalize — JSON payload is serialized using RFC 8785 (sorted keys, deterministic encoding) so the same data always produces the same byte sequence.
  • Hash — SHA-256 digest computed over the canonical bytes (32-byte output).
  • KMS Sign — The digest is signed with AWS KMS using ECDSA P-256 (the private key never leaves the hardware security module).
  • Map Controls — Evidence type is automatically mapped to compliance controls (NIST 800-171 for CMMC, EU AI Act articles for AI governance).

3 DynamoDB Evidence Ledger (Merkle-Linked)

The signed event is written to the prolixo_evidence_ledger_v1 DynamoDB table. Each event is linked into one of 20 parallel shard chains using chained SHA-256 hashes. This creates an append-only, tamper-evident ledger — modifying any past record would break the chain. A daily attestation Lambda computes a Merkle root across all shards, creating a single tamper-evident root hash for the entire day.
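The ledger steps described in this section (canonicalize, hash, shard hash chain, daily Merkle root) together with the "Merkle chain position" check from the Verify tab, as an added example that is not the Evidence Vault SDK's code. It uses only the standard library; the chain-link rule, genesis value, shard selection and odd-node padding are assumptions, since the page does not specify them, and the sample events are constructed.

```python
# Added example, not the Evidence Vault SDK's code: the ledger pipeline the page
# describes, stdlib only (canonicalize -> SHA-256 -> shard hash chain -> daily
# Merkle root -> inclusion proof). KMS signing is left out (it needs the HSM key);
# chain-link rule, genesis value, shard choice and odd-node padding are assumptions.
import hashlib
import json

NUM_SHARDS = 20  # the page: events are linked into 20 parallel shard chains

def canonical_bytes(doc: dict) -> bytes:
    """Approximates RFC 8785 for plain JSON: sorted keys, no whitespace."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_pair(left_hex: str, right_hex: str) -> str:
    return sha256_hex(bytes.fromhex(left_hex) + bytes.fromhex(right_hex))

def build_levels(leaves_hex):
    """Binary SHA-256 Merkle tree, leaves first, root last; an odd level repeats its last node."""
    levels = [list(leaves_hex)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([hash_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, position):
    """Sibling hashes from leaf `position` up to the root, as (hex, sibling_is_right)."""
    proof, idx = [], position
    for lvl in levels[:-1]:
        padded = lvl + ([lvl[-1]] if len(lvl) % 2 else [])
        proof.append((padded[idx ^ 1], (idx ^ 1) > idx))
        idx //= 2
    return proof

def verify_inclusion(leaf_hex, proof, root_hex):
    """The 'Merkle chain position' check: does the proof recompute the published root?"""
    node = leaf_hex
    for sibling_hex, sibling_is_right in proof:
        node = hash_pair(node, sibling_hex) if sibling_is_right else hash_pair(sibling_hex, node)
    return node == root_hex

def attest_day(events):
    """Hash each (event_type, payload), link it into a shard chain, then publish one
    Merkle root over the day's event hashes. Returns (root_hex, records)."""
    heads = {s: "00" * 32 for s in range(NUM_SHARDS)}  # assumed genesis link per shard
    records = []
    for i, (event_type, payload) in enumerate(events):
        h = sha256_hex(canonical_bytes({"event_type": event_type, "payload": payload}))
        shard = i % NUM_SHARDS  # assumed shard selection
        heads[shard] = hash_pair(heads[shard], h)  # link = SHA-256(previous link || event hash)
        records.append({"event_id": f"evt-{i:04d}", "sha256_hex": h, "shard_id": shard,
                        "position": i, "chain_link": heads[shard]})
    levels = build_levels([r["sha256_hex"] for r in records])
    for r in records:
        r["proof"] = inclusion_proof(levels, r["position"])
    return levels[-1][0], records

SAMPLE_EVENTS = [  # constructed: three AI-governance events logged on one day
    ("model_inference", {"model": "gpt-4", "input": "q1", "output": "a1", "human_review": True}),
    ("model_inference", {"model": "gpt-4", "input": "q2", "output": "a2", "human_review": False}),
    ("bias_assessment", {"dataset": "loans-2025q1", "disparate_impact": 0.91}),
]

if __name__ == "__main__":
    root, recs = attest_day(SAMPLE_EVENTS)
    print("daily root:", root, [verify_inclusion(r["sha256_hex"], r["proof"], root) for r in recs])
    # Flip one field after the fact: the re-hashed event no longer reaches the published root.
    h = sha256_hex(canonical_bytes({"event_type": "model_inference",
                                    "payload": {**SAMPLE_EVENTS[1][1], "human_review": True}}))
    print("altered event verifies:", verify_inclusion(h, recs[1]["proof"], root))
```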

4 Firehose → S3 Cold Storage (7+ Years)

A DynamoDB Stream triggers a Lambda that pipes every new event to Amazon Kinesis Firehose. Firehose batches and compresses events into columnar Parquet files (SNAPPY compression) and writes them to S3. Lifecycle rules automatically tier storage for cost efficiency: Standard → Standard-IA (90 days) → Glacier (1 year) → Deep Archive (2+ years). Your evidence is retained for the full compliance retention period.

5 Dashboard → View, Export, Verify

Events appear in your dashboard immediately. Browse the evidence timeline, generate compliance exports (SSP, POA&M, Evidence Index, EU Declaration) as JSON or PDF, and verify any artifact's cryptographic proof. Each export includes per-artifact public verification URLs that your auditors, C3PAOs, or regulators can check independently — no login required.

Common Issues

  • Check that your API key is correct and active. Verify you're using the X-Api-Key header (not Authorization) for evidence routes. Confirm your workspace ID matches the key.
  • Clear browser cookies for app.prolixotech.com. Check that third-party cookies are enabled (required for Clerk authentication). Try an incognito/private window.
  • Check your workspace ID in Settings. API calls use tenant_id — it must match your workspace. If you have multiple workspaces, confirm you're viewing the correct one in the dashboard.
  • Files must be under 100 MB. Supported types: PDF, PNG, JPG, JSON, CSV, TXT, DOCX. Presigned URLs expire after 15 minutes — upload promptly after requesting one.
  • The event ID may not have been finalized yet. Call the finalize endpoint first. Merkle chain linking happens on a daily schedule. Recent events may show merkle_linked: false until the next attestation runs.
  • Use api.prolixotech.com (not the raw API Gateway URL). S3 download URLs require the bucket's CORS configuration — this is handled automatically for presigned URLs.
