Exporting audit evidence

How to export your vendor monitoring history for SOC 2, ISO 27001, and GDPR Article 30 evidence.

Auditors will, sooner or later, ask you to demonstrate ongoing vendor oversight. Thorgate's exports are designed to produce that evidence in a form that's easy to share and easy to read.

CSV export of the vendor list

From the Vendors page, click Export CSV. The export includes one row per vendor with columns:

  • Vendor name (your display name, falling back to the canonical name).
  • Primary URL.
  • Tracked documents (privacy, ToS, DPA, subprocessor list, security) — listed with last-fetched date.
  • Last change detected (date and severity).
  • Total change count over the past 12 months, by severity.
  • Last reviewed date and reviewer.

Suitable for: vendor inventory snapshots, SOC 2 walkthroughs, ISO 27001 internal audit prep.

Change history export

From the Changes page, the export produces one row per change event. Columns:

  • Detection date.
  • Vendor and document.
  • Severity (final, after any overrides).
  • Original AI-classified severity.
  • Brief description of the change.
  • Review status, reviewer, review date.

Suitable for: SOC 2 evidence of CC9.2 monitoring, ISO 27001 A.5.22 evidence, GDPR Article 30 supporting documentation.

Filters before export

Before clicking export, you can filter:

  • Date range. Common: the audit's observation period (typically 12 months for SOC 2 Type II).
  • Severity. Auditors usually want major + moderate at minimum; minor is informational.
  • Vendor tier or specific vendor. Useful when evidence is being gathered for a specific vendor relationship.
  • Review status. Useful when generating a "things still needing review" working list.

The filtered export is what gets downloaded — the file matches the filter view.

Format

CSV with UTF-8 encoding and Excel-compatible date formatting. Opens cleanly in Excel, Google Sheets, Numbers, and most data tools.

For larger exports (many hundreds of changes), the download is generated server-side and may take a few seconds before downloading.

What to attach to the audit

A defensible evidence package for a SOC 2 Type II audit, drawing on Thorgate, typically includes:

  1. Vendor inventory CSV at the start and end of the audit period.
  2. Full change history CSV for the audit period, filtered to major and moderate.
  3. Screenshots of three or four representative change reviews showing the diff, the AI summary, and the reviewer's mark — the auditor wants to see the workflow, not just the data.
  4. A brief written description of your monitoring cadence and materiality criteria. (Most auditors include a "describe your process" question; a one-page document referencing Thorgate is sufficient.)
  5. Sample of audit-trail entries showing review timestamps and reviewers — taken from the export.

What's not in the export

A few things are deliberately left out of the standard export:

  • Document content. Privacy policies and DPAs are public documents; we don't bundle copies into the export. Open the version page and download the original from there if needed.
  • AI summary text for every change. Available in-app but not bulk-exported. (On the roadmap.)
  • PDF audit packs. Branded PDF exports are a Scale-tier feature on the roadmap; not available at launch.

On compliance vs. evidence

Exports demonstrate that monitoring happened. They don't demonstrate that you responded to what monitoring found. The evidence story is stronger when the export is paired with action records — e.g. an export showing 14 major changes paired with internal records showing each one was triaged and resolved.

The simplest pairing is a one-line note added to each change ("Discussed with [team] on [date]; no contractual amendment needed") through the change detail page. We're working on a richer notes feature; for now, even short notes meaningfully improve the audit story.
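
Added example, not Thorgate's own code: a pre-audit check over the change history export that lists major and moderate changes in the observation period with no completed review, plus overrides that moved a change out of that filter. The column headers, the `reviewed` status value and ISO-format dates are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample of a change history export. Header names, status values and
# ISO dates are assumptions; match them to your real file (read a downloaded
# export with encoding="utf-8-sig" so a leading BOM does not break the header).
SAMPLE_EXPORT = """\
Detection date,Vendor,Document,Severity,Original severity,Description,Review status,Reviewer,Review date
2024-02-10,Acme Cloud,DPA,major,moderate,Added new subprocessor,reviewed,j.doe,2024-02-12
2024-03-05,Acme Cloud,Privacy policy,minor,minor,Wording tweak,unreviewed,,
2024-04-15,Example Pay,Privacy policy,minor,major,Reworded retention clause,reviewed,a.lee,2024-04-16
2024-05-20,Example Pay,Subprocessor list,moderate,moderate,Removed EU hosting region,unreviewed,,
2024-07-01,Example Pay,ToS,major,major,Changed liability cap,reviewed,,2024-07-03
2023-11-30,Acme Cloud,Security,major,major,Dropped pen-test commitment,unreviewed,,
"""

IN_SCOPE = {"major", "moderate"}  # severities the evidence package filters to


def evidence_gaps(csv_text, period_start, period_end):
    """Return (in_scope_count, gaps, downgrades) for changes detected in the period."""
    in_scope, gaps, downgrades = 0, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not period_start <= date.fromisoformat(row["Detection date"]) <= period_end:
            continue
        key = (row["Detection date"], row["Vendor"], row["Document"])
        final = row["Severity"].strip().lower()
        original = row["Original severity"].strip().lower()
        if final not in IN_SCOPE:
            # An override that drops a change out of the major/moderate filter
            # should carry a note explaining why.
            if original in IN_SCOPE:
                downgrades.append(key + (f"{original} -> {final}",))
            continue
        in_scope += 1
        if row["Review status"].strip().lower() != "reviewed":
            gaps.append(key + ("not reviewed",))
            continue
        missing = [c for c in ("Reviewer", "Review date") if not row[c].strip()]
        if missing:
            gaps.append(key + ("missing " + ", ".join(missing),))
    return in_scope, gaps, downgrades


if __name__ == "__main__":
    total, gaps, downgrades = evidence_gaps(SAMPLE_EXPORT, date(2024, 1, 1), date(2024, 12, 31))
    print(f"{total} major/moderate changes in period, {len(gaps)} with review gaps")
    for item in gaps + downgrades:
        print("  ", *item, sep=" | ")
```

Run it against an export that is not filtered by severity, otherwise the downgraded rows are already absent from the file.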
