Getting Started with AuditProven Shield
Welcome to AuditProven Shield. This guide walks you through everything from your first assessment to verifying provenance chains.
Quick Start
1. Create Your Account
Visit app.auditproven.com and register with your work email. No credit card is required — every account receives one complimentary assessment.
2. Upload Your Documents
Click "New Assessment" and drag your policy documents into the upload area. Shield accepts PDF, DOCX, and plain text files. For best results, upload documents with clear heading structures — Shield uses headings to identify section boundaries.
3. Select a Framework
Choose the compliance framework you want to assess against. If you are preparing for a SOC 2 audit, select SOC 2. If you need to demonstrate GDPR compliance, select GDPR. You can select multiple frameworks for a single assessment on Professional and Enterprise plans.
4. Review Your Report
When the assessment completes (typically under 60 seconds), you will see a summary showing how many requirements are addressed, how many gaps were identified, and the overall compliance posture. Click into any section to see the full control narratives, evidence links, and gap details.
5. Export and Share
Download the report in your preferred format: PDF for auditors, DOCX for editing, XLSX for the evidence matrix, or JSON for system integration.
Uploading Documents
What to Upload
Upload any document that describes how your organization implements security controls. Common documents include:
- Information security policy
- Access control policy
- Incident response plan
- Business continuity / disaster recovery plan
- Change management procedure
- Vendor management policy
- Data classification policy
- Employee handbook (security-relevant sections)
- Network security architecture document
- Physical security policy
What Not to Upload
Shield analyzes policy and procedure documents. It does not process:
- Source code
- Configuration files
- Spreadsheets with raw data
- Scanned images without text (use OCR first)
- Documents in languages other than English (multilingual support coming)
File Size Limits
- Starter: 50 MB total per assessment, up to 10 files
- Professional: 200 MB total per assessment, unlimited files
- Enterprise: configurable, contact your account manager
Supported Formats
- PDF (including text-selectable PDFs)
- DOCX (Microsoft Word)
- TXT (plain text)
- MD (Markdown)
Selecting a Framework
Which Framework Do I Need?
SOC 2 — You are a SaaS company or service organization and your clients are asking for a SOC 2 report, or you are preparing for a SOC 2 Type II audit.
ISO 27001 — You want or need ISO 27001 certification, common for European businesses and organizations with international clients.
GDPR — You process personal data of EU residents and need to demonstrate compliance with EU data protection requirements.
HIPAA — You are a healthcare provider, health plan, clearinghouse, or business associate handling electronic protected health information.
PCI DSS — You store, process, or transmit payment card data and need to comply with PCI DSS requirements.
NIST CSF — You want a comprehensive cybersecurity risk management framework, commonly used by US government contractors and critical infrastructure organizations.
Multi-Framework Assessment
On Professional and Enterprise plans, you can assess against multiple frameworks simultaneously. Shield identifies where a single policy satisfies requirements across frameworks, reducing documentation redundancy.
Reading Your Report
Executive Summary
The first section shows your overall compliance posture: total requirements in the framework, how many are addressed by your documentation, how many gaps exist, and a compliance percentage.
Control Narratives
For each addressed requirement, Shield provides a narrative describing how your policy addresses the requirement, citing the specific source document and section. These narratives are written for auditors — they are precise, specific, and traceable.
Gap Analysis
Gaps are listed in priority order: CRITICAL (risk score above 0.8), HIGH (above 0.5), MEDIUM (above 0.2), LOW (below 0.2). Each gap shows the unaddressed requirement, how many downstream controls it affects, and a suggested remediation based on industry best practice.
Evidence Matrix
A table mapping each requirement to its corresponding control description, the source document and section, and any evidence references found in your documentation.
Remediation Plan
For each identified gap, Shield suggests specific remediation actions based on the requirement's implementation guidance in the compliance knowledge graph.
Provenance Appendix
The technical section containing the Merkle root hash and individual claim hashes. Use the verification tool to confirm that any specific claim in the report traces to its source document.
Understanding Gaps
Gap Types
GAP — No policy statement was found that addresses this requirement. You need to create a new policy or add a section to an existing one.
WEAK — A policy statement was found but with low confidence. The existing language may be too vague, too general, or only tangentially related to the requirement. Review the mapping and consider strengthening the language.
NEEDS_EVIDENCE — A control description was found but no evidence reference. Your policy describes what you do but does not reference documentation, logs, or artifacts that demonstrate the control operates. Add evidence references to your policy.
Risk Scores
Risk scores reflect how many other controls depend on the gapped requirement. Access control is a foundational control — a gap there propagates risk to encryption, monitoring, vendor management, and many others. Risk scores range from 0.0 (no dependent controls) to 1.0 (many dependent controls).
Priority Levels
- CRITICAL — Risk score above 0.8. Address immediately. This gap undermines multiple other controls.
- HIGH — Risk score above 0.5. Address before your audit. Significant downstream impact.
- MEDIUM — Risk score above 0.2. Address as resources permit. Moderate impact.
- LOW — Risk score below 0.2. Low priority. Isolated requirement with few dependencies.
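The following added example is not Shield's own scoring code; the page only states that a risk score reflects how many other controls depend on the gapped requirement and that scores run from 0.0 to 1.0. The scheme here is an assumption to make that idea concrete: controls form a dependency graph, a gapped control's downstream set is found by walking the graph transitively, the score is the fraction of all other controls in that set, and the CRITICAL/HIGH/MEDIUM/LOW thresholds are the ones listed above. The control names and edges are constructed sample data.

```python
from collections import deque

# Constructed control dependency graph: an edge A -> B means "B depends on A".
# Names and edges are illustrative, not a framework's real control catalogue.
DEPENDENCIES = {
    "access_control": ["encryption", "monitoring", "vendor_management",
                       "change_management", "physical_security"],
    "monitoring": ["incident_response"],
    "encryption": ["data_classification", "backup"],
    "change_management": ["backup"],
    "awareness_training": ["incident_response"],
}

def all_controls(graph):
    """Every control that appears as a source or a target of a dependency edge."""
    return set(graph) | {d for deps in graph.values() for d in deps}

def downstream_controls(graph, control):
    """Transitive set of controls that depend on `control` (breadth-first walk)."""
    seen, queue = set(), deque([control])
    while queue:
        current = queue.popleft()
        for dependent in graph.get(current, []):
            if dependent != control and dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def risk_score(graph, control):
    """Assumed scoring rule: share of all other controls that transitively depend on
    this one. 0.0 means nothing depends on it; 1.0 means everything else does."""
    others = len(all_controls(graph)) - 1
    if others <= 0:
        return 0.0
    return len(downstream_controls(graph, control)) / others

def priority(score):
    """Map a risk score to the priority levels listed in the help text.
    A score of exactly 0.2 is treated as LOW (the text says 'below 0.2' for LOW)."""
    if score > 0.8:
        return "CRITICAL"
    if score > 0.5:
        return "HIGH"
    if score > 0.2:
        return "MEDIUM"
    return "LOW"

def rank_gaps(graph, gapped_controls):
    """Order gapped controls the way the report lists them: highest risk first.
    Returns (control, rounded score, priority) tuples."""
    scored = [(c, risk_score(graph, c)) for c in gapped_controls]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(c, round(s, 3), priority(s)) for c, s in scored]

if __name__ == "__main__":
    for control, score, level in rank_gaps(DEPENDENCIES, ["monitoring", "access_control", "encryption"]):
        print(f"{level:<8} {score:.3f}  {control}")
```

With this graph, a gap in access_control reaches eight of the nine other controls and ranks CRITICAL, while a gap in monitoring only reaches incident_response and ranks LOW, which is the propagation effect the text describes.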
Provenance Verification
What is Provenance?
Every sentence in your AuditProven Shield report carries a SHA-256 hash that links it to the source document, section, page, and requirement it was derived from. These hashes are organized into a Merkle tree — a cryptographic structure where a single root hash can validate the integrity of the entire report.
How to Verify a Claim
- Open the Provenance Appendix section of your report
- Find the claim hash for the sentence you want to verify
- Enter the hash in the verification tool
- The tool shows: source document name, section heading, page number, matched requirement, and the Merkle path from the claim to the root
Why This Matters
In an audit, the auditor may ask: "How do you know your access control policy addresses CC6.1?" With AuditProven Shield, the answer is not "our tool said so." The answer is a cryptographic proof that resolves to Section 3.2 of your Access Control Policy, Page 7, which contains the sentence "All employees must use multi-factor authentication."
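To show what the verification step above actually checks, here is an added example of a claim-level Merkle proof in Python. It is not Shield's implementation: the page only states that each sentence carries a SHA-256 hash tied to its source document, section, page and requirement, and that the hashes form a Merkle tree with a single root. Everything else is assumed for illustration: the leaf encoding (length-prefixed fields under a 0x00 domain tag), the interior-node encoding (0x01 tag over the two child hashes), and the rule of duplicating the last node to pad an odd level. The sample claims are constructed; the first reuses the sentence, section and page quoted in this page.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def claim_hash(sentence: str, source_doc: str, section: str, page: int, requirement: str) -> str:
    """Assumed leaf construction: bind the sentence to its provenance fields.
    Fields are length-prefixed so moving text between fields changes the hash,
    and the 0x00 tag keeps leaf hashes distinct from interior-node hashes."""
    fields = [sentence, source_doc, section, str(page), requirement]
    encoded = b"".join(
        len(f.encode("utf-8")).to_bytes(4, "big") + f.encode("utf-8") for f in fields
    )
    return sha256_hex(b"\x00" + encoded)

def node_hash(left: str, right: str) -> str:
    """Interior node: 0x01 domain tag over the raw bytes of the two child hashes."""
    return sha256_hex(b"\x01" + bytes.fromhex(left) + bytes.fromhex(right))

def build_tree(leaf_hashes):
    """Return the tree as a list of levels: levels[0] are the leaves, levels[-1] == [root].
    An odd-length level is padded by duplicating its last node (assumed padding rule)."""
    if not leaf_hashes:
        raise ValueError("a report with no claims has no Merkle root")
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        current = levels[-1]
        if len(current) % 2:
            current.append(current[-1])
        levels.append([node_hash(current[i], current[i + 1]) for i in range(0, len(current), 2)])
    return levels

def merkle_path(levels, index):
    """Inclusion proof for leaf `index`: (sibling_hash, side) pairs from leaf to root,
    where side says on which side of the running hash the sibling sits."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], "right" if sibling > index else "left"))
        index //= 2
    return path

def verify_claim(leaf_hash, path, root):
    """Recompute the root from a leaf and its path; True only if every hop matches."""
    running = leaf_hash
    for sibling, side in path:
        running = node_hash(running, sibling) if side == "right" else node_hash(sibling, running)
    return running == root

# Constructed sample claims (not from a real report).
CLAIMS = [
    ("All employees must use multi-factor authentication.", "Access Control Policy", "3.2", 7, "CC6.1"),
    ("Access rights are reviewed quarterly by system owners.", "Access Control Policy", "4.1", 9, "CC6.2"),
    ("Security events are logged to a central SIEM.", "Information Security Policy", "6.3", 14, "CC7.2"),
    ("Vendors are risk-assessed before onboarding.", "Vendor Management Policy", "2.1", 3, "CC9.2"),
    ("Changes are approved before deployment to production.", "Change Management Procedure", "1.4", 2, "CC8.1"),
]
LEAVES = [claim_hash(*claim) for claim in CLAIMS]

if __name__ == "__main__":
    levels = build_tree(LEAVES)
    root = levels[-1][0]
    path = merkle_path(levels, 0)
    print("Merkle root:", root)
    print("claim 0 verifies against root:", verify_claim(LEAVES[0], path, root))
    # Changing one word of the sentence changes the leaf, so the same path no longer resolves to the root.
    altered = claim_hash("All employees should use multi-factor authentication.", *CLAIMS[0][1:])
    print("altered wording verifies:", verify_claim(altered, path, root))
```

The point of the exercise is that a single stored root lets anyone recompute one claim's hash from the quoted sentence and its provenance fields and check it with a path of only log2(n) sibling hashes, without the rest of the report. A production verifier would also pin the number of leaves in the tree, since duplicate-node padding on its own lets two leaf lists of different length produce the same root.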
Export Formats
JSON
Machine-readable format containing the complete report data structure. Suitable for API integration, dashboard consumption, and programmatic analysis. Includes all metadata, provenance records, and the Merkle root.
PDF
Professional print-ready document with headers, footers, page numbers, table of contents, and color-coded gap severity. Suitable for sharing with auditors and board members. Optimized for both screen reading and printing.
DOCX
Editable Microsoft Word document with heading styles, table of contents field, and formatted tables. Suitable for customization before distribution. All content is editable while provenance hashes are preserved in the appendix.
XLSX
Excel spreadsheet containing the evidence matrix as a filterable table. Each row maps a requirement to its control, source document, source section, evidence reference, and confidence score. Suitable for GRC platform import and manual review.
Troubleshooting
My PDF is not parsing correctly
Ensure your PDF contains selectable text (not a scanned image). Try selecting text in your PDF viewer — if you cannot select individual words, the PDF needs OCR processing before upload. Shield does not currently process image-only PDFs.
Assessment is taking longer than expected
Assessments typically complete in under 60 seconds. If yours is taking longer, it may be due to a very large document set (over 100 pages total) or high system load. Assessments will complete — they do not time out.
My control was not mapped to the expected requirement
Shield maps controls using text similarity. If your policy language is very different from the standard requirement language, the mapping may be low-confidence or absent. Try using terminology closer to the framework's own language. For example, "we restrict system access" maps better to SOC 2 CC6.1 than "we control who can log in."
The gap analysis shows a gap I think I've addressed
Check the confidence score on the mapping. A LOW confidence mapping may not have passed the threshold to count as addressed. Review the source sentence — does it clearly and specifically address the requirement, or is it tangential?
I cannot export to DOCX/XLSX
DOCX and XLSX export are available on Professional and Enterprise plans. Starter plans include PDF and JSON export only.
Keyboard Shortcuts (Web Application)
| Key | Action |
|---|---|
| N | New assessment |
| U | Upload documents |
| R | View report |
| G | View gaps |
| E | View evidence matrix |
| P | View provenance |
| D | Download report |
| ? | Show keyboard shortcuts |