Evidence Collection Mapping

Purpose: Map each unified control to specific evidence collection points across the Maelstrom AI repository platform

Created: 2025-11-08 Status: Evidence collection complete (12 of 12 planned reviews executed; 18 evidence documents produced)

Overview

This document defines the evidence collection strategy for the 186 unified controls identified in the Unified Control Matrix. It specifies:

Which repositories contain relevant evidence
What file patterns/locations to examine
Which review area should collect the evidence
What format the evidence should take

Repository Scope

Core Repositories (In Scope)

Repository	Primary Focus	Languages	Reviewer Assignment
provii-verifier	Proof verification backend	Rust (WASM, Cloudflare Workers)	API Security, Infrastructure, Age Verification
provii-issuer	Credential issuance backend	Rust (WASM, Cloudflare Workers)	API Security, Age Verification, Cryptography
provii-verifier (hosted mode)	Hosted verification routes for simple website integrations (merged into provii-verifier)	Rust (WASM, Cloudflare Workers)	Infrastructure, API Security
provii-mobile (Provii mobile wallet client repository, under the MaelstromAI GitHub Enterprise)	Mobile wallet application	Kotlin (Android), Swift (iOS)	Mobile Security, Cryptography, Age Verification
provii-mobile-sdk	Wallet SDK for proof generation	Rust	Cryptography, Age Verification
provii-agegate	Browser verifier integration	TypeScript	API Security, Age Verification
provii-crypto	Cryptographic primitives	Rust	Cryptography
shared-rate-limit	Shared rate limiting library	Rust	API Security
provii-management	Admin/management API	TypeScript (Cloudflare Workers)	API Security, Access Control
provii-credit-management	Billing/credit system	TypeScript (Cloudflare Workers)	API Security, Access Control
admin-portal	Issuer and verifier admin interface	TypeScript/React	API Security, Access Control
shared-portal-lib	Shared React component library	TypeScript/React	API Security, Access Control
provii-status	Status page worker	TypeScript (Cloudflare Workers)	Infrastructure
provii-website	Marketing website	Astro/TypeScript	Infrastructure
provii-demos	Integration demo ecosystems	Multi-language	Age Verification

Documentation Repository

Repository	Primary Focus	Reviewer Assignment
provii-docs	ISO 27001 ISMS, architecture, policies, compliance documentation	All reviewers (reference material)

Evidence Collection by Review Area

Review 1: Cryptography

Scope: Cryptographic implementations, key management, ZKP circuits, signature schemes

Repositories:

provii-crypto/* (PRIMARY)
provii/ (proof generation)
provii-verifier/ (proof verification)
provii-issuer/ (credential signing)

File Patterns:

**/*.rs (Rust crypto code)
**/Cargo.toml (dependencies)
**/circuit*.rs (ZK circuit definitions)
**/prover*.rs (proof generation)
**/verifier*.rs (proof verification)
**/sig*.rs (signature schemes)
**/commit*.rs (commitment schemes)
**/*key*.rs (key management)

Controls Covered: UC-071 through UC-082 (12 cryptographic controls)

Evidence to Collect:

Groth16 implementation details
Trusted setup process
Key generation procedures
Signature scheme specifications (RedJubjub)
Commitment scheme details (Pedersen)
Nullifier generation
Circuit constraint analysis
Cryptographic library usage (bellman, jubjub, blake2s)
Parameter generation and validation
Randomness sources (OsRng, getrandom)

Output: /trust/evidence/cryptography/crypto-implementation-evidence

Review 2: Privacy Architecture

Scope: Data flows, PII handling, unlinkability, privacy by design principles

Repositories:

docs/ (architecture documentation)
provii-verifier/ (data processing)
provii-issuer/ (data processing)
provii/ (client-side data)
ALL repos (for data flow analysis)

File Patterns:

**/overview/*.mdx (architecture docs)
**/security/*.mdx (security/privacy policies)
**/*privacy*.{rs,ts,kt,swift} (privacy-related code)
**/*data*.{rs,ts,kt,swift} (data handling code)
**/wrangler.toml (KV/DO data storage config)

Controls Covered: UC-001 through UC-043 (Privacy Controls - 38 controls)

Evidence to Collect:

Complete data flow diagrams (issuance, verification)
PII inventory (what data exists where)
Data minimization proof (what’s NOT collected)
Client-side processing evidence
Unlinkability mechanisms (random IDs)
Privacy by design principles demonstration
User control mechanisms
Transparency measures (open source, docs)
Cross-border data flow analysis
Privacy notice locations and content

Output: /trust/evidence/privacy-controls/privacy-architecture-evidence

Review 3: API Security

Scope: Authentication, authorisation, rate limiting, input validation, API security

Repositories:

provii-verifier/
provii-issuer/
provii-management/
provii-credit-management/
provii-agegate/
shared-rate-limit/

File Patterns:

**/src/**/*.rs (Rust API code)
**/src/**/*.ts (TypeScript API code)
**/*auth*.{rs,ts} (authentication)
**/*middleware*.{rs,ts} (middleware)
**/*rate*.{rs,ts} (rate limiting)
**/*validation*.{rs,ts} (input validation)
**/wrangler.toml (worker config)
**/*.env.example (environment config)

Controls Covered: UC-044 through UC-070 (Security Controls - 27 controls)

Evidence to Collect:

Authentication mechanisms (JWT, API keys, JWKS)
Authorisation patterns (RBAC, ABAC)
Rate limiting implementation
Input validation approaches
CORS policies
Security headers (CSP, HSTS, etc.)
API request logging
Error handling (no info leakage)
TLS enforcement
API versioning and deprecation

Output: /trust/evidence/security-controls/api-security-evidence

Review 4: Mobile Security

Scope: Credential storage, proof generation, secure enclave, biometric auth, mobile app security

Repositories:

provii/ (PRIMARY)
provii-mobile-sdk/
provii-crypto/ (mobile bindings)

File Patterns:

**/android/**/*.kt (Android code)
**/ios/**/*.swift (iOS code)
**/*keychain*.{kt,swift} (secure storage)
**/*biometric*.{kt,swift} (biometric auth)
**/*enclave*.{kt,swift} (secure enclave)
**/*storage*.{kt,swift} (data storage)
**/build.gradle* (Android dependencies)
**/*.xcodeproj/* (iOS config)
**/Podfile* (iOS dependencies)

Controls Covered: UC-094, UC-095, UC-096, UC-149, UC-150, UC-151 (Mobile security controls)

Evidence to Collect:

Credential storage mechanisms (Keychain, Android Keystore)
Secure enclave usage (if applicable)
Biometric authentication implementation
Proof generation security
Screen capture prevention
Jailbreak/root detection
TLS enforcement
Secure IPC
Mobile-specific data retention
Offline functionality security

Output: /trust/evidence/security-controls/mobile-security-evidence

Review 5: Infrastructure

Scope: Cloud architecture, deployment, networking, geographic distribution, Cloudflare specifics

Repositories:

ALL (for wrangler.toml files)
provii-verifier/src/hosted/ (formerly provii-verifier/)
.github/workflows/ (CI/CD configs)

File Patterns:

**/wrangler.toml (Cloudflare Workers config)
**/.github/workflows/*.{yml,yaml} (GitHub Actions)
**/terraform/**/* (if infrastructure as code exists)
**/docker* (container configs)
**/*deploy*.{yml,yaml,sh} (deployment scripts)
**/cloudflare/**/* (Cloudflare configs)

Controls Covered: UC-127 through UC-143 (Infrastructure controls - 17 controls)

Evidence to Collect:

Cloudflare Workers architecture
Durable Objects usage
KV storage configuration
Workers Logs and Grafana Loki setup
Geographic distribution (edge deployment)
CDN configuration
DDoS protection (Cloudflare)
Network segmentation
Environment separation (prod/staging/dev)
Infrastructure as code (if exists)
Deployment automation
Secrets management (environment variables)

Output: /trust/evidence/infrastructure/infrastructure-evidence

Review 6: Data Lifecycle

Scope: Data retention, deletion, backup, recovery, data flows from creation to disposal

Repositories:

ALL (data tracking)
docs/security/data-retention.mdx (existing policy)

File Patterns:

**/*retention*.{rs,ts} (retention logic)
**/*delete*.{rs,ts} (deletion logic)
**/*backup*.{rs,ts} (backup logic)
**/*ttl*.{rs,ts} (TTL expiration)
**/wrangler.toml (KV/DO expiration settings)
**/*cleanup*.{rs,ts} (data cleanup jobs)

Controls Covered: UC-017, UC-018, UC-102, UC-103, UC-104, UC-105, UC-128, UC-129 (Data lifecycle - 8 controls)

Evidence to Collect:

Data retention periods (IP logs: 90 days, challenges: 5 minutes, etc.)
Automated deletion mechanisms
TTL configurations
Backup procedures (if any - KV exports)
Data recovery processes
Data disposal verification
Cryptographic erasure (key deletion)
Legal hold capabilities
Data subject request handling

Output: /trust/evidence/privacy-controls/data-lifecycle-evidence

Review 7: Access Control

Scope: RBAC, authentication, privilege management, audit logging, least privilege

Repositories:

provii-management/ (admin access)
admin-portal/ (issuer admin)
admin-portal/ (verifier admin)
provii-credit-management/ (billing admin)
ALL (for general access patterns)

File Patterns:

**/*auth*.{rs,ts,kt,swift} (authentication)
**/*authz*.{rs,ts} (authorisation)
**/*rbac*.{rs,ts} (role-based access)
**/*permission*.{rs,ts} (permissions)
**/*role*.{rs,ts} (role management)
**/*audit*.{rs,ts} (audit logging)
**/*.github/CODEOWNERS (code review requirements)

Controls Covered: UC-052, UC-053, UC-054, UC-055, UC-056, UC-057, UC-058, UC-059, UC-060, UC-061 (Access control - 10 controls)

Evidence to Collect:

Role definitions (admin, issuer, verifier, user)
Authentication methods (password, MFA, API keys)
Authorisation models (RBAC, ABAC)
Privilege levels
Least privilege enforcement
Access review processes
Audit logging (who accessed what when)
Session management
GitHub access controls (branch protection, CODEOWNERS)
Secrets access (who can access production secrets)

Output: /trust/evidence/security-controls/access-control-evidence

Review 8: Logging and Monitoring

Scope: Security logging, audit trails, monitoring, alerting, SIEM, log retention

Repositories:

ALL (for logging implementations)
provii-verifier/ (API logging)
provii-issuer/ (API logging)

File Patterns:

**/*log*.{rs,ts} (logging code)
**/*monitor*.{rs,ts} (monitoring)
**/*alert*.{rs,ts} (alerting)
**/*audit*.{rs,ts} (audit trails)
**/wrangler.toml ([observability.logs] blocks for Workers Logs)
**/.github/workflows/* (CI/CD logging)

Controls Covered: UC-062, UC-063, UC-064, UC-065, UC-130, UC-131 (Logging/monitoring - 6 controls)

Evidence to Collect:

What gets logged (events, API calls, errors, security events)
What DOESN’T get logged (PII exclusion)
Log retention periods (Cloudflare Workers Logs in Grafana Loki: 90 days; critical security event logs are retained for up to 365 days)
Audit trail coverage
Security event monitoring
Alerting mechanisms (if any)
Log analysis (manual vs automated)
SIEM integration (if any)
Log integrity protection
Access to logs (who can view)

Output: /trust/evidence/security-controls/logging-monitoring-evidence

Review 9: Business Continuity

Scope: Backup, disaster recovery, availability, failover, incident response

Repositories:

docs/security/business-continuity.mdx (existing policy)
docs/security/incident-response.mdx (existing policy)
ALL (for availability patterns)

File Patterns:

**/*backup*.{rs,ts} (backup code)
**/*failover*.{rs,ts} (failover logic)
**/*recovery*.{rs,ts} (recovery procedures)
**/wrangler.toml (high availability config)
**/.github/workflows/*deploy*.yml (deployment automation)

Controls Covered: UC-066, UC-067, UC-068, UC-137, UC-138, UC-139, UC-140 (Business continuity - 7 controls)

Evidence to Collect:

Backup procedures (KV exports, code in Git)
Disaster recovery plan
RPO/RTO targets
Availability guarantees (Cloudflare SLA)
Failover mechanisms (edge distribution)
Incident response procedures
Tabletop exercise history
BCP testing records
Data replication (edge caching)

Output: /trust/evidence/business-continuity/bc-dr-evidence

Review 10: Third-Party Dependencies

Scope: Vendors, sub-processors, open source libraries, supply chain security

Repositories:

ALL (for dependency files)

File Patterns:

**/Cargo.toml (Rust dependencies)
**/Cargo.lock (Rust lock file)
**/package.json (npm dependencies)
**/package-lock.json (npm lock file)
**/Podfile* (iOS dependencies)
**/build.gradle* (Android dependencies)
**/.github/workflows/* (CI/CD vendors)
**/wrangler.toml (Cloudflare services)

Controls Covered: UC-070, UC-144, UC-145, UC-146, UC-147, UC-148 (Vendor/supply chain - 6 controls)

Evidence to Collect:

All third-party services (Cloudflare, GitHub, etc.)
Sub-processors list
Open-source dependencies (Rust crates, npm packages)
Dependency security scanning (Dependabot, cargo-audit)
Vendor risk assessments
Data processing agreements (DPAs)
Vendor security reviews
Supply chain security (signed commits, verified builds)
License compliance
Vulnerability management for dependencies

Output: /trust/evidence/vendors/third-party-evidence

Review 11: Development Practices

Scope: Secure SDLC, CI/CD, code review, testing, vulnerability management, DevSecOps

Repositories:

ALL (for development practices)
.github/ (workflows, templates)

File Patterns:

**/.github/workflows/*.{yml,yaml} (CI/CD pipelines)
**/.github/pull_request_template.md (PR templates)
**/.github/CODEOWNERS (code review)
**/*test*.{rs,ts,kt,swift} (test files)
**/.github/dependabot.yml (dependency updates)
**/SECURITY.md (security policy)
**/.pre-commit-config.yaml (pre-commit hooks)
**/clippy.toml (Rust linting)
**/.eslintrc* (TypeScript linting)

Controls Covered: UC-152 through UC-170 (Development & Operations - 19 controls)

Evidence to Collect:

CI/CD pipeline security (GitHub Actions)
Code review requirements (branch protection)
Security testing (SAST, linting)
Vulnerability scanning (Dependabot, cargo-audit)
Test coverage
Deployment automation
Environment separation (prod/staging/dev)
Secret scanning (GitHub secret scanning)
Pre-commit hooks
Code signing (if applicable)
Release process
Change management (Git workflow)
Documentation standards

Output: /trust/evidence/development/devops-evidence

Review 12: Age Verification Flow

Scope: End-to-end age verification flows, issuance, verification, challenge/response, nullifier handling

Repositories:

provii-verifier/ (verification flow)
provii-issuer/ (issuance flow)
provii/ (user flows)
provii-agegate/ (verifier integration)
provii-crypto/ (cryptographic flows)

File Patterns:

**/src/**/*.rs (Rust flow implementations)
**/src/**/*.ts (TypeScript flow implementations)
**/*challenge*.{rs,ts,kt,swift} (challenge generation/handling)
**/*proof*.{rs,ts,kt,swift} (proof generation/verification)
**/*nullifier*.{rs,ts} (nullifier handling)
**/*credential*.{rs,ts,kt,swift} (credential management)
**/*issuance*.{rs,ts} (issuance flow)
**/*verification*.{rs,ts} (verification flow)

Controls Covered: UC-083 through UC-093 (Age Verification Controls - 11 controls)

Evidence to Collect:

Complete issuance flow (user to issuer to credential)
Complete verification flow (challenge to proof to verification)
Challenge generation (nonce, PKCE, RP binding)
Proof generation (zk-SNARK)
Proof verification (Groth16 verification)
Nullifier generation and checking (replay prevention)
Credential lifecycle (issuance, storage, expiration, revocation)
Issuer trust model (key distribution, JWKS)
Age threshold logic
Accessibility features (challenge codes for non-QR)
Error handling in flows

Output: /trust/evidence/age-verification/flow-evidence

Additional Evidence Documents (Not Originally Mapped)

The following evidence documents were produced during evidence collection but were not part of the original 12-area plan:

Document	Location	Scope
Status Page Evidence	`/trust/evidence/business-continuity/status-page-evidence`	Cloudflare-based status page implementation and availability monitoring
Backup Worker Evidence	`/trust/evidence/business-continuity/provii-backup-evidence`	Automated KV backup to R2, cron scheduling, encryption at rest
Privacy Policy Evidence	`/trust/evidence/privacy-controls/privacy-policy-evidence`	Privacy policy content, GDPR/CCPA disclosures, notice accessibility
DPA Templates Evidence	`/trust/evidence/privacy-controls/dpa-templates-evidence`	Data processing agreement templates, SCCs addendum, enterprise DPA
HR Privacy Notice Evidence	`/trust/evidence/privacy-controls/hr-privacy-notice-evidence`	Internal staff privacy notice, employee data handling
Age-Appropriate Notices Evidence	`/trust/evidence/privacy-controls/age-appropriate-notices-evidence`	Children’s, teens’, and parents’ privacy notices
ROPA Records	`/trust/evidence/privacy-controls/ropa-records-of-processing`	Records of processing activities per GDPR Article 30

Previously Outstanding. Now Complete

Document	Status	Notes
Mobile Security Evidence	Complete (15 Feb 2026)	Covers: iOS Keychain + Secure Enclave, Android Keystore + EncryptedSharedPreferences, biometric auth, TLS enforcement, jailbreak/root detection, screenshot blocking, constant-time comparison, CI security pipeline

Evidence Documentation Standards

Required Elements for Each Evidence Document

Executive Summary

What was examined
Key findings
Control coverage summary

Detailed Findings

For each control: evidence found, implementation status, gaps
Code references (file:line format)
Configuration examples
Screenshots/diagrams where helpful

Code References Format

**Control UC-XXX**: [Control Name]
**Evidence**: `repository/path/to/file.rs:123-145`
**Description**: [What this code demonstrates]
**Status**: ✅ Implemented / 🔄 Partially Implemented / 📋 Planned / ❌ Gap

Gap Analysis

Controls without sufficient evidence
Partial implementations needing completion
Recommendations for remediation

Cross-References

Link to relevant existing ISMS docs in /trust/security/
Link to unified control matrix entries
Link to related evidence documents from other review areas

Output Format

File Type. Markdown (.md)
Location. /trust/compliance/evidence/{category}/
Naming. {review-area}-evidence.md
Length. (aim for thoroughness over brevity)
Code Blocks. Use syntax highlighting (rust, typescript, etc.)

Evidence Collection Strategy

Parallel Execution

All 12 review areas were executed in parallel to maximise efficiency across the codebase.

Review Coordination

Each review area has clear boundaries. Cross-references between review areas are noted where findings overlap:

Reference the project tracker document for context
Reference the unified control matrix for control definitions
Reference this evidence mapping document for scope
Avoid duplicating work (each review area has clear boundaries)
Cross-reference other review areas’ expected outputs when relevant

Estimated Timeline

Evidence collection. 2-3 hours real time (parallel)
Evidence consolidation. 30-60 minutes
Review and gap analysis. 1-2 hours
Total Phase 2 time. ~4-6 hours real time

Post-Collection Actions

After all reviews complete:

Consolidate Evidence

Review all 12 evidence documents
Identify cross-cutting findings across review areas
Create master evidence inventory

Gap Analysis

Compile all identified gaps
Prioritize remediation (Critical to High to Medium to Low)
Create remediation plan with timelines

Evidence Repository Structure

Finalise /trust/evidence/ organisation
Ensure cross-references are complete
Create evidence index document

Prepare for Phase 3

Map evidence to standard-specific requirements
Identify which controls have complete evidence
Flag controls needing additional evidence gathering

Success Criteria

Evidence collection is successful when:

All 186 unified controls have been examined
Evidence status determined for each control (Implemented/Partial/Planned/Gap/N/A)
Code references provided for technical controls
Existing ISMS documentation cross-referenced for administrative controls
Gaps clearly identified with specificity
Recommendations provided for gap remediation
Cross-area findings consolidated
Evidence ready to support standard-specific document generation

End of Evidence Mapping Document Evidence Collection Status: Complete (all 19 evidence documents produced) Next Step: Create mobile security evidence document from Provii mobile wallet (client) repository analysis (under the MaelstromAI GitHub Enterprise)