Evidence Packaging Walkthrough

This walkthrough takes you through the complete process of generating an EU AI Act-compliant technical documentation evidence package using VeriProof. By the end, you’ll have a PDF and/or JSON export that satisfies the evidence requirements for Annex IV sections 3, 5, and 6, ready for your conformity assessment process or market surveillance authority request.

This walkthrough assumes you have the VeriProof SDK integrated and have been capturing sessions for at least one deployment. If you’re starting from scratch, see Getting Started first.


Before You Begin

Gather the following from your organisation settings (Customer Portal → Settings → Organisation):

  • System name: The name you’ll use in official documentation
  • System version: Current deployed version identifier
  • Deployment date: When this version went into production in the EU
  • Article 13 description: Your intended purpose statement (free text, used in the package header)
  • Responsible person contact: Name and email of the person responsible for the QMS

These fields are used to auto-populate the documentation header in generated packages.


Step-by-Step Walkthrough

Verify session capture completeness

Before generating an evidence package, confirm that session capture was active throughout the entire report period. Open the Application Workspace for your AI application and check the Dashboard tab. The daily session volume chart shows whether session counts are consistent across the reporting period.

If you find days with zero sessions, check whether those correspond to scheduled maintenance windows or deployments in environments not yet integrated. Document any gaps in your evidence package with an explanation — unexplained gaps may require investigation before submitting to an auditor.
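One way to run this completeness check outside the dashboard, as an added example that is not VeriProof SDK code. It assumes you have daily session counts as a date-to-count mapping (a hypothetical export); the function name, sample counts and maintenance window are constructed for illustration, and days absent from the data are treated as zero sessions.

```python
from datetime import date, timedelta

def find_capture_gaps(daily_counts, period_start, period_end, documented_windows=()):
    """Split zero-session runs in the period into unexplained and documented.

    daily_counts: {date: session_count}; a day absent from the mapping counts as zero.
    documented_windows: (start, end, reason) tuples, e.g. maintenance windows.
    """
    def reason_for(day):
        for start, end, reason in documented_windows:
            if start <= day <= end:
                return reason
        return None

    runs = []  # each entry: [first_day, last_day, reason or None]
    day = period_start
    while day <= period_end:
        if daily_counts.get(day, 0) == 0:
            reason = reason_for(day)
            previous = runs[-1] if runs else None
            # Extend the previous run only if it is adjacent and has the same status.
            if previous and previous[1] == day - timedelta(days=1) and previous[2] == reason:
                previous[1] = day
            else:
                runs.append([day, day, reason])
        day += timedelta(days=1)

    unexplained = [(first, last) for first, last, reason in runs if reason is None]
    documented = [(first, last, reason) for first, last, reason in runs if reason]
    return unexplained, documented

# Constructed sample: 3-5 March report zero sessions, 7-8 March are missing entirely.
SAMPLE_COUNTS = {
    date(2026, 3, 1): 120, date(2026, 3, 2): 131, date(2026, 3, 3): 0,
    date(2026, 3, 4): 0, date(2026, 3, 5): 0, date(2026, 3, 6): 118,
    date(2026, 3, 9): 125, date(2026, 3, 10): 130,
}
# Constructed sample: the only window recorded in the change calendar.
SAMPLE_WINDOWS = [(date(2026, 3, 3), date(2026, 3, 4), "scheduled maintenance")]

if __name__ == "__main__":
    gaps, explained = find_capture_gaps(
        SAMPLE_COUNTS, date(2026, 3, 1), date(2026, 3, 10), SAMPLE_WINDOWS)
    for first, last, reason in explained:
        print(f"documented gap {first} to {last}: {reason}")
    for first, last in gaps:
        print(f"UNEXPLAINED gap {first} to {last}: investigate before export")
```

The unexplained runs are the ones that need an explanation written into the evidence package or an investigation before submission.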

Verify governance configuration is current

The evidence package will include a snapshot of your governance policies. Before generating, open Settings → Governance Policies and confirm the active policies reflect the Article 9 thresholds in your current risk assessment. Check that the rule types, enforcement modes, and application assignments are correct.

If policies changed during the report period, the package will note when each policy was last updated. Confirm that any changes are supported by a rationale in your risk documentation.

Generate the evidence package

```python
from datetime import date

# `client` is the VeriProof SDK client from your existing integration.
package = client.compliance.export_evidence(
    framework="eu-ai-act",
    articles=["9", "10", "11", "13", "17"],
    start_date=date(2026, 1, 1),
    end_date=date(2026, 12, 31),
    format="pdf",
    include_proofs=True,         # Blockchain Merkle proofs for record samples
    include_attestation=True,    # TEE attestation token
    include_raw_sessions=False,  # Omit full session content for regulator packages
    report_language="en",        # "en", "de", "fr", "nl", etc.
)

print(f"Package ready: {package.download_url}")
print(f"Session count: {package.session_count}")
print(f"Report period: {package.period_start} to {package.period_end}")
```

Review the generated package

Open the generated PDF and verify:

Header — System name, version, deployment date, and responsible person match your documentation. If not, update your organisation settings and regenerate.

Section 3 — Monitoring Implementation — The session capture description should match your actual SDK integration. The governance scoring configuration should reflect your current Article 9 risk thresholds.

Section 5 — Post-Market Monitoring Data — Check the session counts, governance score distribution, and alert trigger summary. Ensure the statistical summaries look reasonable for your production volume.

Section 6 — Risk Management Evidence — Verify the incident count and corrective action log. Any unacknowledged alerts will appear here with a warning.

Section E — Attestation — The TEE measurement should match the published value in your most recent VeriProof release notes. If it doesn’t match, contact security@veriproof.app before using the package.

Supplement with your own documentation

The VeriProof evidence package covers Annex IV sections 3, 5, and 6. You need to add:

  • Annex IV section 1 — General system description (write this yourself)
  • Annex IV section 2 — Detailed technical description, training methodology, architecture
  • Annex IV section 4 — Change log for significant modifications during the period
  • Annex IV section 7 — Instructions for use (if you have deployers using your system)

Most organisations combine the VeriProof package with their own documentation into a single organised folder or document set.

Archive and version the package

Store the complete package alongside your other Article 11 documentation:

  • Use a document management system that records who generated the package and when
  • Keep the signed PDF (VeriProof signs the PDF with a certificate chaining to a trusted CA)
  • Retain for at least as long as the system remains operational, plus the post-market monitoring period required by the applicable conformity assessment route

Responding to a regulatory request

If a national market surveillance authority requests your technical documentation:

  1. Retrieve the latest package from your document management system (or Compliance → Exports in the portal)
  2. Combine it with your supplementary documentation into a single submission package
  3. Authorities typically expect a response within 15 working days under Article 74(3)

Generating an Incident Evidence Package

For Article 99 serious incident reporting, create a targeted evidence package scoped to the incident period:

  1. In Compliance → Audit Engagements, create a new engagement, set the scope to the incident window, and tag it as a serious incident report
  2. Go to Compliance → Evidence Exports, select the EU AI Act framework, choose Articles 9 and 17, and set the date range to the incident window
  3. Download the signed PDF and supplement it with the Monitoring → Trigger History acknowledgement and resolution notes for the affected alert rules
  4. Include your root cause analysis and corrective action summary as an attachment
