Exports and Auditor Access

Overview

Regulators, customers, and notified bodies often ask for immutable evidence: what risk tier you assigned, what Annex IV documentation existed on a date, and what monitoring covered. Aikraft combines versioned documentation, PDF export, and time-limited auditor portals so you can respond without forwarding living documents by email.


Annex IV PDF export

Available on Starter and above for systems classified as high-risk.

  1. Open the system → Document tab.
  2. Ensure at least one version is Published (not draft).
  3. Click Export PDF.

The export includes:

  • Cover sheet with system name, version, and export timestamp
  • Classification summary and Annex III mapping
  • All eight Annex IV sections as rendered in the editor
  • Change log appendix for published versions included in the bundle

Exports are watermarked with organisation ID and user email. Large annexes may take up to 60 seconds; you will receive an in-app notification when ready.


Classification report

For any classified system, Classify → Export report produces a shorter PDF focused on:

  • Questionnaire answers (with reviewer notes)
  • Rule trace summarising why the tier was assigned
  • Optional comparison if you re-ran classification after a material change

Use this for board packs or procurement diligence where full Annex IV is not required.


Version snapshots

Every publish action on documentation creates an immutable snapshot. Snapshots:

  • Cannot be edited (only superseded by a later publish)
  • Retain the user who published and the optional approval reference
  • Appear in the History drawer with diff summaries between versions

Enterprise customers can configure legal hold to prevent deletion of snapshots for systems under investigation.


Auditor links are scoped, expiring URLs that open a subset of the Aikraft UI:

  • Published classification and documentation only (drafts hidden unless you explicitly include them)
  • Monitoring incident list if you toggle Include monitoring summary
  • No access to billing, team settings, or other systems

Create a link

  1. Settings → Auditors → New link
  2. Select systems and expiry (1–90 days)
  3. Optional: password, IP allowlist, single-use token

Revoke links instantly from the same screen. All auditor page views are written to the audit log.


API and automation

Programmatic export uses GET /v1/systems/{id}/exports/annex-iv (see API Reference). Responses return a download URL valid for 15 minutes. Pair with your GRC tool or document management system if you need scheduled archival.
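A scheduled archival job built on this endpoint, shown as an added example rather than Aikraft's own code: it downloads the PDF while the URL is still valid and records a SHA-256 in a manifest so later tampering with the archived copy is detectable. The host `aikraft-api.example`, bearer-token auth, the `download_url` response field, and the manifest layout are assumptions.

```python
import hashlib, json, re, time
import urllib.request
from pathlib import Path

API_BASE = "https://aikraft-api.example"  # placeholder host (assumption)

def http_get(url, token=None):
    """GET url and return the body; bearer-token auth is an assumption."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()

def archive_annex_iv(system_id, dest_dir, token=None, get=http_get):
    """Fetch one Annex IV export and record its SHA-256 in manifest.jsonl."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", system_id):
        raise ValueError("unexpected characters in system id")
    meta = json.loads(get(f"{API_BASE}/v1/systems/{system_id}/exports/annex-iv", token))
    url = meta["download_url"]  # assumed response field name
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    # The URL is valid for 15 minutes: download now, never persist the URL,
    # and do not forward the API token to the download host.
    pdf = get(url)
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("download is not a PDF")
    digest = hashlib.sha256(pdf).hexdigest()
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    name = f"{system_id}-annex-iv-{digest[:16]}.pdf"
    (dest / name).write_bytes(pdf)
    record = {"system_id": system_id, "file": name, "sha256": digest,
              "archived_at": int(time.time())}
    with open(dest / "manifest.jsonl", "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record

def verify_archive(dest_dir):
    """Return names of archived files that are missing or no longer match."""
    dest, bad = Path(dest_dir), []
    for line in (dest / "manifest.jsonl").read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        path = dest / rec["file"]
        if not path.is_file() or hashlib.sha256(path.read_bytes()).hexdigest() != rec["sha256"]:
            bad.append(rec["file"])
    return bad
```

Run `verify_archive` on a schedule and keep `manifest.jsonl` on storage the archival job cannot rewrite, otherwise the hash only proves what the job last wrote.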


Good practice

  • Export after each material model or policy change, not only annually.
  • Store PDFs in your records repository with the same retention category as underlying personal data.
  • Use auditor links instead of forwarding Google Docs — you retain control and an evidence trail.