Export compliance evidence
When an auditor asks “prove your team filed their time,” screenshots of a dashboard do not cut it. The evidence export produces a machine-readable compliance report for any period: per-person weekly status, plus the full stream of compliance events (reminders sent, deadlines missed, locks applied, exceptions granted) that shows the controls were actually operating.
Generate an export
1. Open Organization Settings → Configuration → Timesheets and find the Compliance evidence export panel.
2. Pick the from and to dates. A single export covers up to 90 days (about 13 weeks); for a longer period, run multiple exports back to back.
3. Choose the format:
   - CSV: one row per person per week, built for ingestion into GRC tools such as Vanta, Drata, or SecurityScorecard.
   - JSON: the full payload, including the audit event stream.
4. Select Generate. The file downloads immediately, named with the date range.
What each format contains
The CSV carries, per person per week: the week start, user id and email, role, expected hours, logged hours, compliance status, and the cost at risk with its currency.
The JSON adds structure an auditor can drill into: the period summary (unique users, total person-weeks, overall compliance percentage), a per-week breakdown with the same per-user detail, the chronological list of compliance audit events for the period, and the export’s own timestamp and author.
Give an auditor direct access
Instead of emailing files, you can hand an external auditor a read-only way to pull the same data themselves: an API token scoped to compliance reads only. A token with that scope can fetch evidence exports and nothing else; it cannot read projects, tasks, or members, and it cannot grant or revoke compliance exceptions. Exception management always requires a signed-in Owner or Admin.
Why is there a 90-day cap? It keeps each export bounded and fast. Quarterly audit periods fit in one file; for an annual review, run four exports and ingest them together.
Which events appear in the JSON audit stream? The timesheet compliance events for the period: reminders fired, deadlines missed, hard locks applied and lifted, escalation steps advanced, exceptions granted and revoked, and prior evidence exports.
Is there a PDF format? No, CSV and JSON only. GRC platforms consume those directly, and the JSON is self-describing enough to archive as-is.
Who can run an export? Owners and Admins by default (the compliance management permission), or any holder of a compliance-scoped read-only token.
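When a period longer than 90 days is covered by several CSV exports ingested together, it is worth checking that the stitched evidence has no missing weeks and no person-week that two files report differently. The following is an added example, not code from the product; the column names (`week_start`, `user_id`, `compliance_status`) and the status values are assumptions, so match them to the header row of your own export.

```python
import csv
import io
from datetime import date, timedelta

# Assumed column names (hypothetical); adjust to the real CSV header.
WEEK, USER, STATUS = "week_start", "user_id", "compliance_status"

# Constructed sample data: two exports with a shared boundary week and a gap.
EXPORT_A = """week_start,user_id,compliance_status
2024-01-01,u1,compliant
2024-01-08,u1,compliant
"""
EXPORT_B = """week_start,user_id,compliance_status
2024-01-08,u1,late
2024-01-22,u1,compliant
"""

def merge_exports(csv_texts):
    """Merge CSV exports into one mapping keyed by (week start, user id).

    If two files carry the same person-week, identical rows are collapsed;
    rows that disagree are reported and the first one seen is kept.
    """
    rows, conflicts = {}, []
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            key = (date.fromisoformat(row[WEEK]), row[USER])
            if key in rows and rows[key] != row:
                conflicts.append(key)
            rows.setdefault(key, row)
    return rows, conflicts

def missing_weeks(rows):
    """Return week starts absent between the first and last week seen."""
    weeks = sorted({week for week, _ in rows})
    if not weeks:
        return []
    present, gaps, cursor = set(weeks), [], weeks[0]
    while cursor <= weeks[-1]:
        if cursor not in present:
            gaps.append(cursor)
        cursor += timedelta(days=7)
    return gaps

if __name__ == "__main__":
    merged, conflicts = merge_exports([EXPORT_A, EXPORT_B])
    print("conflicting person-weeks:", conflicts)
    print("weeks with no rows:", missing_weeks(merged))
```

A reported conflict or gap means the evidence set should be regenerated or explained before it is handed to the auditor.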