Document library

A document library that knows what the evidence is about

Document management sits in the same platform as your risks, controls and vendors. Policy documents and certificates are version-controlled on European servers, and the AI reads the contents so the right evidence lands on the right control.

Not another SharePoint – a library tied to the evidence work

Policies live on SharePoint, vendor certificates in an email, ISO evidence in a shared Drive, the DPAs as attachments in the CRM. The auditor asks "which version of the password policy applied in March?" and the hunt is on. Securapilot's document management pulls them into one versioned library where every file knows which control or risk it's there to prove.

The result: an evidence library that survives audit – without a single Excel file.

Who it is for

Six roles use document management in different ways, but all in the same library.

Information Security Coordinator (CISO/CSO)

Versioned policy collection, evidence library for ISO 27001/NIS2, approval flows.

Data Protection Officer (DPO)

DPA archive, ROPA evidence, retention on personal data attachments.

Vendor Manager

Central archive for vendor certificates with expiry tracking and AI verification.

Internal Auditor

Timestamped version history, approvals and download log for traceability.

External Auditor

Direct access to evidence linked to a control – no "sent by email" versions.

Compliance Manager

Folder structure per framework and automatic classification of uploaded documents.

All document work in one module

Securapilot's document management covers the full document lifecycle across eight areas – from upload to audit trail.

Central library

Hierarchical folder structure by framework, department or process – with permissions per folder and three access levels (read, upload, manage).

Drag-and-drop upload

Upload multiple files at once straight in the browser. Automatic classification: policy, template, certificate, evidence, reference or vendor document.

Version management

Every upload becomes a new version. Restore an earlier version with one click – with SHA256/MD5 checksums and change notes.

Preview without download

Images, PDFs and Office documents are shown directly in the browser – Office is converted to PDF automatically via the built-in Gotenberg integration.

Approval flows

Mark a document as "requires approval" – typical for vendor evidence. Statuses pending, approved or rejected, always timestamped.

AI-verified evidence

When a document is used as evidence, the AI analyses its content and gives a relevance score from 0 to 100. Images are read with OCR via vision models.

Expiry tracking

Set a validity date on every document. List views for documents expiring soon or already expired – ideal for certificates and contracts.

Audit trail by default

Download and preview log per document with timestamp, IP and user. Version history and approval log are included.

Features that hold up in audit

Eight technical capabilities that make document management audit-ready from day one.

Hierarchical folder structure

Unlimited folder levels organised by framework, department or process – with materialised paths for fast navigation.

Per-folder permissions

Visible to everyone, restricted to specific roles or individuals. Three access levels: read, upload, manage.

Full-text search

Search file name, display name and description. Filter by folder, category, status and date. Extracted text is stored for deeper search.

OCR for scanned documents

Images and scanned certificates are read via vision models (Claude/GPT-4o). Support for JPG, PNG, GIF, WEBP and BMP.

Framework and control extraction

The AI recognises frameworks (ISO 27001, GDPR and others) in policy documents and extracts which controls the document covers.

Multi-tenant isolation

Each customer has a dedicated database. Files are stored under a tenant-specific path – no risk of data crossover between customers.

Flexible storage

AWS S3, S3-compatible (Oderland, MinIO) or local disk. Whistleblower cases can use dedicated storage with separate permissions.

File integrity

SHA256 + MD5 checksums are computed on upload and validated on restore. Soft deletes with configurable retention.

Concrete use cases

Five situations document management is built for.

"We need to prove to the auditor which password policy applied in March."

Open the policy document, pick the Versions tab and download the version that was current in March. Timestamped, checksummed, done.

"Three vendor certificates expire next month."

The dashboard shows "Expiring soon" with 30/60/90-day warnings. Click to open the vendor and request a new certificate via a Kanban task.

"The new DPA needs legal approval before we start using the vendor."

Upload the DPA and mark "Send for approval". Legal gets a notification and approves with a comment. The whole chain is logged.

"The AI says this SOC 2 report covers the access control question."

On upload the AI analyses the content and shows a relevance score. 87/100 is green; 32/100 tells you straight away that the wrong document is attached.

"All HR policies should sit separately from the IT policies."

Create an HR folder with restricted visibility and invite the HR role. They see only their documents and cannot delete approved versions.

Why not just use SharePoint?

Securapilot's document management is not a separate DMS – it is part of the platform that runs your controls, risks and vendors.

Not SharePoint, Confluence or Box

Documents are linked to specific controls and risks, not just folders. The auditor clicks on a control and sees exactly which version of which document proves it.

Not Dropbox or OneDrive

Version history, checksums and approval flows are included from day one – not as a paid upgrade or plugin.

Not a separate GRC add-on

AI verification, evidence linking and expiry tracking are built in. No integrations to maintain.

EU-hosted

S3-compatible storage with European providers such as Oderland. No US cloud services required – your choice.

Common questions about document management

How large a file can I upload?

100 MB per file for resource attachments (linked to risks, controls and so on) and 50 MB for library documents. The limits can be adjusted per installation.

Are documents stored encrypted?

Encryption at rest is handled at the storage layer – for S3 via AWS KMS, or the equivalent at European providers. The SHA256/MD5 checksums secure file integrity, which is separate from encryption.

Can we connect to existing storage?

Yes. S3, S3-compatible (Oderland, MinIO) or local disk is configured per installation. If needed, separate disks can be used for different modules (for example dedicated storage for whistleblower cases).

How does AI verification work?

When a document is uploaded as evidence, the text is extracted (or read via OCR from an image). The content is analysed against the question or control the document is meant to prove. The result is a relevance score from 0 to 100 plus a summary of what the AI found.

What happens when a certificate expires?

The document is marked as expired in list views and notifications are sent in advance (configurable). The old document is not deleted automatically – it is archived for audit traceability.

Do you support digital signatures?

Approval flows with timestamp and approver are built in. For qualified e-signatures under eIDAS we connect to an external provider when needed.

Stop hunting for the right version

Book a demo and we'll show how document management links evidence directly to the right control – without SharePoint, without Excel, without losing traceability.
