Exports and Auditor Access
Overview
Regulators, customers, and notified bodies often ask for immutable evidence: what risk tier you assigned, what Annex IV documentation existed on a given date, and what your monitoring covered. Aikraft combines versioned documentation, PDF export, and scoped read-only auditor access so you can respond without forwarding living documents by email.
Annex IV PDF export
Available on Starter and above for systems classified as high-risk.
- Open the system → Document tab.
- Ensure at least one version is Published (not draft).
- Click Export PDF.
The export includes:
- Cover sheet with system name, version, and export timestamp
- Classification summary and Annex III mapping
- All eight Annex IV sections as rendered in the editor
- Change log appendix for published versions included in the bundle
Exports are watermarked with organisation ID and user email. Large annexes may take up to 60 seconds; you will receive an in-app notification when the export is ready.
Classification report
For any classified system, Classify → Export report produces a shorter PDF focused on:
- Questionnaire answers (with reviewer notes)
- Rule trace summarising why the tier was assigned
- Optional comparison if you re-ran classification after a material change
Use this for board packs or procurement diligence where full Annex IV is not required.
Version snapshots
Every publish action on documentation creates an immutable snapshot. Snapshots:
- Cannot be edited (only superseded by a later publish)
- Retain the user who published and the optional approval reference
- Appear in the History drawer with diff summaries between versions
Enterprise customers can configure legal hold to prevent deletion of snapshots for systems under investigation.
Auditor read-only access
Grant an external reviewer the Auditor (read-only) permission to open a subset of the Aikraft UI:
- Published classification and documentation only (drafts hidden unless you explicitly include them)
- Monitoring incident list if you toggle Include monitoring summary
- No access to billing, team settings, or other systems
Grant access
- Settings → Team → Invite member
- Enter the reviewer’s email and select the Auditor (read-only) permission
- Scope the access to one or more systems
The Auditor permission does not consume a paid seat. Revoke access instantly by removing the member. All auditor page views are written to the audit log.
API and automation
Programmatic export uses GET /v1/systems/{id}/exports/annex-iv (see API Reference). Responses return a download URL valid for 15 minutes. Pair with your GRC tool or document management system if you need scheduled archival.
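As an added example (not Aikraft's own code), a scheduled archival job for the export endpoint above could file each PDF with a SHA-256 manifest so that later alteration or loss of the stored evidence is detectable. The `download_url` field name and the caller-supplied `api_get` and `download` transport functions are assumptions; authentication and the base URL are left to those functions.

```python
import hashlib
import json
import time
from pathlib import Path

EXPORT_PATH = "/v1/systems/{id}/exports/annex-iv"  # endpoint named on this page
URL_TTL_SECONDS = 15 * 60                          # download URL validity per this page


def archive_export(system_id, api_get, download, archive_dir, now=time.time):
    """Fetch one Annex IV export and file it with a SHA-256 manifest entry.
    api_get(path) -> dict and download(url) -> bytes are caller-supplied
    (hypothetical) transport functions, so auth and base URL stay outside.
    """
    requested = now()
    reply = api_get(EXPORT_PATH.format(id=system_id))
    url = reply["download_url"]  # ASSUMED field name; check the API Reference
    if now() - requested >= URL_TTL_SECONDS:
        raise TimeoutError("download URL expired; request a fresh export")
    pdf = download(url)
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("response is not a PDF (error page or expired link?)")

    digest = hashlib.sha256(pdf).hexdigest()
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    target = archive_dir / f"{system_id}-{digest[:16]}.pdf"
    if not target.exists():
        with open(target, "xb") as fh:  # "x": never overwrite archived evidence
            fh.write(pdf)
    # The short-lived URL is deliberately not recorded in the manifest.
    entry = {"system_id": system_id, "file": target.name, "sha256": digest,
             "size": len(pdf), "archived_at": int(requested)}
    with open(archive_dir / "manifest.jsonl", "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_archive(archive_dir):
    """Re-hash every archived file; return names that are missing or altered."""
    archive_dir = Path(archive_dir)
    bad = []
    for line in (archive_dir / "manifest.jsonl").read_text("utf-8").splitlines():
        entry = json.loads(line)
        path = archive_dir / entry["file"]
        if not path.is_file() or \
                hashlib.sha256(path.read_bytes()).hexdigest() != entry["sha256"]:
            bad.append(entry["file"])
    return bad
```

Run `verify_archive` on a schedule as well; for stronger guarantees keep the manifest on separate write-once storage from the PDFs.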
Good practice
- Export after each material model or policy change, not only annually.
- Store PDFs in your records repository with the same retention category as underlying personal data.
- Grant the Auditor (read-only) permission instead of forwarding Google Docs — you retain control and an evidence trail.