Exports and Auditor Access

Overview

Regulators, customers, and notified bodies often ask for immutable evidence: what risk tier you assigned, what Annex IV documentation existed on a date, and what monitoring covered. Aikraft combines versioned documentation, PDF export, and scoped read-only auditor access so you can respond without forwarding living documents by email.


Annex IV PDF export

Available on Starter and above for systems classified as high-risk.

  1. Open the system → Document tab.
  2. Ensure at least one version is Published (not draft).
  3. Click Export PDF.

The export includes:

  • Cover sheet with system name, version, and export timestamp
  • Classification summary and Annex III mapping
  • All eight Annex IV sections as rendered in the editor
  • Change log appendix for published versions included in the bundle

Exports are watermarked with organisation ID and user email. Large annexes may take up to 60 seconds; you will receive an in-app notification when ready.


Classification report

For any classified system, Classify → Export report produces a shorter PDF focused on:

  • Questionnaire answers (with reviewer notes)
  • Rule trace summarising why the tier was assigned
  • Optional comparison if you re-ran classification after a material change

Use this for board packs or procurement diligence where full Annex IV is not required.


Version snapshots

Every publish action on documentation creates an immutable snapshot. Snapshots:

  • Cannot be edited (only superseded by a later publish)
  • Retain the user who published and the optional approval reference
  • Appear in the History drawer with diff summaries between versions

Enterprise customers can configure legal hold to prevent deletion of snapshots for systems under investigation.


Auditor read-only access

Grant an external reviewer the Auditor (read-only) permission to open a subset of the Aikraft UI:

  • Published classification and documentation only (drafts hidden unless you explicitly include them)
  • Monitoring incident list if you toggle Include monitoring summary
  • No access to billing, team settings, or other systems

Grant access

  1. Settings → Team → Invite member
  2. Enter the reviewer’s email and select the Auditor (read-only) permission
  3. Scope the access to one or more systems

The Auditor permission does not consume a paid seat. Revoke access instantly by removing the member. All auditor page views are written to the audit log.


API and automation

Programmatic export uses GET /v1/systems/{id}/exports/annex-iv (see API Reference). Responses return a download URL valid for 15 minutes. Pair with your GRC tool or document management system if you need scheduled archival.
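
One way to wire the export endpoint above into scheduled archival, as an added example (not Aikraft's own code): it downloads the PDF inside the 15-minute window, never forwards the API token to the download host, and stores the file write-once beside a SHA-256 manifest. The host `aikraft.example`, bearer-token authentication, and the `download_url` response field are assumptions; take the real values from the API Reference.

```python
import hashlib
import json
import time
import urllib.request
from pathlib import Path

BASE_URL = "https://aikraft.example"  # assumption: placeholder API host
URL_TTL = 15 * 60                     # page: download URL is valid for 15 minutes


def http_get(url, token=None):
    """Default fetcher. Bearer-token auth is an assumption, not from the page."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=90) as resp:
        return resp.read()


def archive_annex_iv(system_id, token, dest, fetch=http_get, clock=time.time):
    """Request an export, download it before the URL expires, and store the
    PDF write-once next to a manifest holding its SHA-256."""
    started = clock()
    api_url = f"{BASE_URL}/v1/systems/{system_id}/exports/annex-iv"
    meta = json.loads(fetch(api_url, token))
    url = meta["download_url"]  # assumption: response field name
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download URL")
    # A fetcher that queues or retries must not reuse a stale URL.
    if clock() - started >= URL_TTL:
        raise TimeoutError("download URL expired; request a new export")
    pdf = fetch(url, None)  # the API token is never sent to the download host
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("download is not a PDF; nothing archived")
    digest = hashlib.sha256(pdf).hexdigest()
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(started))
    base = Path(dest) / f"{system_id}-annex-iv-{stamp}"
    # Mode "x" fails if the file exists, so archived evidence is never overwritten.
    with open(f"{base}.pdf", "xb") as f:
        f.write(pdf)
    manifest = {"system_id": system_id, "requested_at": stamp,
                "sha256": digest, "bytes": len(pdf)}  # URL deliberately omitted
    with open(f"{base}.json", "x") as f:
        json.dump(manifest, f, indent=2)
    return manifest
```

The manifest records the hash and size but not the download URL, which works as a short-lived credential and should stay out of logs and archives.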


Good practice

  • Export after each material model or policy change, not only annually.
  • Store PDFs in your records repository with the same retention category as underlying personal data.
  • Grant the Auditor (read-only) permission instead of forwarding Google Docs — you retain control and an evidence trail.