Assurance and procurement packs

Use Assurance and procurement packs to assemble customer-reviewed report evidence, diagnostics, checklists and open gaps for SaaS buyer review without certification claims.

Business owners, agencies, procurement and security reviewers

Feature availability

Product, package, provider and deployment boundaries for this page.

Available from: Current documentation
Providers: browser-extension, wordpress, woocommerce, shopify
Deployment modes: cloud, self-hosted

Before building a procurement pack

Use this page when a customer needs a buyer-facing pack of existing WebRiskOps technical evidence. A procurement pack should organize approved reports, scan artifacts, diagnostics, checklist notes and open gaps; it should not invent answers or present certification claims.

  • Open the procurement evidence pack
  • Start from a customer-approved report, current evidence and explicit external-sharing approval.
  • Keep unanswered buyer questions visible as gaps instead of filling them with unsupported wording.
  • Stop when `ASSURANCE_PACK_INCOMPLETE`, `ASSURANCE_EVIDENCE_MISSING`, `ASSURANCE_BOUNDARY_REQUIRED` or `REPORT_PUBLICATION_BLOCKED` applies.

Build and review the evidence pack

Follow the path `SaaS procurement pack → Report evidence → Pack contents → Open gaps → Customer review → Share, export or stop`.

  1. Open `/saas-procurement-pack` and review the pack deliverables before choosing the pack path. Result: Evidence checklist, Security hygiene report, Questionnaire draft, Open-gap register and Refresh proposal are visible as bounded outputs.
  2. Open `/reports/{report}` for the current customer-approved scan report. Result: the procurement pack starts from the selected account, project, report, scan dates, findings and evidence artifacts.
  3. Check `assurance_pack_status`, `evidence_pack_id`, `reviewer_package_status` and `missing_evidence_count`. Result: customers see whether the pack is ready, incomplete or blocked before sharing.
  4. Add current report summary, relevant findings, scan dates, screenshots, HTML artifacts, browser extension evidence and CMS or Shopify diagnostics that are approved for external review. Result: each buyer-facing item traces back to product evidence.
  5. Review `evidence_checklist_status` and mark unavailable or outdated items as open gaps. Result: missing scans, diagnostics, retests or customer-owned policies stay visible instead of becoming unsupported claims.
  6. Review `questionnaire_draft_status` and `customer_review_required` before exporting answer text. Result: questionnaire notes stay customer-owned and editable before a buyer sees them.
  7. Confirm boundary wording before export. Result: the pack is framed as technical support material, not an audit opinion, attestation, certification or buyer acceptance promise.
  8. If `missing_evidence_count` is greater than zero, route the gap to the automated scan, diagnostic, retest or customer-document workflow that can produce it. Result: `ASSURANCE_EVIDENCE_MISSING` remains visible until evidence exists.
  9. Share or export only when `publication_status` and `reviewer_package_status` are ready. Result: `REPORT_PUBLICATION_BLOCKED` stops private, outdated or unapproved evidence from leaving the product.
  10. Continue to SOC 2 and ISO evidence checklists or Non-certification boundaries after the pack is ready. Result: checklist mapping and external wording stay inside the documented assurance boundary.

Evidence pack contents

A ready procurement pack should show exactly which evidence is included and where it came from.

  • Evidence checklist maps current reports, scan dates, issue evidence, screenshots, HTML artifacts, diagnostics and customer-owned documents to buyer questions.
  • Security hygiene report summarizes observable technical signals, remediation notes and report evidence that the customer has approved for sharing.
  • Questionnaire draft turns available evidence into editable customer-owned response notes, with unknown answers left as gaps.
  • Open-gap register lists missing scans, diagnostics, retests, policies, ownership decisions or stale artifacts that block the pack from being complete.
  • Refresh proposal explains how updated scans, diagnostics and change notes can keep the pack current for future buyer review.

Evidence and claims the pack must exclude

Procurement packs should stay tied to observed evidence and customer-owned statements.

  • Exclude private report artifacts, out-of-scope pages, unredacted screenshots, raw credentials, provider secrets, customer records and personal data.
  • Exclude unsupported questionnaire answers, buyer acceptance promises, audit opinions, attestations, certification claims and outdated evidence.
  • Do not mark an unknown answer as ready. Keep the missing item in the open-gap register until the customer supplies evidence or the product workflow produces it.
  • Do not share a pack when `publication_status` is blocked, the report is private, evidence is stale or customer responsibility has not been confirmed.

Ready and blocked procurement pack states

Use these states before sharing a buyer-facing pack.

  • Procurement pack ready means `ASSURANCE_PACK_READY`, `assurance_pack_status`, `reviewer_package_status` and `publication_status` confirm the pack can be shared.
  • Pack incomplete means `ASSURANCE_PACK_INCOMPLETE` or a nonzero `missing_evidence_count` leaves open gaps for scans, diagnostics, policies or customer-owned evidence.
  • Evidence missing means `ASSURANCE_EVIDENCE_MISSING` routes the customer to the workflow that can produce the missing artifact.
  • Boundary required means `ASSURANCE_BOUNDARY_REQUIRED` blocks wording that sounds like attestation, certification, buyer approval or unsupported assurance.
  • Publication blocked means `REPORT_PUBLICATION_BLOCKED` keeps private, stale, unapproved or unsafe evidence from leaving WebRiskOps.
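The states above and the build steps can be checked in one pass before export. The following is an added example, not WebRiskOps code: the field names and stop codes are the ones on this page, while the record layout, the `ready` value, the `questionnaire` list and the wording pattern are assumptions made for illustration.

```python
import re

READY = "ready"  # assumed status value; the page names the state, not its encoding
# Assumed wording filter for the boundary check, using terms from the page's exclusions.
BOUNDARY_TERMS = re.compile(
    r"\b(certifi(?:ed|cation)|attest(?:ed|ation)|audit opinion)\b", re.I)

def review_pack(pack):
    """Return (stop_codes, open_gaps); share only when stop_codes is empty."""
    gaps, codes = [], []
    for item in pack.get("questionnaire", []):
        # An answer with no evidence reference is a gap, never a ready answer.
        if not item.get("evidence_ids"):
            gaps.append(item.get("question"))
        if BOUNDARY_TERMS.search(item.get("answer") or "") and not codes:
            codes.append("ASSURANCE_BOUNDARY_REQUIRED")
    # Fail closed: use the larger of the reported count and the gaps found here,
    # and treat an absent or non-integer count as one missing item.
    reported = pack.get("missing_evidence_count")
    missing = max(len(gaps), reported if isinstance(reported, int) else 1)
    if missing > 0:
        codes += ["ASSURANCE_EVIDENCE_MISSING", "ASSURANCE_PACK_INCOMPLETE"]
    elif pack.get("assurance_pack_status") != READY:
        codes.append("ASSURANCE_PACK_INCOMPLETE")
    # A missing status field is treated the same as a blocked one.
    if any(pack.get(f) != READY
           for f in ("publication_status", "reviewer_package_status")):
        codes.append("REPORT_PUBLICATION_BLOCKED")
    return codes, gaps

# Constructed sample record; not real product output.
SAMPLE = {
    "assurance_pack_status": "incomplete",
    "reviewer_package_status": "ready",
    "publication_status": "ready",
    "missing_evidence_count": 0,
    "questionnaire": [
        {"question": "Is HTTPS enforced on the storefront?",
         "answer": "The current scan shows an HTTPS redirect on all crawled pages.",
         "evidence_ids": ["scan-artifact-1"]},
        {"question": "Do you hold a SOC 2 report?",
         "answer": "Yes, we are SOC 2 certified.", "evidence_ids": []},
    ],
}
```

In the sample, the second answer has no evidence behind it and uses certification wording, so it lands in the open-gap list and raises the boundary code even though the reported `missing_evidence_count` is zero.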

Continue after the pack is reviewed

When the pack is ready, continue to SOC 2 and ISO evidence checklists for control mapping or Non-certification boundaries for external wording. Use Public reports or PDF and print export only after `publication_status` is ready, and use Customer responsibilities plus Data collected and excluded when the customer needs to confirm authorization, sharing approval or evidence boundaries before export.
