SOC 2 & ISO 27001 audit evidence,
from Jira and Confluence.

EvidencePack indexes the issues and pages you already use, identifies missing or stale evidence, and exports an auditor-ready pack — without storing data outside your Atlassian tenant.

Try on Atlassian Marketplace Read the docs

Starter mappings included

Eight SOC 2 (CC1.1–CC9.2) and eight ISO 27001 (Annex A) controls ship in the box, ready to map to your Jira and Confluence sources.

Built on Forge

Runs entirely inside Atlassian. No external servers, no LLMs, no data egress. Eligible for the “Runs on Atlassian” trust badge.

Metadata only

Stores titles, statuses, authors, freshness — never issue descriptions or page bodies. Auditors follow source URLs back to Atlassian for content.

Three export formats

JSON for tooling, CSV for spreadsheets, Markdown for human readers. Each evidence item links back to its Jira or Confluence source.

Remediation built in

Click once on any control with missing or stale evidence to open a tracking Jira issue, pre-filled with the control description and warnings.

Privacy-first by design

Five least-privilege scopes. Zero sub-processors. Zero analytics. Uninstall removes all data automatically.

EvidencePack helps you collect and organise evidence relevant to SOC 2 and ISO 27001 audits in Jira and Confluence. It does not certify your organisation as compliant. Certification requires an independent third-party audit and controls that extend beyond Atlassian. SOC 2 is a service mark of the AICPA; ISO 27001 is a standard of the International Organization for Standardization. EvidencePack is not affiliated with or endorsed by either organisation.