DORA evidence pack

The Digital Operational Resilience Act (DORA) requires regulated financial entities to maintain ongoing evidence of ICT risk management, third-party risk, incident handling, and business continuity. Estokad assembles this evidence on demand as a downloadable archive.

What's in the pack

A .zip containing:

| Artifact | Format | Source |
|---|---|---|
| executive-summary.pdf | PDF | Generated overview, signed by tenant key |
| ict-risk-register.json | JSON | Risk register entries from /settings/compliance |
| third-party-register.json | JSON | Sub-processor list with EU jurisdiction status |
| incident-log.json | JSON | Audit chain entries tagged incident.* |
| bcp-test-results.json | JSON | Business continuity test logs |
| exit-plan.pdf | PDF | Generated from your sub-processor register and content schema |
| audit-chain-export.json | JSON | Full audit log for the period, with daily Merkle roots |
| residency-proofs/ | Dir of JSON | Daily signed attestations |
| manifest.json | JSON | SHA-256 of every other file, signed by Estokad's KMS-managed key |

Signing keys are tenant-specific, held in Estokad's KMS, and rotated monthly. Because manifest.json carries a SHA-256 digest of every other file and is itself signed, a regulator can recompute the digests and confirm that nothing in the pack was substituted after generation. Two practical consequences: a verifier needs the public key that was current when the pack was generated, not the key after a later rotation, and a file that is present in the archive but absent from the manifest is not covered by the signature and should be treated as untrusted.
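The following is an added example, not Estokad's code, showing the offline integrity check a regulator or auditor would run over a downloaded pack: every file listed in the manifest must be present with a matching SHA-256, and no file may exist in the archive that the manifest does not cover. The page does not document the manifest schema or the signature format, so the script assumes a hypothetical layout (`{"files": {path: hex_sha256}, "key_id": ..., "signature": ...}`), builds a constructed sample archive in memory, and leaves the signature check over manifest.json to whatever key material and format Estokad publishes for the tenant key.

```python
"""Offline integrity check of a DORA evidence pack against manifest.json.

Added example, not Estokad code. Assumes a hypothetical manifest layout:
    {"files": {"<path>": "<hex sha256>", ...}, "key_id": "...", "signature": "..."}
The real schema and signature format are not documented on the page; the
signature over the manifest is verified separately with the tenant public key.
"""
import hashlib
import io
import json
import zipfile

MANIFEST_NAME = "manifest.json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_pack(tamper: bool = False, extra: bool = False) -> bytes:
    """Constructed sample archive (not real Estokad output) for the check below."""
    files = {
        "executive-summary.pdf": b"%PDF-1.7 sample summary",
        "ict-risk-register.json": json.dumps([{"id": "R-1", "risk": "sample"}]).encode(),
        "residency-proofs/2024-01-01.json": json.dumps({"region": "eu-west-1"}).encode(),
    }
    manifest = {
        "files": {name: sha256_hex(body) for name, body in files.items()},
        "key_id": "tenant-key-2024-01",                 # hypothetical field
        "signature": "<signature over the files map>",  # hypothetical placeholder
    }
    if tamper:
        # Content changed after the manifest was produced: digest no longer matches.
        files["ict-risk-register.json"] = b"[]"
    if extra:
        # File planted in the archive that the signed manifest never covered.
        files["notes.txt"] = b"planted after generation"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest))
    return buf.getvalue()


def check_pack(zip_bytes: bytes) -> list[str]:
    """Return a list of problems; an empty list means the contents match the manifest."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
        # Refuse absolute or traversal paths before anything is extracted to disk.
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                problems.append(f"unsafe path in archive: {name}")
        if MANIFEST_NAME not in names:
            return problems + ["manifest.json missing"]
        manifest = json.loads(zf.read(MANIFEST_NAME))
        expected = manifest.get("files", {})
        present = set(names) - {MANIFEST_NAME}
        # Listed but absent: the pack is incomplete.
        for missing in sorted(set(expected) - present):
            problems.append(f"listed in manifest but absent: {missing}")
        # Present but unlisted: not covered by the signature, so not trustworthy.
        for unlisted in sorted(present - set(expected)):
            problems.append(f"not covered by manifest: {unlisted}")
        # Recompute every digest the manifest commits to.
        for name in sorted(present & set(expected)):
            if sha256_hex(zf.read(name)) != expected[name].lower():
                problems.append(f"hash mismatch: {name}")
    return problems


if __name__ == "__main__":
    for label, pack in (("clean", build_sample_pack()),
                        ("tampered", build_sample_pack(tamper=True)),
                        ("extra file", build_sample_pack(extra=True))):
        print(label, check_pack(pack) or "OK")
```

Run the hash check first and the signature check over manifest.json second; a clean digest table proves only that the archive matches the manifest, and the signature is what ties that manifest to the tenant key and the generation time.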

Generating the pack

Pack generation is asynchronous. Large workspaces can take more than 60 seconds because the audit chain export scans potentially millions of rows.

  1. Open /settings/compliance in the Studio.
  2. Click Generate DORA pack. The Studio kicks off a background job and shows a progress indicator.
  3. When the job finishes (typically 5–60 seconds, longer for large workspaces), a download link appears.

Job status is polled via /v1/<workspace>/management/jobs/dora-pack/<jobId>. The link to the generated archive is one-time-use and expires after 24 hours, so download the archive to durable storage on the first fetch and verify it against manifest.json before distributing it; re-generate if you need a new link.

Module gate

DORA pack generation requires the dora_pack module (€399 / mo) or one of the Regulated, Enterprise, or Sovereign presets. Without it, the Generate button shows an upgrade nudge.

What's not automated

Two things require human input:

  • Risk register entries — you maintain the list of identified risks and mitigations in /settings/compliance/risk-register. We can generate the form fields and remind you to review quarterly; we cannot fabricate the content.
  • Business continuity test results — you upload these as JSON when you run a test. We persist them, sign them into the chain, and include them in every subsequent pack.

The rest assembles automatically from your audit chain, sub-processor register, and residency proofs.