Ankos
Ankos Ledger

Share with QSA

Send your evidence package directly to your QSA over a secure, time-limited link — no email attachments, no forwarding.

When your cycle is ready for review, the easiest way to hand it to your QSA is Share with QSA. Ankos prepares the same evidence package as a download-export and sends a secure link directly to the QSA's email. You don't email a ZIP, the QSA never holds anything besides the link, and you can revoke access at any time.

Share with QSA is available on the Team plan and above. The free CLI produces local reports only.

When to use Share with QSA vs. download

Both produce the same evidence package. The difference is delivery:

Share with QSADownload Export
Where the bytes liveOn Ankos, behind a TLS linkOn your machine, then wherever you send them
Who delivers itAnkos (branded email to the QSA)You (manual email or upload)
Revoke after sendingYes, any timeNo — the file is already with the recipient
Expiry7 daysNone — the file lives wherever you put it
Audit trail"Shared", "opened", "revoked" events"Exported" only

The download path still exists — use it for internal review, board reports, or any case where you want a local copy. Use Share for handing off to the QSA.

How to share

From the cycle detail page, click Share with QSA. You'll be asked for:

  • QSA email — where the share link is delivered
  • Message (optional) — a short note that appears in the email
  • Entry states to include — defaults to the same set as the regular export (collected, uploaded, carried forward, N/A with justification)

Click Send share link. Ankos:

  1. Records the share in the Active shares list on the cycle page
  2. Starts preparing the package (same pipeline as a regular export)
  3. Sends the QSA a branded email with a download link

The email goes out immediately — the QSA can open it right away. If the package is still preparing when they click, they see a "preparing" page that auto-refreshes when it's ready. No "refreshed too early and got nothing" failure mode.

What the QSA sees

The QSA opens the link and lands on a clean download page hosted by Ankos:

  • Your organization name and the cycle ID
  • Who sent the share (your name + email)
  • Your optional message
  • A Download evidence package button
  • A summary of file count, total size, and link expiration date

No login required for the QSA. The link is the credential — same pattern as a Stripe hosted-invoice page or a DocuSign envelope.

What's in the package

Exactly the same contents as the regular export — see Evidence Export for the full breakdown. In short:

  • One folder per category
  • Standardized filenames (<ENTRY-ID>-<slug>.<ext>)
  • A summary PDF with cycle metadata + per-entry status
  • manifest.json with SHA-256 hashes for every file
  • README.txt orienting the QSA to the structure

Because the QSA downloads directly from Ankos over TLS, the integrity manifest doubles as a tamper-evidence record: the bytes the QSA receives are the bytes Ankos packaged. No intermediate handling.

Active shares + revoke

The Active shares panel on the cycle detail page lists every live share for that cycle:

  • QSA email it was sent to
  • Status: Preparing, Ready, or Failed
  • Whether the QSA has opened it yet
  • Days remaining before the link expires
  • Revoke action

Revoke immediately invalidates the link — the next time the QSA opens it, they see a "this link has been revoked" page asking them to contact the sender for a fresh one. Revocation is logical only; the underlying file stays in Ankos storage for the audit trail.

Use revoke when:

  • You sent the link to the wrong email address
  • You uploaded new evidence and want the QSA to use the latest package
  • The engagement ended and you want to close out access

Expiration

Share links automatically expire 7 days after creation. Expired links show the same "link expired" page the QSA sees after revocation, with the same recovery path (ask the sender for a new link).

If your QSA needs longer access, send a fresh share — there's no cap on how many shares you can create per cycle.

Audit trail

Every share emits audit events visible in the cycle's audit trail:

  • Shared — when the share is created (records the QSA email)
  • Downloaded — the first time the QSA successfully opens the package
  • Revoked — when an admin revokes the share

These events sit alongside sign-offs, state changes, and evidence uploads in the cycle's full activity history.

Ankos prepares the case

The share link delivers the package the same way the download export does — organized, annotated, and ready for review. The final compliance determination is made by your QSA. Ankos gathers and structures the evidence; the assessor's findings are theirs to issue.

Next steps

Evidence Export

Download the same package as a ZIP for internal review.

Sign-off

Readiness gates before you share.

Carry-forward

How reused evidence is presented to the QSA.

Evidence Export

Export your cycle as a QSA-ready ZIP package — organized by category with consistent file naming, a summary PDF, and integrity hashes.

Settings

Profile, organization, billing, categories, notifications, and password management.

On this page

When to use Share with QSA vs. downloadHow to shareWhat the QSA seesWhat's in the packageActive shares + revokeExpirationAudit trailAnkos prepares the caseNext steps