          Considerations for Evidence Artifacts in IT Compliance

          Understand how artifact statuses work, when artifacts lock, which file types are supported, and what classification levels mean, so you can manage compliance evidence accurately and securely.

          Required Editions

          Available in: Lightning Experience
          Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service.

          Artifact status lifecycle

          Evidence artifacts move through a defined status lifecycle from creation to verification. Each status transition signals who is responsible for the next action and controls whether the artifact can be edited.

          | Status | Who sets it | What it means | Next step |
          | --- | --- | --- | --- |
          | Draft | Fulfiller | Artifact created, files are being gathered. The artifact is editable. | Upload files and change status to Submitted. |
          | Submitted | Fulfiller | Artifact and files are ready for compliance review. | Reviewer inspects the artifact and sets status to Verified - Accepted or Verified - Rejected. |
          | Verified - Accepted | Compliance Reviewer | Artifact meets requirements. The artifact record and all attached files lock and become read-only. | Evidence request can be marked Accepted once all artifacts are verified. |
          | Verified - Rejected | Compliance Reviewer | Artifact is incomplete or incorrect. Reviewer fills in the Observation Statement with feedback explaining what's wrong. | Fulfiller receives feedback, corrects the issue, and creates a new artifact or resubmits. |

          When artifacts lock

          Artifacts with status Verified - Accepted are read-only. Once an artifact is accepted:

          • The artifact's fields can't be edited.
          • Files can't be added to or removed from the artifact.
          • Downloads are restricted by default. To allow authorized users to download artifact files from the evidence previewer, turn on the Turn On Evidence Artifact Download from Evidence Viewer setting in Salesforce Go.

          If a verified artifact later turns out to be incorrect or needs to be replaced—for example, because the underlying source system data was reissued—create a new artifact and link it to the request rather than editing the locked record. The original verified artifact stays on the request as part of the audit history.

          Supported file types

          The evidence artifact previewer renders the following file formats inline:

          • PDFs
          • Images (PNG, JPG, GIF)
          • Video files (MP4, MOV)

          For office documents (DOCX, XLSX, PPTX) and other formats not rendered inline, attach the file to the artifact so that reviewers can download it for offline review. To attach files stored in external sources like Google Drive, OneDrive, or SharePoint, set up Salesforce Files Connect for your org.

          For evidence that doesn't have a file—such as a written attestation or narrative explanation—use the Artifact Text field on the artifact record instead of uploading a document.

          Classification levels

          The Classification field on the evidence artifact signals to reviewers and auditors how sensitive the artifact is and how it should be handled. Classification is a label that guides proper handling—it doesn't change system permissions or access controls. Apply your org's data protection policies based on the classification.

          | Classification | Use when | Handling guidance |
          | --- | --- | --- |
          | Internal | Evidence is for internal use only and doesn't contain sensitive or regulated data. | Standard org access controls apply. No special handling required. |
          | Confidential | Evidence contains business-sensitive data like financial information, strategic plans, or proprietary technical details. | Restrict sharing to the compliance team. Don't distribute outside the org without approval. |
          | Restricted | Evidence contains personally identifiable information (PII), protected health information (PHI), payment card data, or other highly sensitive regulated data. | Apply strict access controls per your org's data protection policies. Audit access regularly. |

          Linking versus creating artifacts

          If the same piece of evidence satisfies multiple evidence requests—for example, a quarterly user access review artifact that applies to both a compliance audit review and an internal governance audit—link the existing artifact to all relevant requests instead of creating duplicates.

          Linking keeps one source of truth and reduces storage overhead. When you link an artifact, it appears on each request's Artifacts tab, and any verification status changes to the artifact are reflected across all linked requests. Removing a link from one request doesn't affect the artifact's linkage to other requests.

          Artifact deduplication

          Evidence Management doesn't automatically deduplicate files. If two fulfillers upload the same log file to different artifact records, both copies are stored separately. To prevent this, use the linking workflow: create the artifact once and link it to all requests that need it.

           