DORA Article 28 vendor evidence

File-transfer vendor checklist for Article 28 reviews.

Use this checklist to prepare the file-transfer evidence buyers and risk teams ask for before renewing, replacing, or approving an ICT third-party provider.

Register fields to collect

Provider legal name, service owner, contract owner, and renewal date

Business process, criticality, data class, counterparties, and countries involved

Supported protocols, storage paths, identity source, MFA coverage, and admin model

Subcontractors, hosting locations, encryption ownership, and audit-log retention

Exit path, recovery owner, evidence export method, and incident notification route

Four questions before renewal

Article 28 conversations move faster when the file-transfer stack is documented as an operating service with owners, controls, evidence, and an exit path.

Can the team prove what service is being used?

A file-transfer provider should be mapped to the business process it supports, not only to a server name or invoice line.

Can the team prove who has access?

Reviewers usually need evidence of SSO, MFA, role scope, partner access, emergency removal, and admin activity.

Can the team prove how data moves?

Protocol, storage location, encryption, scanning, retention, and transfer status need to be readable by security and operations.

Can the team leave the provider?

Exit plans need exports, alternate routes, key contacts, retained logs, and a realistic migration sequence for critical workflows.

Evidence that makes xEvolve easier to review.

xEvolve is positioned for regulated file exchange where the buyer needs transfer evidence, access-control evidence, data-location clarity, and a practical exit path.

Owner mapping

Track counterparties, transfer purpose, protocol, schedule, data class, and internal owner.

Access evidence

Use Entra ID SSO, MFA, scoped rooms, roles, and auditable admin actions.

Operational evidence

Export evidence of uploads, downloads, approvals, failed authentications, file scanning, and retention.

Exit planning

Prove how to export evidence, move flows, and keep critical partners operating.

Red flags to fix first

Shared admin accounts or partner accounts without SSO and MFA

No central owner for critical scheduled transfers

Audit evidence spread across server logs, tickets, and spreadsheets

Subprocessor, data-location, and retention details unknown at renewal time

No tested path to export evidence and move the workflow to another provider

This checklist is a sales and security-review aid. It is not legal advice or a compliance certificate.
