Skip to main content
An evidence pack is a structured collection of documents that answers the buyer’s risk, security, compliance, and commercial questions before a purchase decision is made. In regulated markets — banking, insurance, government, healthcare — procurement cannot approve a vendor until the evidence pack is complete. No evidence pack, no contract. Most startups build evidence packs reactively — scrambling to produce documents after a buyer requests them. This adds months to the sales cycle and signals immaturity. Companies that maintain a ready evidence pack before outreach close faster because the buyer’s internal gatekeepers can proceed without waiting.

Why do enterprise buyers need evidence packs?

Enterprise and regulated buyers do not buy from vendors. They approve vendors through an internal assurance process and then buy from approved vendors. The assurance process exists to protect the buying organisation from five categories of risk:
Risk categoryWhat the buyer is protecting againstEvidence required
Security riskData breach, system compromise, unauthorised accessPenetration test reports, ISO 27001 or SOC 2 certification, security architecture diagram
Data riskMishandling personal or sensitive data, GDPR breachData processing agreement, data flow diagram, retention and deletion policies
Financial riskVendor insolvency, inability to deliverFiled accounts, funding history, insurance certificates (PI, cyber, public liability)
Operational riskService failure, downtime, performance degradationSLAs, uptime history, disaster recovery plan, incident response procedure
Regulatory riskNon-compliance with sector-specific regulationRegulatory registrations (FCA, ICO), compliance certifications, AML/KYC policies
The business sponsor — the person who wants to buy — cannot override these requirements. Even a CEO champion at the buying organisation must wait for the risk and assurance team to approve. The vendor risk and assurance process runs in parallel to the commercial conversation, and it has veto power.

What goes in an evidence pack?

An evidence pack has three layers, each used at a different stage of the buyer’s procurement process.

Layer 1: Qualification evidence (used at first contact)

Shared proactively during the first meeting to demonstrate readiness and accelerate internal triage.
  • Company overview. One page. What you do, who for, how long you have been operating, team size, funding status.
  • Security certifications. ISO 27001, SOC 2, Cyber Essentials Plus — whichever are relevant and current.
  • Key reference clients. Named clients with permission, or characterised references (e.g. “UK tier-1 bank, live since 2023”).
  • Regulatory registrations. FCA registration number, ICO registration, any sector-specific authorisations.

Layer 2: Assurance evidence (used during vendor risk review)

Submitted when the buyer’s risk team begins their formal assessment. This is typically triggered after a successful pilot or proof of value.
  • Penetration test report. External, recent (within 12 months), covering the systems the buyer will use.
  • Data processing agreement (DPA). Pre-drafted, GDPR-compliant, ready for the buyer’s legal team to review.
  • Data flow diagram. Shows where data enters, where it is processed, where it is stored, and who can access it.
  • Security architecture overview. Infrastructure diagram showing hosting environment, encryption, access controls, network segmentation.
  • Business continuity and disaster recovery plan. Documented procedures for maintaining or restoring service.
  • Insurance certificates. Professional indemnity, cyber liability, public liability — with coverage amounts.

Layer 3: Commercial evidence (used during contract negotiation)

Shared during the commercial and legal negotiation phase.
  • Standard contract terms. Pre-drafted terms that accelerate negotiation.
  • SLA definitions. Uptime commitments, response times, escalation procedures.
  • Pricing model documentation. Clear description of how pricing works, what is included, and what is additional.
  • Case studies with measurable outcomes. Not testimonials — documented results from named or characterised clients with specific metrics.

How should a startup build an evidence pack?

The Evidence Pack Builder framework provides a step-by-step method. The summary:
  1. Audit existing evidence. List what you already have. Most companies have more documentation than they realise — it is just scattered across Google Drive, Notion, and email attachments.
  2. Map against buyer requirements. Take a vendor onboarding questionnaire from a previous engagement (or request one from a target buyer) and map each question to your existing evidence. Identify gaps.
  3. Close critical gaps first. Prioritise: security certifications, penetration tests, and data processing agreements. These are the most common blockers and the longest to obtain.
  4. Package by layer. Organise the pack into the three layers above. The buyer’s champion needs Layer 1 at the first meeting. Dumping all three layers at once overwhelms.
  5. Version and assign ownership. Each document should have an owner, a version number, and a review date. A penetration test from 18 months ago is expired. Filed accounts from two years ago are stale.
  6. Maintain continuously. The evidence pack is a living artefact. Update it after every engagement, every certification renewal, and every significant product change.

How does the evidence pack interact with the sales timeline?

In a typical enterprise or bank sales process (6 to 18 months), the evidence pack touches every stage:
  • Month 1: Share Layer 1 proactively. This signals maturity and allows the buyer’s champion to begin internal triage immediately.
  • Months 2-4: Submit Layer 2 when the risk team begins formal assessment. If the evidence pack is ready, this phase takes weeks. If it is not, it takes months.
  • Months 4-6: Share Layer 3 during commercial negotiation. Pre-drafted contracts and clear pricing accelerate legal review.
The critical insight: the evidence pack does not just satisfy the assurance team. It makes the business sponsor’s job easier. An internal champion at a bank who can attach a complete evidence pack to their internal approval request will get faster decisions than one who has to chase the vendor for documents. See commercial sequencing for how the evidence pack fits into the broader GTM sequence.

What is a Proof Library?

A Proof Library is a compounding evidence system introduced in the Lessons from a Fintech series. Where an evidence pack is assembled for a specific buyer engagement, a Proof Library is an organisation-wide asset that grows with every sales cycle, pilot, and customer interaction. The Proof Library captures four types of reusable evidence:
Evidence typeExampleWhen it compounds
Security and compliance docsPen test reports, ISO certificates, data flow diagramsUpdated annually; reused across every buyer engagement
Outcome metrics”Processing time reduced from 48 hours to 4 minutes across 50,000 applications”Each pilot or production deployment adds new metrics
Reference casesNamed or characterised clients with specific, measurable resultsEach successful engagement creates a new reference
Regulatory documentationFCA authorisation evidence, Consumer Duty compliance recordsUpdated with each regulatory change; reused across buyers
The compounding effect means that each sales engagement becomes easier than the last. A startup with a mature Proof Library can respond to a 200-question vendor questionnaire in days rather than weeks because the answers already exist, are versioned, and are evidenced. The weekly operating cadence includes “Friday Truth Day” — a structured weekly review that explicitly adds to the Proof Library by capturing new evidence, updating metrics, and logging decisions.

Common mistakes

  • Building the evidence pack after the buyer asks. Reactive evidence assembly adds 2 to 6 months to the sales cycle. Build proactively.
  • Using testimonials instead of case studies. “Great product, love working with them” is a testimonial. “Income verification processing time reduced from 48 hours to 4 minutes, with 99.2% accuracy across 50,000 applications” is a case study. Buyers need the second.
  • Letting certifications expire. An expired ISO 27001 certificate is worse than not having one. It signals that security was a priority once but is not now.
  • Sending everything at once. A 200-page evidence pack sent at the first meeting overwhelms the buyer. Layer the evidence to match the procurement stage.
  • No version control. Documents without version numbers, owners, and review dates signal disorganisation. Use a simple version log.
  • Assuming one evidence pack fits all buyers. The core pack is reusable, but each buyer has specific requirements. Maintain a master pack and adapt per engagement.
  • Treating the evidence pack as a sales tool. It is not a pitch deck. It is a trust artefact. Keep it factual, structured, and free of marketing language.

Key takeaways

  • An evidence pack is the minimum requirement for enterprise and regulated procurement. No evidence pack, no contract.
  • Three layers: qualification evidence (first meeting), assurance evidence (risk review), commercial evidence (contract negotiation). Share each at the right stage.
  • Build the evidence pack before outreach, not after the buyer asks. Proactive evidence assembly compresses the sales timeline by months.
  • Each document needs an owner, a version number, and a review date. Expired evidence is worse than no evidence.
  • The evidence pack makes the buyer’s champion more effective. It gives them the ammunition to advocate internally.