By Yair Knijn · March 3, 2026
The director who couldn't switch web-filtering vendors because his audit evidence was trapped inside the old one
He ran the bake-off, scored detection quality, pushed the price down, and signed. The question the evaluation team never raised was how the data comes back out. Three years on, with a cheaper competitor quoting and a board that wanted the move, the answer arrived: his policies, his exception list, and every block decision the SOC had ever justified lived inside the incumbent, in a shape only the incumbent could read. He thought he was buying detection quality. He had signed a multi-year custody arrangement over his own audit evidence, and noticed only on the way out.
Why audit evidence portability is a procurement requirement
Auditors do not accept "the vendor showed us a dashboard." For an ISO 27001 surveillance audit or a NIS2 readiness review, you have to show that a control was active over a defined window, that exceptions had named owners and expiry dates, and that the record wasn't quietly rewritten. If that evidence only renders inside the product, your assurance lasts as long as the subscription.
Regulators now write this into contract language. DORA and the EBA outsourcing guidelines push financial entities to put exit assistance and supervised data handover into their arrangements; GDPR Article 20 already requires personal data in a "structured, commonly used and machine-readable" format. A record you cannot extract and re-check independently was never yours.
Policy, exception, and log export as table stakes
Three artifacts decide whether you can leave. Make them a checklist before you sign:
- Policy — the category-to-group mapping in a text format you can diff in
git, not a binary blob and not a screenshot. - Exceptions — every allow and override with owner, reason, and expiry as
CSVorJSON, so the list survives a migration instead of being re-keyed by hand. - Decision logs — block and allow events with full history and timestamps, exportable in bulk, not paginated fifty rows at a time.
A vendor that can only hand you a PDF report or a console view hasn't given you export. They've given you a souvenir. Ask for a sample export during evaluation and load it into something else. The ones that fail this fail quietly.
How trapped evidence turns into a price increase
Once the incumbent knows your last four years of compliance proof exists only in their schema, the switch stops being a re-platform and becomes a re-attestation project. You rebuild the exception list from memory, explain an audit-trail gap to the assessor, and hope nobody asks why the history starts on the cutover date. Nobody threatens you; the switching cost does the negotiating, and the renewal quote knows it.
So he didn't switch. He paid the higher number, because re-attesting three years of block decisions to an auditor cost more than the difference. Portability was the control missing at the only moment it counted.
Open formats and signed evidence that travel between vendors
Two properties make evidence portable: open formats any tool can parse without the original product, and integrity you can verify after export, so a record carried onto a new platform still stands on its own. Public threat-indicator feeds travel this way because they aren't bound to one consumer. Hold your filtering evidence to the same standard.
Writing exit and export rights into the contract
Procurement closes this gap before the lock-in exists. Put an export SLA in the MSA: named formats, a hard turnaround for a full historical extract, and the right to test that extract mid-term, not on your way out. "Reasonable assistance" is what a vendor says when it plans to bill you for leaving.
ClearScreen keeps every policy group's configuration, its exceptions, and its block-decision logs in open, re-attestable formats you can export and verify outside the product, so a vendor switch stays a data move instead of a forensic rebuild. If portability is the control you're short on, start with the security page.