The Evidence Pack Kit (v4.1‑Ready): Anonymized Case File + Metric Chips + Signed Permissions
Build a v4.1‑ready Evidence Pack to publish anonymized, metrics‑rich case files without breaking NDAs. Includes a conservative anonymization checklist, chip library, signed‑permission flow, CAIQ/CAIQ‑Lite mapping, and a storage blueprint you can copy today.
Publish credible, NDA‑safe proof for every client project. This guide turns your best wins into an anonymized, metrics‑rich case file with signed permissions and a CAIQ/CAIQ‑Lite v4.1 mapping buyers recognize. As of January 27–28, 2026, CSA’s CCM/CAIQ v4.1 is current; v4.0.x remains accepted through December 2027 and is withdrawn January 2028. Build your Evidence Pack once, reuse it across sales, security reviews, and marketing.
1) Anonymization & language checklist (ship every time)
Use this conservative checklist every time you create a public case file. Treat it as de‑identification, not pseudonymization, and document decisions.
Anonymize early
- Start the checklist before writing. Note your anonymization intent and risk appetite in an internal log.
Strip direct/indirect identifiers (HIPAA Safe Harbor as baseline)
- Remove: names; specific geographies below state level; all dates except year; phone, email, URLs, IPs, device IDs; account numbers; license plates; full‑face images and comparable photos; biometric IDs; and any unique codes linked to identity.
- Plus for B2B: company name, ticker, product code names, internal project names, unique order/contract numbers, subdomain paths, unique campaign IDs.
De‑sharpen the triangle (mosaic‑effect mitigation)
- Bucket sensitive attributes: “2–5M MAU” not “2.7M”; “200–300 employees” not “237.”
- Time‑shift sensitive dates to month/quarter or “in H2.”
- Aggregate narrow geographies or vertical niches when a combo would reveal identity.
Language patterns to avoid
- Don’t imply that the client’s results are typical or that the client is endorsing you. Avoid “guaranteed,” “industry‑leading,” or naming unique competitors, vendor SKUs, or local awards.
- Replace brand‑revealing phrasing: “Shopify Plus electronics retailer” → “enterprise ecommerce retailer.”
Redaction and metadata scrubs (apply before publishing)
- Use true redaction tools (e.g., Adobe Acrobat Pro “Mark for Redaction” → “Apply”); drawing an opaque box over text leaves the original text in the file, selectable and searchable.
- Search and redact patterns: emails, phone numbers, order IDs, subdomains, API keys.
- Scrub file metadata: PDF properties, EXIF, track changes, comments. Export flattened images/PDFs.
Decision log (store with the case file)
- Who approved anonymization method; what attributes were bucketed or time‑shifted; permission artifacts; final reviewer sign‑off. Keep an audit trail.
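A pre‑publication scan that applies the search‑and‑redact patterns and the bucketing/time‑shift rules from this checklist to a draft paragraph. This is an added example, not part of the original kit; the draft text, the pattern set and the bucket edges are constructed assumptions you would tune to your own data.

```python
import re

# Constructed sample draft paragraph (fictional client, reserved 555 number, fake key).
DRAFT = (
    "Acme Logistics (ops lead: jane.doe@acme-example.com, +1 415-555-0134) "
    "runs 2.7M MAU with 237 employees. Dashboards live at ops.acme-example.com; "
    "go-live was 2026-03-03 and the pilot key was sk_live_EXAMPLEKEYabcDEF4567xyz."
)

# Residual-identifier patterns for the search-and-redact step; extend for your data
# (order IDs, ticket numbers and internal project names are usually site-specific).
PATTERNS = {
    "email": r"[\w.+-]+@[\w-]+\.[\w.-]+",
    "phone": r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}",
    "exact_date": r"\b\d{4}-\d{2}-\d{2}\b",
    "subdomain": r"\b(?:[a-z0-9-]+\.){2,}[a-z]{2,}\b",
    "api_key": r"\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{16,}\b",
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}

def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every residual identifier in the draft, grouped by pattern name."""
    hits = {name: re.findall(rx, text) for name, rx in PATTERNS.items()}
    return {name: found for name, found in hits.items() if found}

def bucket(value: float, edges: list[float], unit: str = "") -> str:
    """Replace an exact value with its range: 2.7 -> '2–5M', 237 -> '200–300'."""
    for lo, hi in zip(edges, edges[1:]):
        if lo <= value < hi:
            return f"{lo:g}–{hi:g}{unit}"
    return f"{edges[-1]:g}+{unit}"

def time_shift(iso_date: str, granularity: str = "quarter") -> str:
    """Coarsen an exact YYYY-MM-DD date to quarter or half-year."""
    year, month = int(iso_date[:4]), int(iso_date[5:7])
    if granularity == "quarter":
        return f"Q{(month - 1) // 3 + 1} {year}"
    return f"H{1 if month <= 6 else 2} {year}"

if __name__ == "__main__":
    for name, found in find_identifiers(DRAFT).items():
        print(f"BLOCKER {name}: {found}")  # anything listed must be redacted or bucketed
    print("MAU:", bucket(2.7, [1, 2, 5, 10], "M"))
    print("headcount:", bucket(237, [50, 100, 200, 300, 500]))
    print("go-live:", time_shift("2026-03-03", "half"))
```

Run it against the draft before the two‑person QA pass; an empty result from `find_identifiers` means the regex layer found nothing, not that the mosaic‑effect review can be skipped.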
2) Redacted screenshot how‑to (no leaks, still persuasive)
Correct redaction preserves credibility without leaking data. Use this workflow for PDFs, images, and screen captures.
PDFs (dashboards, invoices, tickets)
- Duplicate the source file; never redact the only copy.
- Tools: Adobe Acrobat Pro or equivalent with permanent redaction.
- Identify layers: use “Find Text” for PII patterns; preview all redaction marks.
- Apply redactions; remove hidden content (Object data, JavaScript, attachments).
- Sanitize document: File → Properties → Remove metadata. Save as new file.
- QA: Try selecting under black boxes; nothing should copy. Zoom to 400% to check for halos.
Images (screenshots)
- Capture only what you need; crop first.
- Redact with solid blocks that cover full characters; avoid Gaussian blur or pixelation for PII, since both can be reversed.
- Remove EXIF/location; export PNG/JPEG without layers.
- QA on a second device and by a second person.
What to keep visible (credibility signals)
- UI chrome that proves the tool exists, generic column headers, non‑unique row labels, anonymized KPI tiles, timestamps at month/quarter granularity.
What to hide
- Names/emails/usernames, order IDs, ticket numbers, URLs/subdomains, internal project names, customer list exports, secrets/keys.
Include a caption
- “Redacted Ops Dashboard (Q1). PII removed; metrics aggregated to month.”
3) Metric chips library (copy‑ready defaults)
Standardize the numbers you publish so buyers can compare apples to apples. Use chips as small, consistent before/after snapshots.
Chip format
- Label — Before → After (Δ absolute, Δ %) [Period]
- Example: Latency (p95) — 12.4s → 3.1s (−9.3s, −75%) [30 days]
Delivery performance
- Latency (p50/p95): end‑to‑end or step‑level.
- Throughput: runs/day or tasks/hour.
- Success rate: completed runs ÷ total attempts.
Reliability & quality
- Error rate: failures/1000 runs; rollback/retry rate.
- Defect/leak rate: incidents per 1k outputs; manual review hit rate.
- MTTA/MTTR: mean time to acknowledge/resolve incidents.
Cost & efficiency
- Cost/run: API + compute + tooling fees.
- Human minutes saved/run and hours saved/month.
- COGS reduction %; monthly tool spend before/after.
Security & operations (buyer‑friendly)
- Access hardening: % of privileged actions requiring MFA; SSO enabled (Y/N).
- Logging coverage: % systems forwarding to SIEM; retention days.
- Patch cadence: median days‑to‑patch critical issues.
Business impact
- Revenue lift or pipeline created (bucketed ranges if sensitive).
- SLA attainment: % within target; P95 response time vs. SLA.
Copy‑ready chip snippets
Latency (p95) — [BEFORE] → [AFTER] ([DELTA_ABS], [DELTA_PCT]) [RANGE]
Success rate — [BEFORE%] → [AFTER%] ([DELTA_PCT]) [30 days]
Cost/run — $[BEFORE] → $[AFTER] (−$[DELTA], −[DELTA_PCT]) [pilot]
Logging coverage — [BEFORE%] → [AFTER%] ([DELTA_PCT]); Retention: [DAYS]
Patch cadence — [BEFORE_DAYS] → [AFTER_DAYS] ([DELTA_PCT])
Notes
- Always state period and scope; bucket sensitive values; round consistently.
- Keep raw calculations in your internal file; only chips go public.
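The chip format above, implemented as a renderer that computes Δ absolute and Δ % with one consistent rounding setting, reports rate metrics in percentage points, and refuses a zero baseline where Δ % is undefined. This is an added example, not the kit’s own tooling; the function names are mine and the values are the ones from this section.

```python
def fmt_signed(x: float, decimals: int) -> str:
    """Explicit sign, using the typographic minus the chip library uses."""
    sign = "−" if x < 0 else "+"
    return f"{sign}{abs(x):.{decimals}f}"

def render_chip(label: str, before: float, after: float, period: str,
                unit: str = "", money: bool = False, rate: bool = False,
                decimals: int = 1) -> str:
    """Render one chip: Label — Before → After (Δ absolute, Δ %) [Period].

    rate=True treats before/after as percentages and reports the absolute
    change in percentage points (pp); money=True prefixes values with '$'.
    decimals is applied to every value so rounding stays consistent.
    """
    if before == 0:
        # Δ % is undefined on a zero baseline; publish the absolute change only.
        raise ValueError("zero baseline: state absolute change, not Δ %")
    delta = after - before
    pct = fmt_signed(100 * delta / before, 0) + "%"

    def show(x: float) -> str:
        if rate:
            return f"{x:.{decimals}f}%"
        return f"${x:.{decimals}f}" if money else f"{x:.{decimals}f}{unit}"

    if rate:
        absolute = fmt_signed(delta, decimals) + " pp"
    elif money:
        absolute = ("−$" if delta < 0 else "+$") + f"{abs(delta):.{decimals}f}"
    else:
        absolute = fmt_signed(delta, decimals) + unit
    return f"{label} — {show(before)} → {show(after)} ({absolute}, {pct}) [{period}]"

if __name__ == "__main__":
    print(render_chip("Latency (p95)", 12.4, 3.1, "30 days", unit="s"))
    print(render_chip("Cost/run", 0.41, 0.19, "prod", money=True, decimals=2))
    print(render_chip("Success rate", 91, 98, "pilot", rate=True, decimals=0))
```

Keep the raw before/after inputs in the internal file and paste only the rendered strings into the public case file.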
4) Signed permissions & testimonial flow (e‑sign templates included)
Capture clear rights to publish an anonymized story and, optionally, a named testimonial. This is U.S.‑centric guidance—consult counsel for your situation.
Set up once in your e‑sign tool
- Create a reusable template (Adobe Acrobat Sign, DocuSign, Dropbox Sign). Include: signer name, title, company (optional), email, checkboxes for attribution preference, approval window, disclosure block, and e‑signature/date. Require signer to receive a final PDF for their records (ESIGN retention).
Attribution options (checkboxes)
- Anonymous case file (default) — allow publication without client name/logo.
- Named attribution — allow publication with name/logo after final approval.
- Quote use — authorize use of a specific testimonial text.
Disclosure block (FTC compliance)
- If any material connection exists (discount, free month, affiliate), include a conspicuous disclosure adjacent to the quote. Example: “We received a [discount/free pilot] in connection with this project.”
Copy‑ready release language
I authorize [YOUR COMPANY] to use the anonymized results of our engagement in public marketing and sales materials (“Evidence Pack”). I confirm that: (a) no confidential information or personal data will be disclosed; (b) [YOUR COMPANY] will provide the final anonymized text and redacted images for my review at least [5] business days before publication; and (c) I may request reasonable edits limited to confidentiality and accuracy.
Attribution preference (select one):
[ ] Anonymous case file only
[ ] Named attribution permitted (name/logo) after final approval
Optional testimonial (exact text to use):
"[CLIENT QUOTE HERE]"
Disclosures (check all that apply):
[ ] We received a discount or other consideration: [SPECIFY]
[ ] Employee/contractor of [YOUR COMPANY]
Scope of use: websites, proposals, social posts, conference talks, and paid ads. Worldwide, perpetual, royalty‑free. This release does not transfer ownership of our confidential information.
Signature: ____________________ Date: __________
Name/Title: ____________________ Company: ______
Operational tips
- Auto‑attach the final PDF with audit trail to your case file folder. Store signer email, IP, and timestamp.
- Add a 12‑month review reminder to refresh chips or convert to named attribution if permitted.
6) Case file structure, naming, and searchable library blueprint
Make each case file fast to find, reuse, and update.
Naming convention
- evidence-[YYYY]-[MM]-[client-slug-anon]-v[MAJOR.MINOR] (plain ASCII hyphens, so the name is safe in file systems and URLs)
- Example: evidence-2026-05-logistics-platform-anon-v1.0
Folder structure
- /evidence/[year]/[slug]/
  - /public-case-file (PDF/Markdown)
  - /screenshots-redacted
  - /permissions (signed PDFs)
  - /anonymization-log
  - /private-annex (under NDA only)
Database (Notion/Sheets) fields
- Title, Summary (1–2 lines), Vertical, Size bucket (employees/revenue), Region bucket, Period covered, Chips (multi‑line), CAIQ Domains (multi‑select), Links to assets, Status (draft/review/published), Reviewer, Next review date.
Blueprint (paste into Notion page body)
Summary: [Outcome in one line]
Scope: [What you changed]
Period: [e.g., Q1 2026]
Chips:
- Latency (p95) — 12.4s → 3.1s (−75%) [30 days]
- Success rate — 91% → 98% (+7 pp) [pilot]
- Cost/run — $0.41 → $0.19 (−54%) [prod]
Screenshots:
- Ops Dashboard (redacted)
- SIEM source list (redacted)
Permissions:
- Release signed (Anonymous) — 2026‑05‑12 (DocuSign) — link
Anonymization log:
- Bucketed MAU to 2–5M; shifted exact go‑live date to “H2”
CAIQ domains:
- IAM, LOG, TVM
Risks & mitigations:
- Narrow niche → Aggregated region to “North America”; removed unique vendor SKU
Review cadence
- Freshness matters. Revalidate chips quarterly or on major stack changes. Tag updated versions v1.1, v1.2, etc.
7) QA, risk mitigation, and compliance guardrails
Before you publish, run a hardening pass.
Pre‑publication QA (two‑person rule)
- Person A runs the checklist; Person B attempts re‑identification using public data (site, LinkedIn, press releases). If B can guess the client with high confidence, tighten buckets or redact more.
Risk controls
- If a metric is uniquely identifying (e.g., “Europe’s only X with 11 plants”), aggregate or remove it.
- Time‑shift go‑live dates to month/quarter; avoid “on March 3 at 2:04pm.”
- Keep a private annex for buyers under NDA; don’t over‑sanitize the public file if you can share more privately.
Legal/compliance notes
- ESIGN: ensure signers receive a retainable copy with an audit trail.
- FTC testimonials: disclose material connections; don’t imply typical results unless you can substantiate. Prefer “This reflects one client’s experience; results vary.”
Kill‑switch
- Add a takedown clause in your release for material errors. Keep the ability to pull the page quickly if needed.
8) Versioning through the 2026–2028 transition (what to update, when)
CSA’s transition is your trigger for periodic updates.
Key dates
- v4.1 released: January 27–28, 2026
- Dual acceptance (v4.0.x and v4.1): through December 2027
- v4.0.x withdrawn: January 2028
Operating plan
- Now: Tag case files with domain‑level labels (IAM/LOG/TVM/etc.).
- Q4 2027: Audit mappings; update any v4.0.x references in your private annex.
- 2028 onward: Ensure all STAR/CAIQ responses reference v4.1+ language; keep public case files domain‑level and platform‑agnostic.
Version log snippet
2026‑06‑05 — v1.0 — Initial v4.1‑ready Evidence Pack
2027‑10‑01 — v1.1 — Updated LOG chips to include retention days; refreshed SIEM screenshot
2028‑01‑15 — v2.0 — Migrated private annex to v4.1 control references