| EVD-AUTH-001 | Authentication | Login success/failure screenshots or API responses | QA | Needed | No real passwords |
| EVD-RBAC-001 | RBAC | Denied access test evidence for each role | QA / Backend | Confirmed by technical team; Evidence Pending Attachment | Test cases and manual testing confirmed |
| EVD-SCOPE-001 | Scope / Account Isolation | Cross-school/supplier/operator denial evidence | QA / Backend | Confirmed by technical team; Evidence Pending Attachment | Maqsafy is not SaaS; use scope/account isolation wording |
| EVD-CRED-001 | Credentials | Cancellation and activation/deactivation test evidence | QA / Product | Needed | Include scope note |
| EVD-PAY-001 | Payments | Idempotency proof for duplicate payment/webhook/job | Backend / Payments | Confirmed by technical team; Evidence Pending Attachment | Server-to-server status checks and single-update enforcement confirmed |
| EVD-BCK-001 | Backup / Restore | Restore date, result, duration, owner approval | DevOps | Partial | Restore test performed approximately during the last month; exact evidence pending |
| EVD-API-001 | API Contract | Postman documentation and OpenAPI draft review | Backend | Partial | Postman exists; OpenAPI draft exists; Swagger UI hosting decision pending |
| EVD-OBS-001 | Monitoring | Sentry/logging/alert owner screenshots | DevOps | Needed | Sanitize secrets |