Every section below links to a working endpoint, a file in this repo, or a real status check. Paste this URL into a procurement response — every claim is independently verifiable.
Every output cryptographically signed
Every agent run produces an HMAC-SHA256-signed receipt over a canonical projection. Tamper one byte, the signature breaks. On Pro+ the receipts are also Ed25519-signed for non-repudiation; on Team they're notarized to Bitcoin via OpenTimestamps.
Any party — compliance auditor, customer, journalist — can verify any public receipt by POSTing canonical + signature to /api/verify. Open CORS so the check runs in the verifier's own browser. Same endpoint the embed badge uses.
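As an added example (not the project's own code), this shows the shape of an HMAC-SHA256 receipt over a canonical projection and the recompute-and-compare check a /api/verify-style endpoint performs; the field names, signing key and sample receipt are constructed for illustration.

```python
"""Added example: HMAC-SHA256 receipt over a canonical projection.
Illustrative only; field names, key and sample receipt are constructed."""
import hashlib
import hmac
import json

# Constructed demo key. In practice the server loads this from a secret store;
# HMAC verification needs the key, which is why the check runs server-side.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical set of fields the signature covers (the "projection").
SIGNED_FIELDS = ("run_id", "agent", "output_sha256", "created_at")


def canonical_projection(receipt: dict) -> bytes:
    """Project the receipt onto the signed fields and serialize deterministically
    (sorted keys, no whitespace, ASCII-escaped) so signer and verifier agree byte-for-byte."""
    projection = {k: receipt[k] for k in SIGNED_FIELDS}
    return json.dumps(projection, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_receipt(receipt: dict, key: bytes = SIGNING_KEY) -> str:
    """Produce the hex HMAC-SHA256 signature over the canonical projection."""
    return hmac.new(key, canonical_projection(receipt), hashlib.sha256).hexdigest()


def verify_receipt(canonical: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the MAC over the posted canonical bytes and compare in constant time."""
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def demo() -> tuple:
    """Returns (valid, tampered_valid, unsigned_field_changed_valid)."""
    receipt = {
        "run_id": "run_0001",
        "agent": "summarizer",
        "output_sha256": hashlib.sha256(b"constructed agent output").hexdigest(),
        "created_at": "2024-01-01T00:00:00Z",
        "visibility": "public",  # not in the projection, so not covered by the MAC
    }
    sig = sign_receipt(receipt)
    canonical = canonical_projection(receipt)
    valid = verify_receipt(canonical, sig)
    tampered = bytearray(canonical)
    tampered[-2] ^= 0x01            # flip one byte of a signed field's value
    tampered_valid = verify_receipt(bytes(tampered), sig)
    receipt["visibility"] = "unlisted"  # outside the projection: signature still holds
    unsigned_change_valid = verify_receipt(canonical_projection(receipt), sig)
    return valid, tampered_valid, unsigned_change_valid
```

The third result is the point of a projection: only the projected fields are tamper-evident, so anything a verifier relies on must be inside it.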
A public, real-time feed of receipts being signed (visibility=public only — unlisted stays share-by-link). Compliance buyers can audit current platform activity without needing access to the dashboard.
Every relevant Trust Services Criterion is mapped to a concrete control in this codebase. The map lives in the repo alongside the implementation — no glossy PDF disconnected from reality.
Vulnerability disclosure response targets: critical 24h, high 48h, medium 7d. Safe-harbor terms for good-faith researchers are documented in SECURITY.md. No bug bounty yet, but a written disclosure response process.
Public status page driven by cron-triggered synthetic probes of the actual API endpoints. Not a green-light marketing widget — real HTTP calls with budgeted response-time SLOs.
Every third-party vendor that touches tenant data is listed, with the data category and DPA link. Neon (DB), Clerk (auth), Stripe (billing), Anthropic / OpenAI / NVIDIA / Cerebras (model providers), Resend (email), Sentry (errors), Vercel (hosting).
Need a security questionnaire response, DPA, or SOC 2 evidence pack? security@sovereignmatrix.agency — 24h response SLA for procurement requests. Include your vendor-risk platform (Vanta / Drata / etc.) so we can grant access directly.