Security, Risk & Audit microsite

Evidence bundles for procurement & regulators

Download policy hashes, Action Certificate samples, DPIA templates, SOC 2 readiness artifacts, and OpenTelemetry queries. Instant redacted bundles help security reviewers, auditors, and regulators verify Certified Writes without waiting on a calendar invite.

Instant Security Pack

Unlock redacted evidence bundles instantly

Drop your work email to receive a download link immediately. We send a confirmation with SIG Lite, CAIQ, and pen-test executive summary links in the auto-response.

Action Certificate sample (redacted)
{
  "type": "trustplane.action_certificate.v1",
  "certificate_id": "cert_8f24a3d1",
  "issued_at": "2025-03-12T18:05:11.000Z",
  "certified_write": {
    "use_case": "ap-invoice-matching",
    "policy_version_hash": "sha256:9c73…f5a0",
    "evaluation_contract": "golden:v1",
    "approvals": ["security","finops","data-owner"],
    "rollout": { "percent": 25, "mode": "governed_canary" }
  },
  "audit": {
    "request_hash": "sha256:2a6e…8d4b",
    "response_hash": "sha256:7f1c…a2b1",
    "transparency_log": "merkle:5d9f…"
  },
  "budget_snapshot": { "monthly_budget_usd": 25000, "spent_usd": 8300 },
  "slo_snapshot": { "latency_p95_ms": 910, "availability": "99.95%" },
  "signatures": [
    { "alg": "Ed25519", "key_id": "k-prod-us-1", "format": "COSE_Sign1", "sig": "base64:…" }
  ]
}

Verify this sample at /verify to see signature and policy-hash checks succeed.

DPIA / LLM risk template highlights
  • Purpose, lawful basis, and human oversight plan mapped to Action Certificates.
  • Data boundary worksheet (residency, BYOK/KMS, retention, masking).
  • Evaluation contract summary referencing Learning Controls.
  • Transparency log and revocation procedures with policy hash references.
Key management & BYOK
  • HSM-backed keys in AWS KMS, Azure Key Vault, or Google Cloud KMS with automatic rotation.
  • Per-environment signing keys with key_id references in every certificate.
  • Key custody never leaves your account; TrustPlane publishes attestation documents for gateway images.
SOC 2 & incident readiness

SOC 2 Type II program is underway (coverage: Control plane, SDKs, managed support). External auditor engaged; audit fieldwork begins October 2025 with an expected report window of Q2 2026. Auditor engagement letter is available under NDA.

  • Sev1 triage ≤15 minutes, customer comms ≤60 minutes, mitigation updates every 4 hours.
  • Post-incident report within 5 business days with corrective actions tracked.
  • Business continuity and disaster recovery tests run semi-annually with evidence in bundles.

Need signed copies or marketplace procurement?

Use the security contact form to request signed PDFs, SIG Lite/CAIQ responses, pen-test executive summary, or private marketplace offers—redacted versions arrive instantly after submission.
