An immutable GAAP ledger, a cryptographic audit trail, and a zero-trust architecture, enforced inside the database itself (row-level security policies and triggers) rather than bolted on in application code.
Pulled from the production database in real time; every number is verifiable via the Evidence API.
Each framework is mapped to actual database controls, not checkbox compliance. Click any card to view the underlying evidence artifact.
Trust Services Criteria mapped to platform controls: CC6 (logical and physical access), CC7 (system operations), CC8 (change management), CC9 (risk mitigation, including vendor and business-partner risk). The immutable ledger supplies the evidence these criteria require.
Annex A controls (ISO/IEC 27001:2013 numbering): A.9 (access control via RLS + service role), A.12 (operations security: agent kill switch, health checks), A.14 (system acquisition, development and maintenance: migration audit trail), A.16 (incident management: stuck event recovery).
Records of processing activities: requestor PII (name, email, Telegram ID), supplier data (legal name, contacts, IBAN), invoice data. Data residency: Supabase EU region. Retention: 10 years for financial records per Dutch law.
Every AI agent decision and treasury state transition is linked in a SHA-256 hash chain: each row's hash commits to its predecessor's hash, so editing, deleting, or reordering an earlier row breaks every hash after it, and proc_check_chain_integrity() reports the break. This is tamper-evident, not tamper-proof: a writer who can also recompute the downstream hashes leaves an internally consistent chain, so the current chain head should be recorded somewhere that writer cannot reach and compared against the recomputed head when the check runs. The chain supports the audit-trail requirements of FDA 21 CFR Part 11 §11.10(e) (secure, time-stamped audit trails) and the electronic-records provisions of SEC Rule 17a-4(f); note that a hash chain is integrity evidence, not WORM storage. Most competitors claim immutability via policy; here it is verifiable by recomputing the chain.
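The following is an added example, not the platform's own code: a stand-in for the hash chain and for what proc_check_chain_integrity() must do, written in Python so the three failure modes can be seen side by side. The row layout (seq, prev_hash, canonical-JSON payload, hash = SHA-256(prev_hash || payload)), the all-zero genesis value, and the sample events are assumptions; the page does not describe its exact hashing input. The `anchor_head` argument is the externally held chain head discussed above, which an internal-only walk cannot substitute for.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

# Assumed anchor for the first row's prev_hash; the page does not state its genesis value.
GENESIS = "0" * 64


def canonical(payload: dict) -> str:
    # Canonical JSON: key order and whitespace cannot change the hash.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def row_hash(prev_hash: str, payload: dict) -> str:
    # hash = SHA-256(prev_hash || canonical payload): each row commits to its predecessor.
    return hashlib.sha256((prev_hash + "\n" + canonical(payload)).encode()).hexdigest()


def append_row(rows: list, payload: dict) -> list:
    prev = rows[-1]["hash"] if rows else GENESIS
    rows.append({"seq": len(rows) + 1, "prev_hash": prev,
                 "payload": payload, "hash": row_hash(prev, payload)})
    return rows


def check_chain_integrity(rows: list, anchor_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS; return (ok, first_bad_seq).

    Assumed reimplementation of what the page's proc_check_chain_integrity() must do,
    plus the external-anchor comparison that an in-database walk cannot perform alone.
    """
    prev = GENESIS
    for expected_seq, row in enumerate(rows, start=1):
        # Gaps, deletions or reordering show up as a seq / prev_hash mismatch.
        if row["seq"] != expected_seq or row["prev_hash"] != prev:
            return False, expected_seq
        # An edited payload whose stored hash was not recomputed.
        if row_hash(prev, row["payload"]) != row["hash"]:
            return False, expected_seq
        prev = row["hash"]
    # A writer who rewrites a row AND recomputes every downstream hash passes the
    # loop above; only comparison with a head held outside the database catches it.
    if anchor_head is not None and prev != anchor_head:
        return False, len(rows)
    return True, None


def rewrite_history(rows: list, seq: int, new_payload: dict) -> list:
    """Simulate the privileged attacker: change one row, then re-hash the whole tail."""
    rows = copy.deepcopy(rows)
    rows[seq - 1]["payload"] = new_payload
    prev = rows[seq - 2]["hash"] if seq > 1 else GENESIS
    for row in rows[seq - 1:]:
        row["prev_hash"] = prev
        row["hash"] = row_hash(prev, row["payload"])
        prev = row["hash"]
    return rows


def demo() -> dict:
    # Constructed sample events, not data from the platform.
    rows = []
    for payload in ({"event": "invoice_received", "amount": 1200},
                    {"event": "agent_approved", "run_id": "run-1"},
                    {"event": "payment_released", "amount": 1200}):
        append_row(rows, payload)
    head = rows[-1]["hash"]  # published out of band, e.g. to a separate append-only log

    naive = copy.deepcopy(rows)
    naive[0]["payload"]["amount"] = 12000      # edit in place, hashes left stale
    deleted = copy.deepcopy(rows)
    del deleted[1]                              # drop the approval record
    rewritten = rewrite_history(rows, 1, {"event": "invoice_received", "amount": 12000})

    return {
        "intact": check_chain_integrity(rows, head),
        "naive_edit": check_chain_integrity(naive),
        "deleted_row": check_chain_integrity(deleted),
        "rewrite_internal_only": check_chain_integrity(rewritten),
        "rewrite_vs_anchor": check_chain_integrity(rewritten, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} ok={result[0]} first_bad_seq={result[1]}")
```

The last two results are the point: the rewritten chain verifies cleanly on its own and fails only against the anchored head, which is why the integrity check is worth as much as the protection of that anchor.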
STRIDE mapping: Spoofing (JWT + service-role segregation), Tampering (immutability triggers on the ledger and state transitions), Repudiation (proc_agent_runs records each run with its full reasoning), Information Disclosure (RLS + service role), Denial of Service (pg_net rate limiting), Elevation of Privilege (role-based allowlists).
| Sub-Processor | Region | Data Category | Legal Basis | Certification |
|---|---|---|---|---|
| Supabase | EU (Frankfurt) | Database, Auth, Storage, Edge Functions | Contractual necessity (DPA available) | SOC 2 Type II |
| OpenRouter | US | LLM inference (agent reasoning only; no PII in prompts) | Legitimate interest (pseudonymised payload) | None claimed (no PII transmitted) |
| Vercel | US (Edge CDN) | Frontend hosting, serverless functions | Contractual necessity (DPA available) | SOC 2 Type II |
All compliance evidence is available from a public API endpoint. Use it to feed your GRC tooling, SIEM, or audit dashboards.

```text
GET /api/trust/evidence?section=soc2&format=json
GET /api/trust/evidence?section=iso27001&format=csv
GET /api/trust/evidence?section=gdpr&format=json
GET /api/trust/evidence?section=all&format=json
GET /api/trust/evidence?section=soc2&from=2026-01-01&to=2026-03-31
# Rate limit: 10 requests/minute per IP
# No authentication required
```
```json
{
  "generated_at": "2026-04-11T10:00:00Z",
  "period": { "from": "2026-01-01", "to": "2026-03-31" },
  "framework": "soc2",
  "evidence": {
    "agent_success_rate_pct": 98.7,
    "approval_chain_records": 142,
    "ledger_event_count": 847,
    "last_state_transitions": [...]
  }
}
```

Full SOC 2 Type II report and Data Processing Agreement (DPA) available to enterprise prospects under NDA. Security vulnerability disclosures welcome.
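As an added example of consuming the Evidence API above (not the platform's own client code), the Python below builds the documented query string, backs off when the per-IP limit (10 requests/minute) answers with HTTP 429, refuses a response whose framework or period does not match the request, and flattens the scalar metrics into one record per metric for SIEM ingestion. The host name is hypothetical (the page gives only the path), a `Retry-After` header on 429 is assumed, and `SAMPLE_RESPONSE` is a constructed copy of the page's example response with the elided `last_state_transitions` left empty.

```python
import json
import time
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical host: the page documents only the path /api/trust/evidence.
BASE_URL = "https://trust.example.invalid/api/trust/evidence"
RATE_LIMIT_PER_MINUTE = 10  # documented limit: 10 requests/minute per IP

# Constructed sample mirroring the page's example response (not live data).
SAMPLE_RESPONSE = {
    "generated_at": "2026-04-11T10:00:00Z",
    "period": {"from": "2026-01-01", "to": "2026-03-31"},
    "framework": "soc2",
    "evidence": {
        "agent_success_rate_pct": 98.7,
        "approval_chain_records": 142,
        "ledger_event_count": 847,
        "last_state_transitions": [],  # shape elided on the page
    },
}


def build_url(section: str, fmt: str = "json",
              date_from: Optional[str] = None, date_to: Optional[str] = None) -> str:
    params = {"section": section, "format": fmt}
    if date_from:
        params["from"] = date_from
    if date_to:
        params["to"] = date_to
    return f"{BASE_URL}?{urlencode(params)}"


def http_get(url: str):
    """Real transport: returns (status, headers, body) and never raises on 4xx/5xx."""
    try:
        with urlopen(Request(url, headers={"Accept": "application/json"}), timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode(errors="replace")


def validate_evidence(doc: dict, section: str,
                      date_from: Optional[str], date_to: Optional[str]) -> None:
    """Refuse a response that does not match what was asked for.

    Assumes `framework` echoes the `section` parameter, as in the page's example.
    """
    for key in ("generated_at", "period", "framework", "evidence"):
        if key not in doc:
            raise ValueError(f"missing field {key!r}")
    if doc["framework"] != section:
        raise ValueError(f"asked for {section}, got {doc['framework']}")
    if date_from and doc["period"].get("from") != date_from:
        raise ValueError("period start differs from request")
    if date_to and doc["period"].get("to") != date_to:
        raise ValueError("period end differs from request")


def fetch_evidence(section: str, date_from: Optional[str] = None, date_to: Optional[str] = None,
                   get: Callable = http_get, sleep: Callable[[float], None] = time.sleep,
                   max_attempts: int = 3) -> dict:
    """GET one section as JSON, backing off when the per-IP limit is hit (HTTP 429)."""
    url = build_url(section, "json", date_from, date_to)
    for _ in range(max_attempts):
        status, headers, body = get(url)
        if status == 429:
            # Retry-After is an assumption; fall back to one slot of the documented limit.
            sleep(float(headers.get("Retry-After", 60 / RATE_LIMIT_PER_MINUTE)))
            continue
        if status != 200:
            raise RuntimeError(f"evidence API returned {status} for {url}")
        doc = json.loads(body)
        validate_evidence(doc, section, date_from, date_to)
        return doc
    raise RuntimeError("rate limited on every attempt")


def to_siem_events(doc: dict) -> list:
    """One flat record per scalar metric; nested arrays are left to a separate pipeline."""
    base = {"framework": doc["framework"], "generated_at": doc["generated_at"],
            "period_from": doc["period"]["from"], "period_to": doc["period"]["to"]}
    return [{**base, "metric": name, "value": value}
            for name, value in doc["evidence"].items()
            if not isinstance(value, (list, dict))]


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in http_get for the real endpoint.
    offline = lambda url: (200, {}, json.dumps(SAMPLE_RESPONSE))
    for event in to_siem_events(fetch_evidence("soc2", "2026-01-01", "2026-03-31", get=offline)):
        print(json.dumps(event))
```

Because the endpoint is unauthenticated, the mismatch checks in `validate_evidence` are the only assurance that a cached or mis-routed reply is not silently ingested as evidence for the wrong framework or period; treat a failed check as an alert, not a retry.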