Trust posture

Verification infrastructure has to be trustworthy in detail.

This page consolidates Certisyn's public posture across security, privacy, residency, key management, audit readiness, and the regimes institutional procurement asks about first. Every claim here is backed by an artefact that ships under it.

Open standards

Three protocols, contributed to the public record.

Certisyn does not ask institutions to take the verification layer on trust. Three of its core protocols are contributed as Internet-Drafts at the IETF — readable, citable, and on the public record — so the parties that rely on them can read the protocol, not just the vendor's word for it.

IETF Internet-Draft · SCITT · Standards Track

Attestation Reconciliation Protocol

draft-hillier-scitt-arp-00  ·  intended status: Standards Track

A deterministic, zero-knowledge-capable mechanism for reconciling a verification claim against multiple sovereign authoritative registers — sanctions lists, beneficial-ownership registers, export-control registers — without any raw register record leaving its jurisdiction. It extends the SCITT and RATS architectures to cross-sovereign reconciliation, seals every result against a policy-version hash, and carries a post-quantum upgrade path inside the protocol itself.

Read on the IETF Datatracker →
Read the full draft →

IETF Internet-Draft · Informational

Essential Eight Verified

draft-hillier-certisyn-essential-eight-verified-00

A cryptographic verification standard for the ACSC Essential Eight Maturity Model — the deterministic, auditor-grade, independently reconstructable attestation the model was designed to imply but does not deliver.

View on the IETF Datatracker →

IETF Internet-Draft · Informational

AI Governance Verified

draft-hillier-certisyn-ai-governance-verified-00

A cryptographic verification standard for agentic AI governance in regulated industries — sits beneath ISO/IEC 42001 and the NIST AI Risk Management Framework and produces the verifiable artefact they imply but do not deliver.

View on the IETF Datatracker →

Internet-Drafts are working documents of the IETF, valid for a maximum of six months and to be cited only as “work in progress.” These are individual submissions; they are not, and do not claim to be, IETF-endorsed or ratified standards. Further protocol contributions are in preparation and will be published here as each enters the public record.

In place today

Six controls operating in production right now.

Bastion AAA+

Self-graded posture

certisyn.com scores AAA+ on the Bastion catalog v2.1 across transport security, email authentication, web headers, cookie security, cross-origin policy, information disclosure, surface exposure, DNS posture, and compliance signals. The catalog is signed; the scan is reproducible.

Run the scan →
Sentinel Squadron

Continuous monitoring

Five autonomous agents — Sentinel, Warden, Auditor, Chronicler, Envoy — operate against the Certisyn estate continuously. Audit-event immutability, RLS coverage, retention adherence, supply-chain posture, and access integrity are verified without human intervention.

Compliance Vault

Evidence registry

Every policy, control, evidence artefact, control assessment, and gap item is held under SHA-256 digest in a versioned vault designed for audit-evidence projection. Not a theoretical document store — a live system feeding the regimes below.

23-policy ISMS

Information Security Management System

Master policy plus twenty-two subordinates spanning acceptable use, access control, cryptography, data classification, incident response, business continuity, supplier security, change management, secure SDLC, asset management, physical security, logging, HR security, third-party risk, privacy and DSAR, AI and ML governance, mobile and BYOD, chain of custody, standards authoring, cross-border verification, sanctions, and reserve treasury. Each is version-tracked and bound to the Compliance Vault as living evidence.

Cryptography

Post-quantum-ready

AES-256-GCM at rest. TLS 1.2/1.3 in transit. RSA-4096-OAEP for bilateral register channels. X25519 ECDH with HKDF and AES-256-GCM for forward-secret corridors; a hybrid X25519 with ML-KEM-1024 (NIST FIPS 203) sealing path is implemented and conformance-tested for post-quantum forward secrecy. Transport is hash-agile — SHA-512 by default, SHA3-512 (Keccak) for construction-family diversity, SHA-256 for constrained corridors — HKDF keyed to the negotiated family. Attestations carry a hybrid dual-signature envelope binding a classical HMAC-SHA-256 signature to an ML-DSA-65 (NIST FIPS 204, CRYSTALS-Dilithium 3) post-quantum signature, both required to validate. The post-quantum primitives are the audited noble implementation, conformance-tested in CI. Keys generated in hardware-backed KMS, never exportable, rotated annually, predecessor retained seven years for historical verification.
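The hash-agile HKDF and hybrid-secret step described above, as an added illustration that is not Certisyn's code: it derives the 32-byte AES-256-GCM corridor key from the concatenated X25519 and ML-KEM shared secrets over whichever hash family was negotiated. The sample shared secrets, the salt, the info label and the concatenation order are constructed assumptions, not the protocol's actual encoding.

```python
import hashlib
import hmac

# Hash families listed for the hash-agile transport; the negotiated name
# selects the PRF for both HKDF stages and the size of the default salt.
HASH_FAMILIES = {
    "sha512": hashlib.sha512,
    "sha3-512": hashlib.sha3_512,
    "sha256": hashlib.sha256,
}

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, family: str) -> bytes:
    """RFC 5869 HKDF-Extract then HKDF-Expand over the negotiated hash family."""
    h = HASH_FAMILIES[family]
    hash_len = h().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output exceeds the HKDF limit for this family")
    if not salt:
        salt = b"\x00" * hash_len  # RFC 5869 default salt
    prk = hmac.new(salt, ikm, h).digest()  # Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # Expand: T(n) = HMAC(PRK, T(n-1) | info | n)
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_corridor_key(x25519_ss: bytes, mlkem_ss: bytes, salt: bytes, family: str) -> bytes:
    """Derive the AES-256-GCM corridor key from both shared secrets.
    Concatenation order and the info label are assumptions for this example."""
    if len(x25519_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("X25519 and ML-KEM-1024 shared secrets are 32 bytes each")
    ikm = x25519_ss + mlkem_ss  # key only recoverable if BOTH agreements are broken
    info = b"corridor/aes-256-gcm/" + family.encode()
    return hkdf(ikm, salt, info, 32, family)

# Constructed stand-ins for the secrets a real handshake would produce.
SAMPLE_X25519_SS = bytes(range(32))
SAMPLE_MLKEM_SS = bytes(range(32, 64))
SAMPLE_SALT = b"constructed-transcript-salt"
```

Binding the family name into the info string means a peer that downgrades the hash negotiation cannot arrive at the same key as one that negotiated honestly.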

Derivation chain

Tamper-evident audit trail

Every Verification Attestation Object carries an append-only, cryptographically linked derivation chain replayable by any party with access to the canonical evidence set. Reliance is verifiable without trusting the issuer.
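The append-only derivation chain described above, as an added Python sketch that is not Certisyn's implementation or its VAO format: each step binds a SHA-256 digest of one canonical evidence item to the previous step's hash and to the policy-version hash, the issuer seals the chain head with HMAC-SHA-256, and a relying party replays every link from the evidence set alone. The step field names, the canonical-JSON encoding, the genesis value and the seal key are assumptions; the evidence set is constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed link value for the first step

def canonical(obj) -> bytes:
    """Canonical JSON so every replaying party hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_step(index: int, prev: str, item: dict, policy_hash: str) -> dict:
    """One link: evidence digest + previous link + policy-version hash, then its own hash."""
    step = {"index": index, "prev": prev, "evidence": sha256_hex(canonical(item)), "policy": policy_hash}
    step["hash"] = sha256_hex(canonical(step))  # hashed before the hash field is added
    return step

def build_chain(evidence: list, policy_version: str) -> list:
    policy_hash = sha256_hex(policy_version.encode())
    chain, prev = [], GENESIS
    for i, item in enumerate(evidence):
        step = make_step(i, prev, item, policy_hash)
        chain.append(step)
        prev = step["hash"]
    return chain

def replay(chain: list, evidence: list, policy_version: str) -> int:
    """Recompute every link from the canonical evidence set without trusting the issuer.
    Returns -1 when the chain replays cleanly, else the index of the first bad step."""
    if len(chain) != len(evidence):
        return min(len(chain), len(evidence))
    policy_hash = sha256_hex(policy_version.encode())
    prev = GENESIS
    for i, (step, item) in enumerate(zip(chain, evidence)):
        if step != make_step(i, prev, item, policy_hash):
            return i
        prev = step["hash"]
    return -1

def seal(chain: list, key: bytes) -> str:
    """Issuer's HMAC-SHA-256 seal over the chain head (key handling is assumed)."""
    return hmac.new(key, chain[-1]["hash"].encode(), hashlib.sha256).hexdigest()

def seal_valid(chain: list, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(chain, key), tag)

# Constructed sample evidence set: one reconciliation result per register.
EVIDENCE = [
    {"register": "sanctions", "jurisdiction": "EU", "match": False},
    {"register": "beneficial-ownership", "jurisdiction": "UK", "match": True},
    {"register": "export-control", "jurisdiction": "US", "match": False},
]
```

The seal only proves who issued the head; the replay is what proves the head is the honest result of the evidence, so a relying party runs both.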

Compliance regimes

Posture across the regimes institutional buyers ask about.

Every regime below has a documented Statement of Applicability, a control-by-control mapping, and named target dates for independent attestation. We publish dates because institutional procurement deserves a calendar, not an aspiration. Where a certificate is not yet held, we say so.

ISO/IEC 27001:2022 · International · Audit underway · Jun 2026

ISMS scope and Statement of Applicability published. All 93 Annex A controls applicable; zero excluded. Stage-2 certification audit underway with an accredited certification body (June 2026); certificate issuance expected this month.

ISO 9001:2015 · International · Audit underway · Jun 2026

Quality Management System established with documented processes, internal audit, and management review across the verification operation. Stage-2 certification audit underway with an accredited certification body (June 2026); certificate issuance expected this month.

SOC 2 Type 2 · United States · In progress · Q1 2027

System Description published. Trust Services Criteria covered: Security, Availability, Processing Integrity, Confidentiality, Privacy. Six-month observation window opens Q3 2026 under a CPA firm engagement. Type 2 report target Q1 2027.

HIPAA Security Rule · United States · Health · Implemented · BAA available

Security Officer designated under §164.308(a)(2). Privacy Officer designated under §164.530(a)(1). Administrative, physical and technical safeguards implemented. Business Associate Agreement available on engagement. (HIPAA does not certify; no logo exists.)

GDPR · UK GDPR · European Union · United Kingdom · Implemented · Operational

DPO designated (Article 37(4) voluntary). Records of Processing Activities maintained per Article 30. Data Processing Agreement available per Article 28. Sub-processor list published. EU SCCs 2021 Module 2 + UK IDTA in place for international transfers. Privacy Notice published under Articles 13 / 14. (GDPR does not certify; no logo exists.)

DORA · European Union · Financial · In progress · TLPT Q1 2027

Article 28 ICT Third-Party Register published with concentration-risk and substitutability assessment. Risk management framework, incident response, BCP/DR, supplier security and information sharing all operational. Threat-led penetration test (CREST or TIBER-EU) scheduled Q1 2027.

AU Essential Eight · Australia · ASD ACSC · Self-assessed ML2 · IRAP Q4 2026

Maturity Level 2 self-assessed against seven of the eight strategies. Application Control progressing to ML2 with managed-endpoint allow-list. Independent IRAP-endorsed assessment Q4 2026 ahead of Australian Government engagement.

UK Cyber Essentials Plus · United Kingdom · NCSC / IASME · Self-assessed · IASME Q3 2026

All five technical themes (firewalls, secure configuration, security update management, user access control, malware protection) self-assessed as compliant. IASME-accredited assessor scheduled Q3 2026.

EU NIS2 Directive · European Union · Aligned · Operational

All ten cyber-security risk-management measures under Article 21 implemented. 24-hour early-warning, 72-hour notification, intermediate and final-report cadence aligned to RTS/ITS taxonomy.

US CMMC Level 2 · United States · DoD · Self-attested · C3PAO on demand

NIST SP 800-171 Rev. 2 control families implemented across all fourteen domains. Plan of Action and Milestones (POAM) published. C3PAO assessment scoped on contract demand.

NIST CSF 2.0 · United States · NIST · Tier 3 · Repeatable

Tier 3 Repeatable across all six Functions: Govern, Identify, Protect, Detect, Respond, Recover. Profile published with crosswalk to ISO 27001:2022 Annex A and NIST SP 800-53 Rev 5.

PCI-DSS v4.0 · Payment Card Industry · SAQ-A · Out of scope

Cardholder data never traverses Certisyn systems. Payments processed by Stripe (PCI-DSS Level 1 Service Provider). SAQ-A applicable; all 22 requirements met through ISMS controls and the Stripe attestation.

Operational transparency

Where the data lives, who touches it, how long it stays.

Sub-processors

Ten named sub-processors covering hosting, edge security, source control, observability, secrets management, payments, email delivery, and the agentic-workforce LLM. Each is contracted under a Data Processing Agreement. Material changes are notified fourteen days in advance.

Sub-processor list →

Data residency

Per-customer residency election against the customer's jurisdiction of operation. Cross-jurisdiction transfer requires SCCs 2021 (Module 2 or 3) plus supplementary Schrems II measures, recorded in the Records of Processing Activities.

Retention

Tier-by-tier retention schedule under POL-ISMS-04. Crypto-erase, overwrite or physical destruction at end of life with certificate of destruction. Default seven years for institutional reliance evidence; engagement-letter override available.

Backup and recovery

4-hour RTO and 1-hour RPO for the verification spine. Backup capture cadence aligned to RPO. Quarterly restore test. Cross-region failover tested semi-annually with evidence written to the Compliance Vault.

Incident response

Four-severity model with named SLAs. Severity 1 includes attestation-key compromise, Vault compromise, material PII breach. 72-hour breach-notification cycle aligned to GDPR Article 33. Tabletop exercise semi-annually.

Audit posture

Append-only derivation chain replayable on supervisory demand. Sealed outputs verifiable against the chain without trusting the issuer. SHA-256 digest on every Vault artefact. HMAC-SHA256 on every Bastion scan.

Document library

Every artefact a procurement office needs, in one place.

Public notices
Contractual templates
Audit-ready artefacts (under NDA)
  • ISO 27001 Statement of Applicability
  • SOC 2 Type 2 System Description
  • DORA Article 28 ICT Third-Party Register
  • GDPR Article 30 ROPA
Self-assessments
  • AU Essential Eight ML2
  • UK Cyber Essentials Plus
  • EU NIS2 Article 21 measures
  • US CMMC Level 2 / NIST SP 800-171
  • NIST CSF 2.0 Profile

Audit-ready artefacts and self-assessments are released to procurement offices and counsel under a mutual NDA. Email trust@certisyn.com with your buying-side function and the regimes you need to evidence; we typically respond inside one business day.

Subservice attestations

The infrastructure under Certisyn is itself attested.

Certisyn's controls are layered on top of subservice organisations that independently maintain current attestations. The carve-out method is used in our SOC 2 System Description; Certisyn's own controls are designed to address the user-entity controls referenced by each subservice attestation.

Vercel

SOC 2 Type 2 attested. Application deployment and edge compute.

Supabase

SOC 2 Type 2 attested. Managed Postgres and authentication.

AWS

SOC 2 / ISO 27001 / FedRAMP Moderate / HIPAA-eligible. Underlying cloud.

Cloudflare

SOC 2 Type 2 attested. DNS, edge security, DDoS protection.

GitHub

SOC 2 Type 2 attested. Source control and CI.

Stripe

PCI-DSS Level 1 Service Provider. Payment processing.