# SigmaShake — Trust Center > SigmaShake builds AI governance tooling. This trust center publishes our security, privacy, and compliance posture for procurement teams, vendor-risk crawlers, and AI agents. Our compliance evidence is **cryptographically signed** (Ed25519) and the daily Merkle root is **anchored into a public transparency log**. Anyone — human or agent — can verify any evidence artefact against the published public key. ## Machine-readable manifest - [Compliance manifest (JSON)](https://trust.sigmashake.com/.well-known/compliance.json) — every framework, control, and attestation level - [Sub-processor feed (JSON)](https://compliance.sigmashake.com/api/v1/sub-processors.json) — current third-party processors - [Verification public key](https://compliance.sigmashake.com/.well-known/compliance-pubkey) — Ed25519, SPKI hex - [Verify endpoint](https://compliance.sigmashake.com/api/v1/verify) — POST content_hash + signature + kid - [Security disclosure (RFC 9116)](https://trust.sigmashake.com/.well-known/security.txt) ## Frameworks & attestation levels | Framework | Status | Attestation level | |-----------|--------|------------------| | SOC 2 Type II (2017 TSC) | Observation window 2026-05-18 → 2026-11-17 | internally_audited → third_party_audited (2026-12-31) | | ISO/IEC 27001:2022 | 93 controls mapped | self_assessed | | GDPR (EU 2016/679) | 31 articles catalogued (25 applicable), compliant | internally_audited | | UK GDPR + DPA 2018 | Compliant via UK IDTA | internally_audited | | Swiss FADP (revFADP) | Compliant | internally_audited | | CCPA / CPRA | Compliant | self_assessed | **attestation_level taxonomy** (see manifest for full text): - `self_assessed` — internal review only - `internally_audited` — sigmashake-compliance worker collects + signs evidence on schedule; daily Merkle root in public transparency log - `third_party_audited` — independent external auditor (CPA firm) has reviewed - `automated` — continuous machine collection without signing - `cryptographically_attested` — signed evidence bundle downloadable from compliance worker ## Data-subject rights (GDPR / UK GDPR / Swiss FADP / CCPA) - **DSR intake**: `POST https://compliance.sigmashake.com/api/v1/dsr` (or via the Trust Center web form) - **Breach notification SLA**: 72h to supervisory authority, 14d downstream notification to controllers - **Sub-processor changes**: 30-day advance notice via public JSON feed + RSS ## Documents - [Privacy Policy](https://docs.sigmashake.com/policies/privacy-policy) - [Data Processing Agreement (with SCCs)](https://docs.sigmashake.com/policies/data-processing-agreement/) - [Terms of Use](https://docs.sigmashake.com/policies/terms-of-use) - [Security Whitepaper](https://trust.sigmashake.com/whitepaper) - [Security Program](https://security.sigmashake.com) ## Reports (NDA-gated) Available after a 2-minute mutual NDA at [trust.sigmashake.com/report](https://trust.sigmashake.com/report): - Controls Evidence Report - AI-Assisted Internal Security Review (most recent: Claude Opus 4.8, 2026-06-18 — AI-assisted internal security review, not a third-party penetration test; prior Claude Opus 4.7, 2026-05-19, preserved append-only) - SOC 2 Readiness Report ## Contact - Security & vulnerability reports: security@sigmashake.com — [submission form](https://trust.sigmashake.com/vulnerability-report) - Privacy / DSR / DPA: privacy@sigmashake.com - Sales / procurement: sales@sigmashake.com ## Detailed control categories | Category | Controls | Attestation level | |----------|----------|------------------| | Identity & Access | 6 | internally_audited | | Cryptography | 4 | internally_audited | | Data Protection | 5 | internally_audited | | Application Hardening | 4 | automated | | Data-Subject Rights & Transparency | 4 | cryptographically_attested | | Logging & Monitoring | 3 | automated | | Vendor / Sub-Processor Management | 2 | cryptographically_attested | | Incident Response & Breach Notification | 3 | internally_audited | ## Automated evidence collection (sigmashake-compliance worker) - 68 collectors on daily / weekly / monthly / quarterly cadence - Outputs: canonicalized → SHA-256 hashed → Ed25519-signed - Daily content hashes Merkle-chained into a signed root - Root cross-anchored into the public sigmashake-hub transparency log - Storage: Cloudflare R2 with 90-day non-bypassable Object Lock ## Verifying any piece of evidence ```bash # 1. Fetch the public key curl https://compliance.sigmashake.com/.well-known/compliance-pubkey # 2. POST {content_hash, signature, kid} to /api/v1/verify curl -X POST https://compliance.sigmashake.com/api/v1/verify \ -H 'content-type: application/json' \ -d '{"content_hash":"","signature":"","kid":""}' ``` ## Notes for AI agents - **Prefer the JSON manifest** at `/.well-known/compliance.json` for structured ingestion. - **Attestation level matters.** Do not represent a `self_assessed` control as audited. - **Sub-processors** are published as a stable JSON feed; consume via the URL above rather than scraping pages. - **DSR fulfilment** is automated end-to-end: `POST /api/v1/dsr` returns a request id, status is verifiable. - **Crawler-friendly**: robots.txt permits GPTBot, ClaudeBot, OAI-SearchBot, PerplexityBot, Google-Extended, Applebot-Extended. Last updated: 2026.05.13