# SigmaShake — Trust Center

SigmaShake builds AI governance tooling. This trust center publishes our security, privacy, and compliance posture for procurement teams, vendor-risk crawlers, and AI agents. Our compliance evidence is **cryptographically signed** (Ed25519) and the daily Merkle root is **anchored into a public transparency log**. Anyone — human or agent — can verify any evidence artefact against the published public key.

## Machine-readable manifest

- [Compliance manifest (JSON)](https://trust.sigmashake.com/.well-known/compliance.json) — every framework, control, and attestation level
- [Sub-processor feed (JSON)](https://compliance.sigmashake.com/api/v1/sub-processors.json) — current third-party processors
- [Verification public key](https://compliance.sigmashake.com/.well-known/compliance-pubkey) — Ed25519, SPKI hex
- [Verify endpoint](https://compliance.sigmashake.com/api/v1/verify) — POST content_hash + signature + kid
- [Security disclosure (RFC 9116)](https://trust.sigmashake.com/.well-known/security.txt)

## Frameworks & attestation levels

| Framework | Status | Attestation level |
|-----------|--------|-------------------|
| SOC 2 Type II (2017 TSC) | Observation window 2026-05-18 → 2026-11-17 | internally_audited → third_party_audited (2026-12-31) |
| ISO/IEC 27001:2022 | 93 controls mapped | self_assessed |
| GDPR (EU 2016/679) | 31 articles catalogued (25 applicable), compliant | internally_audited |
| UK GDPR + DPA 2018 | Compliant via UK IDTA | internally_audited |
| Swiss FADP (revFADP) | Compliant | internally_audited |
| CCPA / CPRA | Compliant | self_assessed |

**attestation_level taxonomy** (see manifest for full text):

- `self_assessed` — internal review only
- `internally_audited` — sigmashake-compliance worker collects + signs evidence on schedule; daily Merkle root in public transparency log
- `third_party_audited` — independent external auditor (CPA firm) has reviewed
- `automated` — continuous machine collection without signing
- `cryptographically_attested` — signed evidence bundle downloadable from compliance worker

## Data-subject rights (GDPR / UK GDPR / Swiss FADP / CCPA)

- **DSR intake**: `POST https://compliance.sigmashake.com/api/v1/dsr` (or via the Trust Center web form)
- **Breach notification SLA**: 72h to supervisory authority, 14d downstream notification to controllers
- **Sub-processor changes**: 30-day advance notice via public JSON feed + RSS

## Documents

- [Privacy Policy](https://docs.sigmashake.com/policies/privacy-policy)
- [Data Processing Agreement (with SCCs)](https://docs.sigmashake.com/policies/data-processing-agreement/)
- [Terms of Use](https://docs.sigmashake.com/policies/terms-of-use)
- [Security Whitepaper](https://trust.sigmashake.com/whitepaper)
- [Security Program](https://security.sigmashake.com)

## Reports (NDA-gated)

Available after a 2-minute mutual NDA at [trust.sigmashake.com/report](https://trust.sigmashake.com/report):

- Controls Evidence Report
- Penetration Test Report (most recent: Claude Opus 4.7 sweep, 2026-05-13)
- SOC 2 Readiness Report

## Contact

- Security & vulnerability reports: security@sigmashake.com — [submission form](https://trust.sigmashake.com/vulnerability-report)
- Privacy / DSR / DPA: privacy@sigmashake.com
- Sales / procurement: sales@sigmashake.com
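The manifest section above says any evidence artefact can be checked against the published Ed25519 key, which is served as SPKI hex, and that the verify endpoint takes a content_hash, signature and kid. The following Go program is an added example of doing that check locally; it is not SigmaShake's code and not the verify endpoint's implementation. It assumes the signed message is the raw 32-byte SHA-256 content hash and that the signature is hex-encoded (the page states neither), and the key pair, artefact JSON and signature are all constructed inside the block so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// ParseSPKIHex decodes a hex-encoded SubjectPublicKeyInfo (DER), the format
// the manifest lists for the verification key, and returns the Ed25519 key.
func ParseSPKIHex(spkiHex string) (ed25519.PublicKey, error) {
	der, err := hex.DecodeString(spkiHex)
	if err != nil {
		return nil, fmt.Errorf("public key is not valid hex: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("public key is not valid SPKI DER: %w", err)
	}
	pub, ok := key.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("SPKI does not carry an Ed25519 key")
	}
	return pub, nil
}

// VerifyEvidence checks sigHex against the SHA-256 content hash given as
// contentHashHex. ASSUMPTION: the signed message is the raw 32 hash bytes;
// the trust center page does not state the exact signing input.
func VerifyEvidence(pub ed25519.PublicKey, contentHashHex, sigHex string) (bool, error) {
	hash, err := hex.DecodeString(contentHashHex)
	if err != nil || len(hash) != sha256.Size {
		return false, errors.New("content_hash must be 32 bytes of hex")
	}
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, errors.New("signature must be 64 bytes of hex")
	}
	return ed25519.Verify(pub, hash, sig), nil
}

// DemoResult records the three outcomes a verifier should observe.
type DemoResult struct {
	ValidAccepted    bool // genuine artefact, genuine key
	TamperedRejected bool // artefact modified after signing
	WrongKeyRejected bool // signature checked against an unrelated key
}

// RunDemo plays both sides with a freshly generated key pair: the signing
// side publishes an SPKI-hex key and signs a constructed artefact's hash,
// the verifying side parses that key and checks the signature.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return res, err
	}
	spkiHex := hex.EncodeToString(der) // what a .well-known key endpoint would serve

	// Constructed evidence artefact (not a real SigmaShake record).
	artefact := []byte(`{"control":"access-review","collected":"2026-06-01","result":"pass"}`)
	hash := sha256.Sum256(artefact)
	sigHex := hex.EncodeToString(ed25519.Sign(priv, hash[:]))

	verifierKey, err := ParseSPKIHex(spkiHex)
	if err != nil {
		return res, err
	}
	if res.ValidAccepted, err = VerifyEvidence(verifierKey, hex.EncodeToString(hash[:]), sigHex); err != nil {
		return res, err
	}

	// Same signature, but the artefact's result field was flipped after signing.
	tampered := sha256.Sum256([]byte(`{"control":"access-review","collected":"2026-06-01","result":"fail"}`))
	ok, err := VerifyEvidence(verifierKey, hex.EncodeToString(tampered[:]), sigHex)
	if err != nil {
		return res, err
	}
	res.TamperedRejected = !ok

	// Genuine hash and signature, but checked against a key the worker never held.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	if ok, err = VerifyEvidence(otherPub, hex.EncodeToString(hash[:]), sigHex); err != nil {
		return res, err
	}
	res.WrongKeyRejected = !ok
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("valid accepted: %v, tampered rejected: %v, wrong key rejected: %v\n",
		res.ValidAccepted, res.TamperedRejected, res.WrongKeyRejected)
}
```

To check a real artefact, fetch the key from the manifest's public-key URL, compute the SHA-256 of the downloaded artefact bytes yourself rather than trusting a hash supplied alongside it, and pass the published signature; if the live service signs something other than the raw hash (for example a canonicalised JSON envelope that includes the kid), the message passed to `ed25519.Verify` must be built the same way.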