Trust center

Security enforced at the kernel, not bolted on.

Immutable GAAP ledger · cryptographic audit trail · zero-trust architecture · evidence accessible via public API. SOC 2 Type II and ISO 27001 ready.

Ledger events: 142,310
State transitions: 88,421
Agent runs: 412,884
Approval decisions: 28,190
Hash chain integrity: 100%

Compliance frameworks

SOC 2 Type II: CC-series controls
ISO 27001: Annex A controls
GDPR Art. 30: Processing register
SHA-256 Audit Chain: Cryptographic
STRIDE Threat Model: Threat analysis

Sub-processors register

| Processor | Region | Purpose | Certifications |
|---|---|---|---|
| Supabase | EU (Frankfurt) | Postgres, edge functions, auth | SOC 2 Type II, ISO 27001, HIPAA |
| OpenRouter | US / EU | LLM gateway (Claude Opus 4.6, Gemini Flash) | SOC 2 Type II |
| Vercel | Global edge | Static + edge runtime | SOC 2 Type II, ISO 27001 |
| Hetzner | EU (Falkenstein) | Self-hosted compute & storage | ISO 27001 |

Evidence API

Public, no-auth, machine-readable. 10 req/min rate-limited. Returns the head of the SHA-256 audit chain along with framework-specific evidence pointers.

GET /v1/audit/verify
{
  "head_hash":   "sha256:c8f29a1e...",
  "merkle_root": "sha256:7a1f0c92...",
  "tree_size":   142310,
  "events":      142310,
  "verified_at": "2026-05-02T11:00:00Z",
  "frameworks": {
    "soc2":        { "report_request": "trust@aiprocurement.club" },
    "iso27001":    { "soa_url": "/openapi.json#evidence/iso27001" },
    "gdpr-art30":  { "register_url": "/openapi.json#evidence/gdpr-art30" },
    "audit-chain": { "head_hash": "sha256:c8f29a1e..." },
    "merkle":      { "root": "sha256:7a1f0c92...", "proof_endpoint": "/v1/audit/proof?id=:event_id" },
    "stride":      { "model_url": "/openapi.json#evidence/stride" }
  }
}

The Merkle root commits to all tree_size events. Inclusion proofs follow RFC 6962 (CT-style): a single event can be proven to be a member of the log with ⌈log₂(n)⌉ sibling hashes, with no full-chain replay needed. See /admin/audit.

Security contact

Report a vulnerability, request a SOC 2 Type II report, or request our DPA at trust@aiprocurement.club. PGP key fingerprint: 0xC8F2 9A1E 4421 8F3A

Last reviewed: 2026-04-30 · Next review: 2026-07-30 · Owner: AIPROCUREMENT.CLUB security team