live · signed 2026-05-15 14:14:02 UTC
Trust Surface — Acme Robotics
This is a live attestation surface, not a static PDF. Every claim below resolves to a cryptographic proof anchored to the Sigstore Rekor public transparency log.
Active certifications
- ● active · HIPAA · 2026-01-15 → 2027-01-14 · Mercer & Hale CPA · sha256: 990c9b7163a72f39ec1ae0373e706691…
- ● active · ISO 27001:2022 · 2025-09-01 → 2026-08-31 · Mercer & Hale CPA · sha256: 1d69a873958df939a25a0000edf80033…
- ● active · SOC 2 Type II · 2026-02-01 → 2026-04-30 · Mercer & Hale CPA · sha256: 19ddaa4c065f23494c591738abe7b048…
Verify the attestation
# GET /api/public/trust/acme.json
{
  "org": "Acme Robotics",
  "slug": "acme",
  "certifications": [
    {
      "framework": "HIPAA",
      "status": "active",
      "period": ["2026-01-15", "2027-01-14"],
      "auditor": {
        "firm": "Mercer & Hale CPA",
        "cpa": "J. Mercer, CPA · AICPA #84421"
      },
      "payload_sha256": "990c9b7163a72f39ec1ae0373e7066919935eda73bd333b39895ff3d0ba2828a",
      "signature": "QU1mSvUeGwqoAA0F3NlEkaqV…"
    },
    {
      "framework": "ISO 27001:2022",
      "status": "active",
      "period": ["2025-09-01", "2026-08-31"],
      "auditor": {
        "firm": "Mercer & Hale CPA",
        "cpa": "J. Mercer, CPA · AICPA #84421"
      },
      "payload_sha256": "1d69a873958df939a25a0000edf800338a108dced0c7131f5e7bfb4b6967d130",
      "signature": "DkzHcf3H9wHGmVODyh8ckGMu…"
    },
    {
      "framework": "SOC 2 Type II",
      "status": "active",
      "period": ["2026-02-01", "2026-04-30"],
      "auditor": {
        "firm": "Mercer & Hale CPA",
        "cpa": "J. Mercer, CPA · AICPA #84421"
      },
      "payload_sha256": "19ddaa4c065f23494c591738abe7b04834e6394587cd6afc3709f853c4fc7acc",
      "signature": "SaUzO0dBwe86vdmxAUUX9rdb…"
    }
  ],
  "controls": {
    "total": 5,
    "satisfied": 2,
    "exceptions": 2
  },
  "anchor": {
    "merkle_root": "3c370df9afe8290976e939605cca700b377b9e27ea43a9e8c973133e05bfef21",
    "rekor_uuid": "local-3c370df9afe8290976e93960",
    "anchored_at": "2026-05-18T13:28:37.358847+00:00",
    "leaf_count": 30
  }
}
Fetches /api/public/trust/acme.json · recomputes SHA-256 Merkle root client-side
Verify a single evidence leaf
Fetches /api/public/trust/acme/proof.json?leaf=… · recomputes the root from the returned audit path in your browser · compares against the anchored root.
Verify multiple evidence leaves
POST /api/public/trust/acme/proofs.json · verifies every returned audit path locally · compares each recomputed root against the anchored root.
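The audit-path check described above, as an added example for Node.js (not this site's own verifier code). It assumes RFC 6962 leaf and node hashing and a proof response with hypothetical `leaf_index` and `audit_path` fields, neither of which the page documents; only `merkle_root` and `leaf_count` are taken from the JSON above.

```javascript
// Added example, not the site's verifier. Assumptions: RFC 6962 hashing and a
// proof shaped as { leaf_index, audit_path: [hex, ...] } (hypothetical field names).
const { createHash } = require("node:crypto");

const sha256 = (...parts) => createHash("sha256").update(Buffer.concat(parts)).digest();
// Distinct prefixes keep a leaf from being replayed as an interior node.
const leafHash = (data) => sha256(Buffer.from([0x00]), data);
const nodeHash = (left, right) => sha256(Buffer.from([0x01]), left, right);

// Recompute the root from one leaf hash and its audit path (RFC 9162 inclusion-proof check).
function rootFromAuditPath(leaf, index, treeSize, path) {
  if (!Number.isInteger(index) || index < 0 || index >= treeSize) throw new Error("leaf index out of range");
  let fn = index, sn = treeSize - 1, r = leaf;
  for (const p of path) {
    if (sn === 0) throw new Error("audit path too long");
    if (fn % 2 === 1 || fn === sn) {
      r = nodeHash(p, r); // sibling sits on the left
      while (fn % 2 === 0 && fn !== 0) { fn >>= 1; sn >>= 1; }
    } else {
      r = nodeHash(r, p); // sibling sits on the right
    }
    fn >>= 1; sn >>= 1;
  }
  if (sn !== 0) throw new Error("audit path too short");
  return r;
}

// anchor is the "anchor" object from the trust JSON (merkle_root, leaf_count).
function verifyLeaf(evidence, proof, anchor) {
  try {
    const path = proof.audit_path.map((h) => Buffer.from(h, "hex"));
    if (path.some((b) => b.length !== 32)) return false; // malformed sibling hash
    const root = rootFromAuditPath(leafHash(evidence), proof.leaf_index, anchor.leaf_count, path);
    return root.toString("hex") === anchor.merkle_root.toLowerCase();
  } catch { return false; }
}

// Constructed sample tree (30 leaves, like leaf_count above) to exercise the verifier offline.
const split = (n) => { let k = 1; while (k * 2 < n) k *= 2; return k; };
const mth = (hs) => hs.length === 1 ? hs[0]
  : nodeHash(mth(hs.slice(0, split(hs.length))), mth(hs.slice(split(hs.length))));
const pathFor = (hs, m, k = split(hs.length)) => hs.length === 1 ? []
  : m < k ? [...pathFor(hs.slice(0, k), m), mth(hs.slice(k))]
          : [...pathFor(hs.slice(k), m - k), mth(hs.slice(0, k))];
const sampleEvidence = Array.from({ length: 30 }, (_, i) => Buffer.from(`constructed-evidence-${i}`));
const sampleHashes = sampleEvidence.map(leafHash);
const sampleAnchor = { merkle_root: mth(sampleHashes).toString("hex"), leaf_count: 30 };
const sampleProof = (i) => ({ leaf_index: i, audit_path: pathFor(sampleHashes, i).map((h) => h.toString("hex")) });
```

A recomputed root that matches `anchor.merkle_root` only proves the leaf belongs to the tree the server described; the root itself still has to be confirmed against the Rekor entry.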
Continuous monitoring & open exceptions
Controls
2 / 5 satisfied
2 exceptions · anchored 2026-05-18
3 open findings
- CC1.4 · Annual security training completion 87% · open
- CC6.2 · Joiner pre-provisioning pattern · open
- CC8.1 · Branch protection gap on production repos · in remediation
Anyone can independently verify this attestation: fetch the JSON, recompute the SHA-256 of any referenced artifact, and confirm inclusion in the Rekor log via its entry ID. No trust in Audit-Native required.