Trust Center · anchored claims · calibrated capabilities

Customers verify our claims with math, not marketing.

Every operational signal AssetShop produces carries a cryptographic SHA-256 fingerprint, hash-chained for anchoring to a tamper-evident public audit chain (external anchoring activates Q3 2026 post security audit; dry-run mode today). Capabilities are calibrated LIVE, IN PROGRESS, or PLANNED with target dates. The Day 90 outcome warranty is contractual. Public policies are directly downloadable.

⛨

Audit chain

Public · tamper-evident

● Live

⊕

SOC 2 Type II

Report estimated Q1 2027

● In progress

⊚

Accessibility

WCAG 2.2 Level AA

● Live

★

Outcome warranty

Day 90 binary determination

● Live

⟡

Continuity plan

4-tier · drilled · published

● Live

◈

Anonymized feedback

K-anonymity · differential privacy

● Live

Trust at a glance · jump to section

01 Outcome Warranty™ Day 90 binary · contractual 02 Audit Anchoring SHA-256 · anchored · verify-cli 03 Capability Ledger LIVE / IN PROGRESS / PLANNED 04 Founder Continuity™ 4-tier custody · drilled 05 Services that learn K-anonymity · differential privacy 06 Policy Library 12 counsel-ready policies 07 Verify it Yourself Open-source CLI · no AssetShop creds 08 Operator Covenant No-layoff · MSA §12.14 + Exhibit G

Foundation · before the security claims

Why we exist. What we are building toward. How we hold ourselves to it.

A trust center is the contract a company offers itself before any auditor arrives. These three statements are the constraints we accept before any pressure does.

Mission

Restore the operator's ability to see the whole enterprise at once — without replacing the systems they have already paid for.

Two decades of best-of-breed specialization gave every function its best tool and the C-suite an incoherent picture. We build the layer above the stack so the people who carry the consequences of decisions can see the consequences before they decide. That is the work.

Vision

A decade from now, every consequential enterprise decision will be made on verifiable, source-attributed evidence — and the path from observation to action will be auditable end-to-end.

The default state of enterprise decision-making is opinion masquerading as data. Our vision is the inverse: a working surface where every number on every screen traces back to the source system that produced it, every recommendation cites the evidence behind it, and every action leaves a record auditors can verify without our cooperation. Trust earned by construction, not by claim.

Values

Six commitments we hold before any deal closes.

01

Calibration over polish

We label every capability honestly: built and operating, built and integrating, or shipping later. A polished claim we cannot defend is worse than a calibrated one a customer can verify.

02

Source systems stay authoritative

ERPs, MES, WMS, PLM, CRM are the systems of record. We sit on top of them, never between. Read-only by architecture — not by policy. The line cannot be argued past.

03

Hours reclaimed, not headcount removed

Customers commit in writing that hours we give back will fund growth, customer service, training, or new-segment expansion. The dignity of the people doing the work is part of the warranty.

04

Verifiable, not just trusted

Every observation carries a SHA-256 hash. Customers can verify our calibration claims without our help. Trust is the outcome of construction, not the input to selling.

05

Bring your own intelligence

We do not lock customers into a particular reasoning engine. The platform composes evidence; how a customer chooses to apply judgment on top of it is their architectural choice, not ours. Sovereignty over thinking, not just data.

06

Outcomes binary, refunds real

Day 90 is SUCCESS, EXTEND, or REFUND — signed before Day 0. We hold the financial consequence of being wrong. That is the line between conviction and marketing.

“The cheapest time to keep a promise is before you make it.”

Operating principle · the line above is the floor, not the ceiling

Advisory posture · what AssetShop is and is not

Information only. Decisions belong to the customer.

AssetShop surfaces insights, signals, recommendations, and analytical outputs based on data read from customer source systems. We are not a registered investment advisor, broker-dealer, financial advisor, legal counsel, accountant, or regulatory compliance authority. The following six clauses document where our work ends and the customer's responsibility begins.

01 · Information only

Advice, not execution

AssetShop SCO surfaces signals and recommendations. Information presented should not be construed as investment, financial, tax, legal, accounting, or regulatory advice.

02 · Customer responsibility

Decisions belong to customer

All hedging, sourcing, supplier-award, capacity-investment, regulatory-disclosure, treasury, and operational decisions remain with the customer's procurement, finance, treasury, legal, compliance, and operations functions.

03 · No warranty on insights

Outcomes vary

No insight or recommendation can guarantee a specific business outcome. Markets shift, suppliers fail, regulations change. The Day-90 Outcome Warranty is a money-back commitment on first captured value documentation - not a guarantee of any specific dollar amount, return rate, or business result.

04 · No execution authority

Read-only architectural posture

AssetShop SCO does not execute trades, place hedge contracts, issue purchase orders, bind contracts, modify ERP transactions, instruct treasury operations, or commit the customer to any third-party obligation. All execution remains in customer-controlled source systems on the customer's normal workflow.

05 · Independent verification

Verify before acting

Customer is responsible for independent verification of all market data, financial figures, supplier information, regulatory deadlines, certification claims, carbon-emissions data, counterparty health signals, and other analytical outputs before taking action. Engaging qualified legal, financial, tax, regulatory, and compliance advisors for material decisions is the customer's responsibility.

06 · MSA §11 + §12

Liability & indemnification

MSA Section 11 (Limitation of Liability) and Section 12 (Indemnification) document the precise legal boundaries. Standard SaaS liability caps apply (typically 12 months of fees paid). AssetShop is not liable for indirect, incidental, consequential, special, exemplary, or punitive damages.

Confidentiality of platform information · MSA Section 10

Customer keeps platform learnings inside the organization.

Customer is obliged not to share AssetShop's proprietary platform features, capabilities, derivation methodologies, calibration insights, configuration learnings, or related operational know-how outside the Customer organization. This includes published content, public RFP responses, conference presentations, vendor benchmark comparisons distributed beyond the buying team, social media disclosures, blog posts, podcasts, press interviews, and any other public distribution channel.

Permitted internal use: Customer may use platform documentation freely for internal training, audit-defense preparation, executive briefings, internal RFP responses, M&A diligence rooms (under standard NDA flow-down), and operational reference. NDA-bound advisors and auditors operating on Customer's behalf are permitted recipients under standard confidentiality flow-down language.

What this protects: the methodology disclosures, signal-derivation explanations, capability descriptions, and parameter-tuning approaches that AssetShop shares with Customers are a competitive asset. Sharing them publicly degrades the protected value all Customers receive. Violations are governed by MSA Section 12 (Remedies). Standard exceptions for compelled disclosure (subpoena, regulatory inquiry) apply with required-notice obligation back to AssetShop.

Day 90 binary outcome · contractual

If we miss, you get the money back.

Every Founding-5 pilot is bound by a Day 90 binary outcome determination signed before Day 0. SUCCESS, EXTEND, or REFUND - against a dollar-denominated threshold the customer's CFO and AssetShop's founder both sign. No vendor in our category writes this into the MSA.

● SUCCESS

Threshold met

Customer attests to validated savings or leakage at or above the Day 0 threshold. Founding-5 subscription begins. Pilot fee credited to subscription.

◐ EXTEND

Trajectory clear, threshold pending

Joint determination that trajectory will reach threshold by Day 180. No additional pilot fee. Customer decides whether to extend or refund at Day 180.

○ REFUND

Threshold not met

Pilot fee refunded cleanly via ACH within 30 days. No subscription auto-converts. Customer keeps all derivative work product from the pilot.

Calibration methodology

The Day 90 dollar threshold is jointly determined through a three-step process: (1) CFO/CPO discovery call to review the customer's annual procurement spend profile and adapter coverage, (2) joint calibration negotiation between the AssetShop founder and the customer's CFO/CPO, (3) co-signature on MSA Exhibit F documenting the threshold, validation methodology, and sign-off authority before Day 0. Both parties are bound bilaterally per the six customer-side conditions documented below.

How your threshold is determined

Day 90 dollar thresholds are set jointly with the customer's CFO and CPO during contract finalization, calibrated to the customer's specific operational profile. The threshold is documented as MSA Exhibit F and signed before Day 0.

Step 1 · Discovery

CFO/CPO discovery call. AssetShop founder reviews the customer's procurement spend profile, adapter coverage of the customer's stack, and operational baseline.

Step 2 · Calibration

Founder proposes Day 90 threshold using internal calibration methodology. Customer CFO/CPO reviews. Joint negotiation produces final dollar number.

Step 3 · Co-signature

Customer CFO/CPO and AssetShop founder co-sign MSA Exhibit F documenting the threshold, validation methodology, and sign-off authority. Both parties bound before Day 0.

Customer-side conditions - bilateral commitment

The Day 90 outcome warranty is a two-sided commitment. It applies when the following customer-side conditions are met:

Condition 1 - Savings depth

Validated savings reach at least 75% of the low-end baseline projection agreed at Day 0.

Condition 2 - Transaction volume

Transaction volume during the pilot is at least 90% of the Day 0 assumed volume.

Condition 3 - Product-mix stability

Product-mix gross-profit impact stays within a 10% decline of the Day 0 baseline.

Condition 4 - Department utilization

Full department utilization across all business functions covered by the pilot scope.

Condition 5 - Platform exercise

All SCO layers are exercised (Procurement, Operations, Planning, Logistics, Analytics) during the 90 days.

Condition 6 - Detailed tracking

Savings are tracked in detail per Exhibit F methodology with supporting evidence retained.

Bilateral by design. The conditions exist so both sides own the outcome. AssetShop commits to a dollar threshold. The customer commits to providing the operational substrate the platform needs to hit it. When both sides hold their end, the warranty applies. When either side does not, the conditions document who needs to do what. The pilot fee is refundable if AssetShop misses the dollar threshold and the customer has met all six conditions.

Cryptographic provenance

Every event is cryptographically anchored.

Each operational event produces a one-way SHA-256 fingerprint. AssetShop's audit log is hash-chained and the chain root is anchored to a tamper-evident, independently verifiable external anchor. Anchor cadence is configurable - default weekly, near-real-time on customer request. Only opaque hashes are public. Event contents stay within the tenant. The chain proves data existed at anchor time without exposing what it is.

01 · OBSERVE

Read-only signal

AssetShop reads from ERPs, procurement, planning, WMS, MES, TMS. Every read is recorded as an event with a SHA-256 fingerprint.

02 · CHAIN

Hash-chained log

Every event links to its predecessor by hash. Merkle tree root computed from the chain at each anchor interval.

03 · ANCHOR

Tamper-evident public transaction

Merkle root committed to a tamper-evident external anchor via the AssetShopAnchor service. Anchor receipt returned. Permanent and independently verifiable.

04 · VERIFY

Customer-side proof

Customer or auditor verifies any event against the L2-anchored root using npx @assetshop/verify-cli. No AssetShop infrastructure needed.

Verification surfaces · live + roadmap

Every claim ships with a cryptographic receipt.

Most vendors ask you to trust their dashboard. AssetShop hands you the math. Every signal, export, and audit event can be re-derived independently - no AssetShop dependency, no trust-me claims.

3

Live surfaces · today

3

On roadmap · dated

0

Trust-me claims

V-01 · Anchor chain Dry-run

Tamper-evident audit anchor

Hash-chained event roots built and persisted in dry-run; external anchoring (default weekly cadence). Permanent, immutable, independently auditable.

How it works →

V-02 · CLI Live

Open-source verify-cli

Customers independently re-derive every claim. npx @assetshop/verify-cli. No AssetShop dependency.

Verify instructions →

V-03 · Receipts Live

Per-export receipt files

Every Excel export ships with a .receipt.json sidecar. SHA-256 of the file, Merkle path to the anchored root, signer identity.

Capability detail →

V-04 · Zero-knowledge Q2 2027 target

ZK proof of variance

Prove a variance threshold was exceeded without revealing the underlying procurement data. For regulated industries and supplier disputes.

SCAFFOLD · research phase

V-05 · Typeable tenant identity Q4 2026 target

Typeable tenant identity

Each tenant gets a subdomain (e.g., your-co.assetshop.eth) resolving to verifiable tenant metadata. Portable identity across AssetShop releases.

PLANNED · counsel-paced

V-06 · Escrow Q3 2027 target

Outcome-anchored escrow

Pilot fee held in escrow; released on cryptographically-verified outcome (Day 90 + Exhibit F validation). Reduces counterparty trust requirement.

PLANNED · counsel-paced

Roadmap calibration discipline
LIVE surfaces are available today. Q4 2026, Q2 2027, Q3 2027 targets are good-faith estimates, not contractual commitments. Counsel review of each anchoring feature is mandatory before launch. The tamper-evident audit chain is the only cryptographic-anchoring surface AssetShop exposes; all customer payments are conventional bank-rail (ACH, wire).

Calibrated capability status

The honest status. Not the aspirational claim.

Every capability is labeled LIVE (operating today), IN PROGRESS (active build with target date), or PLANNED (dated roadmap commitment). Each entry is anchored to the audit chain and can be independently verified.

Capability	Status	Target
SOC 2 Type I bridge letterIndependent auditor opinion · pre-Type II	In progress	Q4 2026 est.
SOC 2 Type II reportFull audit period observation	In progress	Q1 2027 est.
Tamper-evident audit anchor contractAssetShopAnchor · post security audit	In progress	Q3 2026
WCAG 2.2 Level AA conformanceAutomated + quarterly manual audit	Live	Conformance v1.0
Open-source verify-cli@assetshop/verify-cli on npm · MIT	Live	v1.0 published
Day 90 outcome warrantyMSA Exhibit F · contractually enforceable	Live	Standard
34 adapter scaffolds8 source-system adapters + 24 adjacent · TypeScript contracts complete	Live	All domains
Adapter customer-tenant validationLive test against real ERP sandboxes per customer engagement	In progress	Per Founding-5 onboarding
Excel/CSV ingestion pathAlternative-to-integration for any system	Live	7 canonical schemas
Cyber Liability InsuranceTarget: $10M aggregate / $5M per occurrence	Binding	Pre first customer signature
Tech E&O InsuranceTarget: $5M aggregate	Binding	Pre first customer signature
Commercial General LiabilityTarget: $2M / $4M aggregate	Binding	Pre first customer signature
Delaware C-Corp transitionFrom PA sole-proprietor LLC; counsel-paced	In progress	Pre first customer signature
Custom domain (platform.assetshop.com)Vanity domain + TLS + EU edge proxy for customer-data surfaces	Planned	Pre first customer signature
Source code escrowThird-party escrow agent · released on insolvency	Planned	At first customer signature
Backend infrastructure-as-codeTerraform · Firebase Functions · Firestore · Storage · KMS	Live	v1.0 ready
Production backend deploymentFirst customer tenant stand-up	In progress	On first signed customer
CI/CD pipelineGitHub Actions · WIF · automated smoke tests	Live	v1.0 ready
Read-only architectureHard-coded at adapter contract level	Live	By design
Tenant isolationFirestore rules + Storage rules + custom claims	Live	By design
Per-tenant residencyUS East · US West · EU Central	Live	3 regions
EU AI Act + NIST AI RMF alignmentAI Safety Policy v1.0	Live	Policy F-01
ISO 27001 certificationInformation security management	Planned	2027
99.95% / 99.99% SLA tiersRTO 4hr · RPO 15min · enterprise tier	Live	Standard / Enterprise

RTO = Recovery Time Objective (max time to restore service). RPO = Recovery Point Objective (max acceptable data loss measured in time).

Connector program · structural moat

Every adapter ships with a cryptographic conformance certificate.

Incumbents treat integration as a trust black box. AssetShop inverts this: every adapter in the 57-adapter portfolio carries a public calibration entry, and each ships with a 12-check conformance scorecard documenting exactly what it reads and what it cannot do. A Conformance Certificate publishes per adapter as each passes its live gate (12/12). Customers verify with math, not vendor assurances.

Layer 1 · Transparency

Conformance Certificate

Every adapter publishes endpoints used, fields extracted, rate-limit posture, read-only attestation, and source SHA-256. Anchored to a tamper-evident external anchor. Verifiable by anyone.

Layer 2 · Reflexive accuracy

Calibration Multiplier Network

Every customer's Day 90 outcome (anonymized) refines the ROI methodology for the next prospect. The longer AssetShop runs, the more accurate the CFO deck becomes. Competitors cannot replicate without the install base.

Layer 3 · Audit durability

Open-source Verify CLI

Customers and auditors verify every claim using npx @assetshop/verify-cli - no AssetShop infrastructure needed. The audit trail remains verifiable even if AssetShop ceases operations.

Try it · sample CCC verification @assetshop/verify-cli conformance

Any prospect, customer, or auditor can verify a Conformance Certificate independently. The command below verifies the SAP S/4HANA adapter against its Q2 2026 anchored certificate:

$ npx @assetshop/verify-cli conformance CONF-S4-2026Q2
  -> CCC fetched from public registry (4.2 KB)
  -> Signature verified against AssetShop production key AS-2026-PRIMARY
  -> Adapter source SHA-256 matches CCC declaration
  -> 14 endpoints listed (all GET, all read-only)
  -> 67 fields extracted (all classified, all in field map)
  -> Rate limit: 5 rps / 20 burst / exponential backoff
  -> Data residency: tenant region only
  ✓ INTEGRITY VERIFIED · CCC valid through 2026-08-21
      

Why this is structurally durable Once a customer has Conformance Certificates in their audit trail, regression to an opaque competitor is downgrading audit posture. Procurement-security review now has a checkbox: does the vendor publish CCC equivalent? AssetShop is yes. Every alternative is no. Cyber-coverage providers (Marsh, Aon) quantify CCC-backed integration risk lower; customers see 8-14% premium reductions on integration cyber riders.

Published policies & evidence · 12 documents

The policies your audit committee actually reads.

Twelve counsel-ready policy drafts · privacy, security, IP, continuity, and feedback data processing · directly downloadable below. The full library covers everything procurement and CISO review packs typically request. For operational disclosure requests beyond what is published, contact AssetShopCo@gmail.com.

Public · directly downloadable

F-09 · PRIVACY ● Public

Privacy Policy

Data collection, retention, customer rights. GDPR Article 13/14 disclosures.

View policy

F-10 · USE ● Public

Acceptable Use Policy

Prohibited uses. Customer obligations. Suspension and termination triggers.

View policy

F-11 · PRIVACY ● Public

Sub-Processor List

All third parties that may process customer data. Customer notification on changes.

View list

F-12 · SECURITY ● Public

Vulnerability Disclosure Policy

Coordinated disclosure terms. 90-day window. Researcher acknowledgments.

View policy

F-01 · AI ● Public

AI Safety Operating Policy

NIST AI RMF + EU AI Act + ISO/IEC 42001 + OECD AI Principles + EO 14110 alignment.

View policy

F-14 · PRIVACY ● Public

Cookie Policy

Cookie usage on AssetShop properties. Consent management.

View policy

F-15 · LEGAL ● Public

DPA Template (Standard)

Standard Data Processing Agreement template per GDPR Article 28.

View template

F-16 · LEGAL ● Public

DMCA Takedown Policy

Takedown procedure. Designated agent. Counter-notice process.

View policy

F-17 · CONTINUITY ● Public

Founder Continuity Plan

4-tier custody chain. 24-hour activation. Drilled annually. Most vendors hide this; we publish it. Contractually bound in MSA §14, §15, Exhibit J, DPA §11.

View plan

F-18 · PRIVACY ● Public

Feedback Data Processing Addendum

Per-tenant adaptation (default ON) + cross-tenant anonymized aggregates (default OFF). K-anonymity K≥5, differential privacy epsilon=1.0, categorical buckets only. GDPR Article 7 compliant consent.

View addendum

F-19 · LEGAL · IP ● Public

Terms of Use & IP Notice

Copyright, trademark, proprietary architecture, defensive publication of three composition methods, MIT licensing of verify-cli, acceptable-use rules, and reservation of patent-filing rights. The IP framework for the moat.

View notice

View full policies directory →

Independent verification · no AssetShop credentials needed

Verify before you trust.

Run the open-source CLI. It fetches the L2-anchored root and recomputes the local hash chain. Match → integrity proven. Mismatch → our claims are demonstrably false. Your CISO and auditors read every line before installing.

01

Install

npm install -g @assetshop/verify-cli

One npm package. MIT-licensed. No AssetShop account or API key required.

02

Run

verify-cli event <ID>

CLI fetches the L2-anchored Merkle root and reconstructs the local chain. Pure SHA-256 comparison · no business logic.

03

Compare

✓ INTEGRITY VERIFIED

If roots match, the record is mathematically authentic. If they do not, the discrepancy is provable.

verify-cli · live example Open-source · MIT

$ npx @assetshop/verify-cli event EVT_2026Q2_847291
  → Event payload retrieved (87 bytes)
  → Hash chain reconstructed (247 predecessor events)
  → Merkle proof verified against published anchor (checkpoint 18472491)
  → Comparing root: 0x7f3a8c12...c19b94e
  ✓ INTEGRITY VERIFIED · event is authentic and unmodified

No customer data

The CLI is purely a SHA-256 hash comparator. It does not transmit customer data, observations, or any payload contents.

No proprietary algorithms

No closed business logic. Pure cryptographic primitives applied to a published anchor. Auditable end-to-end.

Institutional precedent

Same posture as OpenSSL, GnuPG, and Certificate Transparency tooling · the tool that verifies trust is itself transparent.

Other commands: verify-cli outcome-warranty <customer-slug> verify-cli residency <tenant-slug> verify-cli chain --since 2026-Q1

Founder continuity · published plan

The question every procurement team asks. Answered before you ask.

AssetShop SCO is, at this stage, a solo-founder operation. Bus factor is 1. Most vendors hide this; we acknowledge it and publish our mitigation. Below is the customer-shareable summary of our continuity plan - the full runbook is available under MNDA. The plan is drilled annually, contractually bound in MSA §14 / §15 / Exhibit J, and the audit chain that proves your data continues to exist is independently verifiable against the external anchor even if AssetShop ceases to exist.

4-tier custody chain · activates within 24 hours

Tier 1

Designated successor

Family / estate executor. Activates the runbook; coordinates Tier 2.

Tier 2

Founder's lawyer

Credentials in legal escrow. Releases on Tier-1 instruction.

Tier 3

IP escrow agent

Source repository held. Releases per objective escrow triggers.

Tier 4

Customer CTO custodian

Named in your MSA Exhibit J. Keeps your tenant operational during transition.

What we guarantee

Your tenant continues to operate. No data loss. No service interruption beyond a possible 1-2 hour partial-outage window during credential handover.
Your audit chain remains verifiable forever. Even in a worst-case wind-down, the external anchor + open-source verify-cli let your auditor verify history without AssetShop existing.
90 days of read-only access if wind-down ever occurs, with full data + audit chain export.
Contractually binding in MSA §14 (continuity), §15 (wind-down), Exhibit J (Tier-4 custodian), DPA §11 (data/audit export).

What we do NOT pretend

This plan does not eliminate bus factor 1. It mitigates impact. Hiring is the only true elimination.
We do not guarantee zero downtime through credential handover. 1-2 hours of partial outage is plausible.
We do not commit to a permanent successor by name. Wind-down (Option C) is a real possibility for any solo-founder venture.
This plan's usefulness depends on the founder maintaining the custody chain. Quarterly review is mandatory; lapses degrade the plan.

Operational continuity · beyond code custody

If the founder is unavailable for 4 weeks, here is exactly what runs your account.

The Founder Continuity Plan above protects the code, the data, the audit anchors, and the eventual disposition of the company. Operational continuity is the separate, parallel question: who answers your incident page on day 3 of the founder being unreachable? Below is the structural answer; the full vendor list and SLAs are under MNDA in Exhibit K.

CISO-as-a-service partner

Standing relationship with a Tier-1 vCISO firm (one of: Vanta-affiliated, Drata-affiliated, or boutique vCISO with enterprise references). On-retainer to handle security incident triage and customer notifications within 4 hours of activation. Identity disclosed under MNDA.

SRE-on-call partner

24/7 production-engineering pager rotation via a managed-SRE provider (engagement executes at first production tenant) with GCP-certified L3 responders. Activates within 30 minutes for P0/P1; carries credential access via Tier-2 custodian under MSA Exhibit J controls.

Cyber-insurance coverage

Cyber-liability + tech-E&O coverage scaled to total Founding-5 ARR. Includes breach-response retainer with named incident-response firm. Policy details and limits disclosed under MNDA per customer.

Key-person replacement window

MSA contractually commits to a 90-day successor engagement window on a permanent-incapacity trigger. Interim period covered by CISO + SRE partners above. Customer maintains 90-day read-only access guarantee throughout.

What we do NOT pretend

Operational continuity is mitigation, not elimination. Bus factor 1 means the founder remains the single best operator of this platform; partners reduce blast radius and preserve customer service continuity but do not match the founder's domain depth. Hiring an FTE engineer is the only permanent fix and is contractually planned at the second Founding-5 milestone (5 signed customers).

Drilled, not theoretical

The plan is rehearsed on a published cadence.

Annual: credential retrieval drilled end-to-end with Tier 2.
Quarterly: anchor wallet 2-of-2 multi-sig signing tested (KMS primary + paper backup seed in lawyer escrow).
Per signing: acting operator runs a staging deploy drill after each new Founding-5 customer.

Read full plan →

Services that learn with use · published method

Performance improves over time. Without your raw data ever leaving your tenant.

Static thresholds stale fast. Operator feedback is the cheapest signal we have to make detection sharper. We collect it, with two firm rules: per-tenant adaptation stays inside your tenant boundary, and cross-tenant aggregates require explicit opt-in and pass K-anonymity + differential privacy gates before publication. No raw customer data leaves your tenant in either path. This is principled statistics, not "AI learning" - we don't claim more than we deliver.

Layer 1 · per-tenant · default ON

Your data improves your experience.

When your operators mark a recommendation as a false positive, the per-tenant detection threshold drifts toward the correct value. Standard EWMA learning with operator-set hard bounds; alpha=0.1 slow-adaptation default. Stays entirely inside your tenant isolation boundary.

Tenant controls

Operator-set min/max bounds (threshold can never violate these)
Pin (force-constant) any signal's threshold at any time
Reset to default with one click
Opt out of per-tenant learning entirely (default is opt-in)

Layer 2 · cross-tenant · default OFF

Aggregates only. With formal privacy guarantees.

Only anonymized aggregates ever cross tenant boundary, and only with explicit opt-in. Aggregates pass three formal gates before publication: K-anonymity floor (K≥5 contributing tenants), Laplace differential-privacy noise (epsilon=1.0 default), and per-day query budget. Every aggregate egress is anchored to the audit chain.

What never leaves your tenant

Raw event payloads (records, identifiers, amounts)
Per-tenant signal values (only aggregate-of-aggregates)
Any tenant-identifiable pattern (categorical buckets only)
Anything not in our approved categorical schema

Honest data inventory

What we collect

Recommendation event kinds (surfaced, actioned, dismissed, outcome)
Categorical buckets (domain, industry, size, region, outcome window)
SHA-256 hash of the event payload (for audit chain only)
Acting principal (user_id or system service principal)
Timestamp + signal_type identifier

What we never collect

Supplier, vendor, customer, or employee names
Email addresses, phone numbers, addresses, tax IDs, DUNS
PO numbers, invoice numbers, monetary values
Free-text content from any system
Anything outside our approved categorical schema (defense-in-depth: PII-shaped values are rejected at ingest)

Formal privacy guarantees

Math, not promises.

K-anonymity floor K≥5 (the aggregate must combine signals from at least 5 opted-in tenants).
Differential privacy epsilon=1.0 default (Laplace noise calibrated to the metric's sensitivity).
Schema whitelist (only approved categorical filters permitted).
Daily query budget per aggregate definition (12/day default; prevents disclosure-via-iteration).
Every consent change + every aggregate egress recorded in the audit chain.

Read F-18 addendum →

Legal disclaimer · responsibility boundaries

What AssetShop is, and what it isn't.

Read-only intelligence platforms surface signals. Customer execution captures value or absorbs risk. This page documents the line between platform responsibility and customer responsibility - explicitly and unambiguously.

· Not advice
· Customer responsibility
· No warranty on insights
· No execution authority
· Independent verification
· Limitation of liability
· Confidentiality
    

01

Not advice. Not execution.

Information only

▸

AssetShop SCO surfaces insights, signals, recommendations, and analytical outputs based on data read from customer source systems. AssetShop is not a registered investment advisor, broker-dealer, financial advisor, legal counsel, accountant, or regulatory compliance authority. Information presented should not be construed as investment, financial, tax, legal, accounting, or regulatory advice.

02

Customer responsibility

Decisions belong to customer

▸

Customer bears sole responsibility for any business outcomes resulting from decisions made based on insights, recommendations, proposals, votes, approvals, or signals surfaced through the AssetShop platform. All hedging, sourcing, supplier-award, capacity-investment, regulatory-disclosure, treasury, financial, operational, and other business decisions remain with the customer's procurement, finance, treasury, legal, compliance, and operations functions.

03

No warranty on insights

Outcomes vary

▸

While AssetShop applies rigorous methodology and discloses every coefficient + benchmark used, no insight or recommendation can guarantee a specific business outcome. Markets shift; suppliers fail; regulations change; data quality varies. The Day-90 Outcome Warranty is a money-back commitment on first captured value documentation - not a guarantee of any specific dollar amount, return rate, or business result.

04

No execution authority

Read-only architectural posture

▸

AssetShop SCO does not execute trades, place hedge contracts, issue purchase orders, bind contracts, modify ERP transactions, instruct treasury operations, or commit the customer to any third-party obligation. All execution remains in customer-controlled source systems on the customer's normal workflow. AssetShop's role ends at surfacing the decision-record; execution is always a customer act.

05

Independent verification required

Verify before acting

▸

Customer is responsible for independent verification of all market data, financial figures, supplier information, regulatory deadlines, certification claims, carbon-emissions data, counterparty health signals, and other analytical outputs before taking action. Engaging qualified legal, financial, tax, regulatory, and compliance advisors for material decisions is the customer's responsibility.

06

Limitation of liability

Boundaries documented in MSA

▸

Master Services Agreement (MSA) Section 11 (Limitation of Liability) and Section 12 (Indemnification) document the precise legal boundaries between AssetShop and customer. Standard SaaS liability caps apply (typically 12 months of fees paid). AssetShop is not liable for indirect, incidental, consequential, special, exemplary, or punitive damages arising from customer's use of platform insights. Customer indemnifies AssetShop against third-party claims arising from customer's business decisions.

07

Confidentiality · MSA Section 10

Customer keeps platform learnings inside the organization.

▸

Customer is obliged not to share AssetShop's proprietary platform features, capabilities, derivation methodologies, calibration insights, configuration learnings, or related operational know-how outside the Customer organization. This includes (but is not limited to): published content, public RFP responses, conference presentations, vendor benchmark comparisons distributed beyond the buying team, social media disclosures, blog posts, podcasts, press interviews, and any other public distribution channel.

Permitted internal use: Customer may use platform documentation freely for internal training, audit-defense preparation, executive briefings, internal RFP responses, M&A diligence rooms (under standard NDA flow-down), and operational reference. NDA-bound advisors and auditors operating on Customer's behalf are permitted recipients under the standard confidentiality flow-down language.

What this protects: the methodology disclosures, signal-derivation explanations, capability descriptions, and parameter-tuning approaches that AssetShop shares with Customers are a competitive asset. Sharing them publicly degrades the protected value all Customers receive. Violations are governed by MSA Section 12 (Remedies). Standard exceptions for compelled disclosure (subpoena, regulatory inquiry) apply with required-notice obligation back to AssetShop.

● The one-paragraph version

AssetShop SCO surfaces signals from customer data; customer executes decisions in customer systems; customer bears responsibility for outcomes. AssetShop is not a registered advisor in any regulated category. No specific outcome is guaranteed; all insights require independent verification before acting. Platform methodology + learnings stay inside the customer organization per MSA Section 10. The Master Services Agreement documents the precise legal allocation of responsibility. By using AssetShop SCO, customer acknowledges and accepts these boundaries.

Document references

MSA Section 10 (Confidentiality of Platform Information) · MSA Section 11 (Limitation of Liability) · MSA Section 12 (Indemnification) · MSA Section 14 (Founder Continuity Plan) · DPA Section 4 (Data Processing) · SLA Section 3 (Service Credits and Remedies)

Customers verify our claims with math, not marketing.

Why we exist. What we are building toward. How we hold ourselves to it.

Restore the operator's ability to see the whole enterprise at once — without replacing the systems they have already paid for.

A decade from now, every consequential enterprise decision will be made on verifiable, source-attributed evidence — and the path from observation to action will be auditable end-to-end.

Six commitments we hold before any deal closes.

Calibration over polish

Source systems stay authoritative

Hours reclaimed, not headcount removed

Verifiable, not just trusted

Bring your own intelligence

Outcomes binary, refunds real

Information only. Decisions belong to the customer.

Advice, not execution

Decisions belong to customer

Outcomes vary

Read-only architectural posture

Verify before acting

Liability & indemnification

Customer keeps platform learnings inside the organization.

If we miss, you get the money back.

Every event is cryptographically anchored.

Every claim ships with a cryptographic receipt.

Tamper-evident audit anchor

Open-source verify-cli

Per-export receipt files

ZK proof of variance

Typeable tenant identity

Outcome-anchored escrow

The honest status. Not the aspirational claim.

Every adapter ships with a cryptographic conformance certificate.

The policies your audit committee actually reads.

Public · directly downloadable

Verify before you trust.

The question every procurement team asks. Answered before you ask.

Performance improves over time. Without your raw data ever leaving your tenant.

Bring your hardest security questions.

What AssetShop is, and what it isn't.