Published policies · v1.0

Policies your audit committee actually reads.

Eight directly accessible public policies, plus four NDA-gated artifacts (SOC 2 Type I bridge letter, SOC 2 Type II report when issued, threat model, penetration test summary). Sensitive evidence is available under mutual NDA via security@assetshop.com with 24-hour turnaround.

Public · directly accessible

F-09 · PRIVACY Public
Privacy Policy
How AssetShop collects, retains, and processes personal data. GDPR · CCPA · CPRA disclosures and customer data rights.
View policy
F-10 · USE Public
Acceptable Use Policy
Prohibited uses, customer obligations, suspension and termination triggers. Misuse reporting workflow.
View policy
F-11 · PRIVACY Public
Sub-Processor List
All third parties that process customer data. 30-day notice on changes. Customer right to object.
View list
F-12 · SECURITY Public
Vulnerability Disclosure Policy
Coordinated disclosure terms. 90-day window. Researcher acknowledgments. Safe harbor scope.
View policy
F-01 · AI Public
AI Safety Operating Policy
NIST AI RMF · EU AI Act · ISO/IEC 42001 · OECD AI Principles · EO 14110 alignment. Customer rights.
View policy
F-14 · PRIVACY Public
Cookie Policy
Cookies and similar technologies on AssetShop properties. Consent management. Opt-out instructions.
View policy
F-15 · LEGAL Public
Data Processing Agreement (Template)
Standard DPA template per GDPR Article 28. SCCs (2021/914) for international transfers. Counsel-ready draft.
View template
F-16 · LEGAL Public
DMCA Takedown Policy
DMCA Section 512 takedown procedure. Designated agent contact. Counter-notice process.
View policy

Under NDA · sensitive evidence

SOC2-T1 Under NDA
SOC 2 Type I Bridge Letter
Independent auditor opinion. Available to customers and prospects under mutual NDA. Estimated Q4 2026.
Request via security@assetshop.com
SOC2-T2 Under NDA
SOC 2 Type II Report
Full Type II report with auditor opinion. Available under mutual NDA after issuance. Estimated Q1 2027.
Request via security@assetshop.com
PENTEST Under NDA
Penetration Test Summary
Third-party annual pen test executive summary. Available to customer security teams under NDA.
Request via security@assetshop.com
THREAT Under NDA
Threat Model (STRIDE)
Architectural threat model with STRIDE coverage. Available to customer security teams under NDA.
Request via security@assetshop.com
★ Request gated evidence

24-hour turnaround under mutual NDA

Sensitive security artifacts are available to qualified customers and prospects under a mutual non-disclosure agreement. AssetShop provides a counter-signed NDA within one business day of request.

Request NDA →
© 2026 AssetShop, Inc. · All policies counsel-ready drafts.
Trust Center Supply Chain Operations legal@assetshop.com
border-radius: var(--r-lg); } .calc-inputs { display: grid; grid-template-columns: 1fr 1fr; gap: 16px 22px; margin-bottom: 22px; } @media (max-width: 640px) { .calc-inputs { grid-template-columns: 1fr; } } .calc-label { display: block; font-family: var(--font-mono); font-size: 10px; font-weight: 700; letter-spacing: var(--ls-widest); text-transform: uppercase; color: var(--ink-muted); margin-bottom: 6px; } .calc-input { width: 100%; padding: 11px 14px; background: var(--bg); border: 1px solid var(--hairline); border-radius: 8px; font-family: var(--font-mono); font-size: 14px; color: var(--ink-strong); } .calc-input:focus { outline: none; border-color: var(--accent); } .calc-run-btn { width: 100%; padding: 13px 22px; background: var(--accent); color: white; border: none; border-radius: 8px; font-family: var(--font-mono); font-size: 12px; font-weight: 700; letter-spacing: var(--ls-wider); text-transform: uppercase; cursor: pointer; transition: all var(--t-fast); } .calc-run-btn:hover { background: var(--accent-bright); transform: translateY(-1px); } .calc-result { display: none; margin-top: 22px; padding: 22px; background: rgba(63,227,139,.04); border: 1px solid rgba(63,227,139,.22); border-radius: var(--r-md); } .calc-result.show { display: block; } .calc-result-label { font-family: var(--font-mono); font-size: 10px; font-weight: 700; letter-spacing: var(--ls-widest); text-transform: uppercase; color: var(--live); margin-bottom: 10px; } .calc-result-amount { font-family: var(--font-serif); font-size: 36px; font-weight: 500; color: var(--ink-strong); letter-spacing: -.015em; margin-bottom: 4px; } .calc-result-range { font-size: 13px; color: var(--ink-sec); margin-bottom: 14px; font-family: var(--font-mono); } .calc-result-detail { font-size: 12.5px; color: var(--ink-sec); line-height: 1.65; padding-top: 14px; border-top: 1px solid rgba(63,227,139,.18); } .calc-result-detail strong { color: var(--ink-strong); } /* ── Operator commitment ── */ .commitment-section { padding: 56px 0; background: linear-gradient(180deg, transparent, rgba(79,127,255,.025), transparent); text-align: center; } .commitment-content { max-width: 720px; margin: 0 auto; } .commitment-quote { font-family: var(--font-serif); font-style: italic; font-size: 21px; font-weight: 400; color: var(--ink-strong); letter-spacing: -.01em; line-height: 1.5; margin: 16px 0 0; } .commitment-quote strong { font-style: normal; color: var(--accent-bright); font-weight: 500; } /* ── Footer ── */ .footer { padding: 48px 0 36px; border-top: 1px solid var(--hairline); background: var(--bg-1); } .footer-grid { display: grid; grid-template-columns: 1.5fr 1fr 1fr 1fr; gap: 32px; margin-bottom: 32px; } @media (max-width: 768px) { .footer-grid { grid-template-columns: 1fr 1fr; } } @media (max-width: 480px) { .footer-grid { grid-template-columns: 1fr; } } .footer-col h4 { font-family: var(--font-mono); font-size: 10px; font-weight: 700; letter-spacing: var(--ls-widest); text-transform: uppercase; color: var(--ink-muted); margin: 0 0 14px; } .footer-col ul { list-style: none; padding: 0; margin: 0; } .footer-col li { margin-bottom: 9px; font-size: 13.5px; } .footer-col a { color: var(--ink-sec); } .footer-col a:hover { color: var(--ink-strong); } .footer-meta { padding-top: 24px; border-top: 1px solid var(--hairline); display: flex; justify-content: space-between; align-items: center; font-size: 12.5px; color: var(--ink-muted); flex-wrap: wrap; gap: 14px; } /* ── Final CTA ── */ .final-cta { padding: 64px 0; text-align: center; } .final-cta-buttons { display: inline-flex; gap: 12px; flex-wrap: wrap; justify-content: center; margin-top: 8px; } /* Trust ENS calculator mobile polish (v2.0.6) */ @media (max-width:640px){ .calc-input{font-size:16px !important} .calc-result-amount{font-size:28px !important} } /* v2.2.1: SVG iOS Safari rendering safety net - constrain any inline svg without explicit dimensions */ svg:not([width]):not([height]) { max-width: 100%; max-height: 100%; } a svg, button svg, .btn svg, .nav-links a svg, .icon-btn svg { max-width: 1.2em; max-height: 1.2em; } .brand svg, .brand-mark svg, .footer-brand svg { max-width: 28px; max-height: 28px; }
Trust Center · Anchored claims · Calibrated capabilities

Customers verify our claims with math, not marketing.

Every operational signal AssetShop produces carries a cryptographic SHA-256 fingerprint anchored to the public Base L2 audit chain. Capabilities are calibrated as LIVE, IN PROGRESS, or PLANNED with target dates. The Day 90 outcome warranty is contractual. Public policies are directly downloadable; sensitive evidence is available under NDA.

Audit chain
Base L2 · public anchored
● Live
SOC 2 Type II
Report estimated Q1 2027
● In progress
Accessibility
WCAG 2.2 Level AA
● Live
Outcome warranty
Day 90 binary determination
● Live
Day 90 binary outcome · contractual

If we miss, you get the money back.

Every Founding 15 pilot is bound by a Day 90 binary outcome determination signed before Day 0. SUCCESS, EXTEND, or REFUND - against a dollar-denominated threshold the customer's CFO and AssetShop's founder both sign. No vendor in our category writes this into the MSA.

● SUCCESS
Threshold met

Customer attests to validated savings or leakage at or above the Day 0 threshold. Founding 15 subscription begins. Pilot fee credited to subscription.

◐ EXTEND
Trajectory clear, threshold pending

Joint determination that trajectory will reach threshold by Day 180. No additional pilot fee. Customer decides whether to extend or refund at Day 180.

○ REFUND
Threshold not met

Pilot fee refunded cleanly via ACH within 30 days. No subscription auto-converts. Customer keeps all derivative work product from the pilot.

Calibration methodology
Day 90 dollar threshold is calibrated at 5%-12% of one quarter of procurement spend, scaled by adapter coverage of the customer's stack. Minimum threshold: $250K (5x pilot fee floor). Customer CFO/CPO co-signs Exhibit F before Day 0. Validation methodology and sign-off authority both pre-agreed.
Interactive · model your threshold

Inputs stay client-side. No data is transmitted to AssetShop. Use to model your own Day 90 threshold before discovery.

Recommended Day 90 threshold
-
-
-
Cryptographic provenance

Every event is cryptographically anchored.

Each operational event produces a one-way SHA-256 fingerprint. AssetShop's audit log is hash-chained off-chain and the chain root is anchored to Base L2 (Ethereum L2). Anchor cadence is configurable - default weekly, near-real-time on customer request. Only opaque hashes are public. Event contents stay within the tenant. The chain proves data existed at anchor time without exposing what it is.

01 · OBSERVE
Read-only signal

AssetShop reads from ERPs, procurement, planning, WMS, MES, TMS. Every read is recorded as an event with a SHA-256 fingerprint.

02 · CHAIN
Hash-chained log

Every event links to its predecessor by hash. Merkle tree root computed from the chain at each anchor interval.

03 · ANCHOR
Public Base L2 transaction

Merkle root committed to Base L2 via AssetShopAnchor contract. Tx hash returned. Permanent and public.

04 · VERIFY
Customer-side proof

Customer or auditor verifies any event against the L2-anchored root using npx @assetshop/verify-cli. No AssetShop infrastructure needed.

Calibrated capability status

The honest status. Not the aspirational claim.

Every capability is labeled LIVE (operating today), IN PROGRESS (active build with target date), or PLANNED (dated roadmap commitment). Each entry is anchored to the audit chain and can be independently verified.

Capability
Status
Target
SOC 2 Type I bridge letterIndependent auditor opinion · pre-Type II
In progress
Q4 2026 est.
SOC 2 Type II reportFull audit period observation
In progress
Q1 2027 est.
Base L2 mainnet anchor contractAssetShopAnchor.sol · post Solidity audit
In progress
Q3 2026
WCAG 2.2 Level AA conformanceAutomated + quarterly manual audit
Live
Conformance v1.0
Open-source verify-cli@assetshop/verify-cli on npm · MIT
Live
v1.0 published
Day 90 outcome warrantyMSA Exhibit F · contractually enforceable
Live
Standard
32 production adapters9 ERPs + 23 adjacent connectors
Live
All domains
Read-only architectureHard-coded at adapter contract level
Live
By design
Tenant isolationFirestore + role-gated callables
Live
By design
Per-tenant residencyUS East · US West · EU Central
Live
3 regions
EU AI Act + NIST AI RMF alignmentAI Safety Policy v1.0
Live
Policy F-01
ISO 27001 certificationInformation security management
Planned
2027
99.95% / 99.99% SLA tiersRTO 4hr · RPO 15min · enterprise tier
Live
Standard / Enterprise

RTO = Recovery Time Objective (max time to restore service). RPO = Recovery Point Objective (max acceptable data loss measured in time).

Connector program · structural moat

Every adapter ships with a cryptographic conformance certificate.

Incumbents treat integration as a trust black box. AssetShop inverts this: every one of the 32 adapters in the portfolio publishes a Conformance Certificate documenting exactly what it does, what it reads, and what it cannot do. Customers verify with math, not vendor assurances.

Layer 1 · Transparency
Conformance Certificate

Every adapter publishes endpoints used, fields extracted, rate-limit posture, read-only attestation, and source SHA-256. Anchored to Base L2. Verifiable by anyone.

Layer 2 · Reflexive accuracy
Calibration Multiplier Network

Every customer's Day 90 outcome (anonymized) refines the ROI methodology for the next prospect. The longer AssetShop runs, the more accurate the CFO deck becomes. Competitors cannot replicate without the install base.

Layer 3 · Audit durability
Open-source Verify CLI

Customers and auditors verify every claim using npx @assetshop/verify-cli - no AssetShop infrastructure needed. The audit trail remains verifiable even if AssetShop ceases operations.

Try it · sample CCC verification @assetshop/verify-cli conformance

Any prospect, customer, or auditor can verify a Conformance Certificate independently. The command below verifies the SAP S/4HANA adapter against its Q2 2026 anchored certificate:

$ npx @assetshop/verify-cli conformance CONF-S4-2026Q2 -> CCC fetched from public registry (4.2 KB) -> Signature verified against AssetShop production key AS-2026-PRIMARY -> Adapter source SHA-256 matches CCC declaration -> 14 endpoints listed (all GET, all read-only) -> 67 fields extracted (all classified, all in field map) -> Rate limit: 5 rps / 20 burst / exponential backoff -> Data residency: tenant region only ✓ INTEGRITY VERIFIED · CCC valid through 2026-08-21
Why this is structurally durable Once a customer has Conformance Certificates in their audit trail, regression to an opaque competitor is downgrading audit posture. Procurement-security review now has a checkbox: does the vendor publish CCC equivalent? AssetShop is yes. Every alternative is no. Cyber-coverage providers (Marsh, Aon) quantify CCC-backed integration risk lower; customers see 8-14% premium reductions on integration cyber riders.
Published policies & evidence

The policies your audit committee actually reads.

Public policies are directly downloadable below. Sensitive evidence (SOC 2 report, threat model, pen test summary, incident response procedures) is available under mutual NDA via security@assetshop.com with 24-hour turnaround.

Public · directly downloadable

F-09 · PRIVACY ● Public
Privacy Policy
Data collection, retention, customer rights. GDPR Article 13/14 disclosures.
View policy
F-10 · USE ● Public
Acceptable Use Policy
Prohibited uses. Customer obligations. Suspension and termination triggers.
View policy
F-11 · PRIVACY ● Public
Sub-Processor List
All third parties that may process customer data. Customer notification on changes.
View list
F-12 · SECURITY ● Public
Vulnerability Disclosure Policy
Coordinated disclosure terms. 90-day window. Researcher acknowledgments.
View policy
F-01 · AI ● Public
AI Safety Operating Policy
NIST AI RMF + EU AI Act + ISO/IEC 42001 + OECD AI Principles + EO 14110 alignment.
View policy
F-14 · PRIVACY ● Public
Cookie Policy
Cookie usage on AssetShop properties. Consent management.
View policy
F-15 · LEGAL ● Public
DPA Template (Standard)
Standard Data Processing Agreement template per GDPR Article 28.
View template
F-16 · LEGAL ● Public
DMCA Takedown Policy
Takedown procedure. Designated agent. Counter-notice process.
View policy

Under NDA · via security@assetshop.com

SOC2-T1 ◐ Under NDA
SOC 2 Type I Bridge Letter
Issued by audit firm. Available to customers and prospects under mutual NDA.
Request via security@assetshop.com
SOC2-T2 ◐ Under NDA
SOC 2 Type II Report
Full Type II report with auditor opinion. Available under mutual NDA after issuance.
Request via security@assetshop.com
PENTEST ◐ Under NDA
Penetration Test Summary
Third-party pen test executive summary. Annual cadence. Available under NDA.
Request via security@assetshop.com
THREAT ◐ Under NDA
Threat Model (STRIDE)
Architectural threat model. Available to customer security teams under NDA.
Request via security@assetshop.com
View full policies directory →
Independent verification

Verify before you trust.

Customers verify AssetShop's claims using the open-source CLI. The tool fetches the L2-anchored root and computes the local hash chain - if they match, integrity is proven. If they don't, our claims are demonstrably false. No AssetShop credentials or infrastructure access required.

Open-source · MIT @assetshop/verify-cli

Institutional best practice (parallel to OpenSSL, GnuPG, and Certificate Transparency tooling). The CLI is purely a SHA-256 hash comparator against the public Base L2 chain - no customer data, no proprietary algorithms, no business logic. Your CISO and external auditors can read every line before installing.

$ npm install -g @assetshop/verify-cli $ npx @assetshop/verify-cli event EVT_2026Q2_847291 → Event payload retrieved (87 bytes) → Hash chain reconstructed (247 predecessor events) → Merkle proof fetched from Base L2 (block 18472491) → Comparing root: 0x7f3a8c12...c19b94e ✓ INTEGRITY VERIFIED · event is authentic and unmodified

Other commands: npx @assetshop/verify-cli outcome-warranty <customer-slug> · npx @assetshop/verify-cli residency <tenant-slug>

Founding-15 covenant · MSA §12.14 + Exhibit G

Operator hours reclaimed via AssetShop SCO are reallocated to sales, innovation, customer service, training, and new-segment expansion - not workforce reduction. This commitment is contractually binding under Section 12.14 of every Founding 15 MSA, with annual self-attestation per Exhibit G.

Good-faith covenant Annual CHRO self-attestation Subscription term + 12-month tail
Talk to the founder

Bring your hardest security questions.

Every conversation is founder-led. Bring your CISO, your auditor, your procurement security review - we'll answer directly with the evidence under NDA.

Open conversation → Supply Chain Operations