# EquanimGRC Trust Charter

**Effective:** April 14, 2026
**Owner:** Atomlab LLC, operator of EquanimGRC
**Canonical URL:** https://equanimgrc.com/trust

These are the six commitments we make to every customer, in writing, backed
by how the product is actually built. If any of these change, we will
announce the change at the canonical URL above with the old version
preserved alongside, and notify active customers directly. We will not
quietly edit our ethics.

---

## 01 — Human review before publish

**Commitment.** No compliance artefact ships without a named human approver.
Every version records who approved, when, and on what evidence.

**How we prove it.** Every policy version, evidence item, questionnaire
answer, and vendor change request flows through a multi-step approval
workflow with SLA, escalation, and a signed audit record. Drafts stay drafts
until a human with the right role clicks approve.

---

## 02 — Unique to your organization

**Commitment.** Your policies and answers reflect your environment. AI drafts
start the work. Your team finishes it.

**How we prove it.** AI-generated content is flagged in the database, visible
in the UI, and tracked separately from human-verified content. Approval
requires a human edit or an explicit attestation — you cannot rubber-stamp a
whole batch at once.

---

## 03 — Evidence over assertion

**Commitment.** Controls don't stand alone. Every attested control points to
dated, versioned evidence tied to a source document or system.

**How we prove it.** Evidence items carry upload timestamps, effective dates,
expiry dates, and the name of the person who uploaded them. Controls can't
be marked effective without at least one approved evidence item. Evidence
expiry triggers re-review.

---

## 04 — Transparent AI

**Commitment.** Every AI-assisted artefact is labelled as such, with model,
timestamp, source citations, and confidence visible to the reviewer.

**How we prove it.** AI drafts render with a visible badge — model name,
generation timestamp, confidence score, and links to the source policies and
evidence the model drew from. The person approving sees what the model saw.

The full set of AI principles is published separately and signed at
https://equanimgrc.com/policies/ai-ethics.md

---

## 05 — Time-honest

**Commitment.** An observation window means what it says. Controls can't be
attested for a period their evidence doesn't cover.

**How we prove it.** The platform enforces observation-window bounds in
software. A control attested effective from January to June requires
evidence whose dates land inside that window. Gaps and violations surface in
the Audit Readiness dashboard before they reach an auditor.

---

## 06 — Independent by design

**Commitment.** We don't take referral fees from auditors. Customers choose
their assessor. We publish our posture in writing.

**How we prove it.** EquanimGRC does not operate an auditor marketplace,
does not receive revenue share from audit firms, and does not route
customers toward a preferred pool. You bring your auditor. If this policy
ever changes, we will announce it loudly and in advance.

The full auditor independence policy is published separately and signed at
https://equanimgrc.com/policies/auditor-independence.md

---

## Verification

This document is published with a detached PGP signature. To verify:

```
curl -sL https://equanimgrc.com/pgp-key.asc | gpg --import
curl -sO https://equanimgrc.com/policies/trust-charter.md
curl -sO https://equanimgrc.com/policies/trust-charter.md.asc
gpg --verify trust-charter.md.asc trust-charter.md
```

A good signature made by the key whose fingerprint is listed below confirms
that this document is the one we published on the effective date above,
unchanged.

PGP key fingerprint: `5B61 9918 0EC8 D3E8 C6FA  CBDE CB80 F375 407E 3B26`
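
`gpg --verify` reports a good signature for any key already in the local keyring, so the check is only as strong as the comparison against the published fingerprint. The script below is an added example, not EquanimGRC's own tooling: it parses gpg's machine-readable status output and accepts the file only if the signature comes from the key with the fingerprint above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the charter and pin the signer to the published key.
# Fingerprint copied from the charter page, spaces removed.
PINNED_FPR="5B6199180EC8D3E8C6FACBDECB80F375407E3B26"

# Strip whitespace and upper-case a fingerprint so both sides compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin; $1 is the expected fingerprint.
# Returns 0 if every valid signature comes from the expected key,
#         1 if a valid signature comes from some other key,
#         2 if there is no valid signature or gpg flagged a bad, expired
#           or revoked one.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n++
            # Field 12 is the primary-key fingerprint; field 3 the signing key.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr != want) other = 1
        }
        END {
            if (bad || n == 0) exit 2
            if (other) exit 1
            exit 0
        }'
}

# Assumption: the fingerprint on the page is that of the primary key.
verify_pinned() {   # $1 = detached signature, $2 = signed file
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output (not captured from a real gpg run), showing the
# line format check_status parses.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CB80F375407E3B26 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 5B6199180EC8D3E8C6FACBDECB80F375407E3B26 2026-04-14 1776124800 0 4 0 22 10 00 5B6199180EC8D3E8C6FACBDECB80F375407E3B26'

# Usage after the download steps: sh verify.sh trust-charter.md.asc trust-charter.md
if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" && echo "signed by pinned key" || exit $?
fi
```

The pinned fingerprint is only as trustworthy as the channel it was read from, so compare it against a copy obtained somewhere other than the site serving the key.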
