Trust Charter
The GRC industry has a provenance problem. Artefacts get generated; nobody can tell which human reviewed which assertion, against what evidence, on what date.
These are the six commitments we make to every customer, backed by how the product is actually built.
No compliance artefact ships without a named human approver. Every version records who approved, when, and on what evidence.
How we prove it
Every policy version, evidence item, questionnaire answer, and vendor change request flows through a multi-step approval workflow with SLA, escalation, and a signed audit record. Drafts stay drafts until a human with the right role clicks approve.
Your policies and answers reflect your environment. AI drafts start the work. Your team finishes it.
How we prove it
AI-generated content is flagged in the database, visible in the UI, and tracked separately from human-verified content. Approval requires a human edit or an explicit attestation — you cannot rubber-stamp a whole batch at once.
Controls don't stand alone. Every attested control points to dated, versioned evidence tied to a source document or system.
How we prove it
Evidence items carry upload timestamps, effective dates, expiry dates, and the name of the person who uploaded them. Controls can't be marked effective without at least one approved evidence item. Evidence expiry triggers re-review.
Every AI-assisted artefact is labelled as such, with model, timestamp, source citations, and confidence visible to the reviewer.
How we prove it
AI drafts render with a visible badge — model name, generation timestamp, confidence score, and links to the source policies and evidence the model drew from. The person approving sees what the model saw.
An observation window means what it says. Controls can't be attested for a period their evidence doesn't cover.
How we prove it
The platform enforces observation-window bounds in software. A control attested effective from January to June requires evidence whose dates land inside that window. Gaps and violations surface in the Audit Readiness dashboard before they reach an auditor.
We don't take referral fees from auditors. Customers choose their assessor. We publish our posture in writing.
How we prove it
EquanimGRC does not operate an auditor marketplace, does not receive revenue share from audit firms, and does not route customers toward a preferred pool. You bring your auditor. If this policy ever changes, we will announce it loudly and in advance.
Read further
Our principles for AI in compliance: where we use it, where we don't, and what we tell you about every artefact we help you draft.
The numbers we commit to publishing every quarter — human-approval rates, edit-before-approval rates, incident counts, AI models in production.
Our written policy on auditor relationships. No referral fees. No captive audit-firm pool. Customers choose their assessor.
Our PGP public key, signed documents, and instructions to independently verify the integrity of everything we publish.