Trust is an engineering property.
Evidence-first decision authority: pinned semantics, replayable receipts, fail-closed control.
This legacy trust hub remains public for deep review. First-time partners should start at Trust Center, then move into deeper release or transparency details only as needed.
Appendix surfaces stay public, but they do not outrank the flagship or authority rails.
Prefer email? Write to security@meridianverity.com. No tracking by default.
Trust pillars
Evidence-first signals that survive skeptical review — without relying on trust alone.
Canonical public authority: PROD. Demo remains available for demonstration only and is not the primary trust surface.
Website release proof (offline‑verifiable)
This site ships as explicit releases: a Site Release Manifest + headchain, with a fail‑closed posture. If authenticity or integrity cannot be established, treat the state as HOLD.
Assurance artifacts
Procurement‑grade assurance bundle with integrity proofs and a local verifier workflow — built for skeptical review and clean audit attachments.
Air‑gapped reviewer kit
Run MVG verifiers in fully disconnected environments (no internet) — with self‑verify, audit‑ready print summaries, and ticket‑bound approvals.
Verifiable contact channels
Canonical routing for licensing, procurement, security, privacy, and legal — published as a verifiable descriptor.
Evidence acceptance criteria
We define what counts as evidence before asking you to trust a claim.
Control points that can’t be bypassed
If required evidence is missing or invalid, the safe outcome is HOLD and side effects remain blocked.
Third‑party replay
Reviewers can reproduce verification steps using deterministic receipts and audit‑ready records.
Artifacts manifest (SHA‑256)
Integrity inventory for reviewers. DSSE‑signed.
Policy & Evidence index
Compact JSON + DSSE pointers for procurement automation: official policy anchors + verifiable evidence rails.
SCITT bridge export
Export-only mapping: MVG DSSE evidence → SCITT “Signed Statement” concepts (issuer, subject digest, policy id, references).
Verifier SBOM
CycloneDX SBOM for the offline verifier assets.
Release signature (DSSE)
Binds this site’s artifacts manifest under pinned trust anchors.
Verifier signing keys
Report signer: ta.mvg.verifier.signing.2026-02-09.v31.demo
Fingerprint: sha256:3c78f8fb3ad3ca4059852ad858a1ee253dbf2a11525f3e649d7dae95a311ec74
Artifacts for review
Start here for security, procurement, or technical diligence.
Assurance Pack (offline‑verifiable)
Executive summary + scope + attestations, with integrity proofs and an offline verifier.
Sample Conformance Pack
Download the exact pack used for the 30‑second offline proof.
Run the verifier (offline)
Buyer‑run verification of pins + receipts. No uploads.
Signed website release manifest
Verify the verifier UI: SRI + signed release pointers, with a fail‑closed HOLD posture.
Security Disclosure Policy
Coordinated disclosure, scope, and safe‑harbor terms.
security.txt
Canonical contact + disclosure pointers.
Trust Brief (PDF)
One-page summary for procurement and security review.
Legal + procurement policies
Terms, Privacy, DPA, Subprocessors, and cookie disclosures.
Public drafts (optional)
Deep context for reviewers who want primary sources.
Fail‑closed UX
If any link fails, email security@meridianverity.com and we’ll route you. Do not include sensitive personal data. Note: some PDF artifacts may retain legacy contact headers; operational routing is via role aliases on this site.
Responsible disclosure
Please email security reports to security@meridianverity.com and include: (1) reproduction steps, (2) impact assessment, (3) affected components, and (4) relevant logs (if safe).
We prefer private reporting before public disclosure and coordinate fixes and timelines in good faith.
Do not include sensitive personal data.
Response targets (best effort)
- Acknowledge: within 2 business days
- Initial triage: within 5 business days
- Coordination: timeline depends on severity + reproducibility
How we work with reviewers
We align on: (1) the highest‑risk action surface, (2) what evidence is acceptable, and (3) how a reviewer can replay verification.
- Identify the control point (what must not be bypassed)
- Define evidence acceptance criteria (what must be proven)
- Replay verification using deterministic receipts
Security‑attended deep dive
If you need an expedited, security‑attended evaluation, email us with your control point and threat model assumptions. We’ll propose an evidence plan and a short review path your security team can validate.
Privacy by default
This site ships with no analytics and no third‑party scripts by default. Where we publish policies or artifacts, we keep them reviewable and portable.