SynOI

Standards · alignment

We did not invent the cryptography.

Every primitive SynOI relies on is a published, third-party-reviewed standard. Every body we align with is named below, with the artifact, the status, and where it shows up in the product. If something is "planned," we say so.

TRACK A · Vendor credentials

Certifications SynOI Inc holds

The audits, attestations, and memberships your procurement team asks us for. Standard SaaS-vendor credentials. Required to sell; not part of what you buy.

TRACK B · Customer Compliance Packs

Frameworks we help you comply with

Pre-built mappings + dashboards + audit exports for NIST AI RMF, ISO 42001, EU AI Act, HIPAA, and others. What makes SynOI a compliance product for your AI program. See /solutions/compliance.

Active · in production today
In flight · application or audit underway
Planned · scheduled, not started

Cloud Security Alliance

STAR for AI

In flight

Application materials in flight; CSA category alignment confirmed since the Agentic Control Plane announcement (March 2026).

Governance posture · Trust center

Cloud Security Alliance

Corporate membership

Planned

Planned membership concurrent with STAR submission.

Governance posture

OpenSSF

Open Source Security Foundation

Active

Best-practices alignment: OpenSSF Scorecard, SLSA-style attestations, sigstore integration, supply-chain controls.

SCG, registry mirror, OID resolver

sigstore

Rekor + cosign

Active

Receipt roots anchorable to Rekor for tamper-evidence beyond SynOI infrastructure.

SRAID log anchoring

in-toto

Attestation framework

Active

SCG produces in-toto-compatible attestations on publish, consumable by any SLSA-aware verifier.

Supply Chain Guard

IPLD

InterPlanetary Linked Data

Active

Content-addressed linking model. SRAID/CDRO OIDs are IPLD-compatible CIDs.

SRAID object layer

IETF

Internet-Draft draft-shovan-gap-00

In flight

Governed Action Protocol: four-phase lifecycle (Declare, Grant, Invoke, Receipt), CDRO object model, grant evaluation algorithm, and conformance tiers L1-L4. Submitted as an IETF Individual Internet-Draft.

GAP protocol

IETF

RFC 8032: EdDSA

Active

Ed25519 signatures on Decision Receipts. Every receipt is signed, and any RFC 8032-compliant library can verify it offline with nothing but the issuer's public key.

Receipt signature

IETF

RFC 8949: CBOR

Planned

Concise Binary Object Representation. A future SRAID binary profile will use CBOR; current wire format is canonical JSON.

SRAID (future)

IETF

RFC 8152: COSE

Planned

CBOR Object Signing and Encryption. Planned for a future SRAID signing envelope; current Decision Receipts use hybrid Ed25519 + ML-DSA-65 on canonical JSON.

SRAID (future)

IETF

RFC 7519: JWT

Active

Portal session tokens and magic-link tokens are JWTs that carry distinct token-type claims; each endpoint accepts only its own type, so a magic-link token cannot be replayed as a session token, or the reverse.

Portal auth
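The type-claim check described above, as an added example in Go (not SynOI's portal code). The claim names, the two type values, the HS256 key and the Mint/Verify functions are all assumptions of the example; it shows that a magic-link token which verifies in the magic-link flow is rejected by the session verifier even though its signature is valid, and that the verifier pins the algorithm rather than trusting the token header.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token types for the two portal flows (names assumed for this example).
const (
	TypSession   = "session"
	TypMagicLink = "magic_link"
)

// DemoKey is a constructed HMAC key for the example only.
var DemoKey = []byte("constructed-demo-key-do-not-use")

// Claims is the minimal claim set signed here; "typ" is the token-type
// claim that separates the two flows.
type Claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Mint issues an HS256 JWT carrying the given claims.
func Mint(key []byte, c Claims) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// Verify checks algorithm, signature, expiry and token type, in that order.
// wantTyp is the type the presenting endpoint requires: session middleware
// passes TypSession, the magic-link redemption handler passes TypMagicLink.
func Verify(key []byte, token, wantTyp string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The verifier pins the algorithm; "alg":"none" or a swapped alg fails here.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	// Cross-type replay is blocked here, after the signature already passed.
	if c.Typ != wantTyp {
		return nil, fmt.Errorf("token type %q presented where %q is required", c.Typ, wantTyp)
	}
	return &c, nil
}

func main() {
	now := time.Now()
	link, _ := Mint(DemoKey, Claims{Sub: "alice@example.com", Typ: TypMagicLink, Exp: now.Add(10 * time.Minute).Unix()})
	_, err := Verify(DemoKey, link, TypMagicLink, now)
	fmt.Println("magic-link token redeemed as magic link:", err)
	_, err = Verify(DemoKey, link, TypSession, now)
	fmt.Println("magic-link token replayed as session:", err)
}
```

The order of checks matters: the signature is verified before any claim is read, so the type comparison only runs on tokens the portal actually issued, and the type comparison is a separate check from expiry so a long-lived session token and a short-lived magic link cannot substitute for each other by timing alone.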

NIST

FIPS 204: ML-DSA

Active

Post-quantum signature scheme. ML-DSA-65 ships alongside Ed25519 in hybrid receipt signing today. KMS-backed PQ key rotation is a planned upgrade.

Decision Receipt signing
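The offline receipt verification described under RFC 8032 and the hybrid envelope described under FIPS 204, as one added example in Go (not SynOI's code). The receipt field names, the envelope layout, the canonical form (sorted keys, no whitespace, no HTML escaping) and the AND policy over signature legs are assumptions of the example. Only the Ed25519 leg is exercised because Go's standard library has no ML-DSA-65; an ML-DSA leg would verify the same canonical bytes through the same loop.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is a constructed stand-in for a Decision Receipt body.
type Receipt map[string]any

// Signature is one detached signature leg; a hybrid envelope carries one
// Ed25519 leg and one ML-DSA-65 leg over the same canonical bytes.
type Signature struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Value string `json:"value"`
}

// Envelope is the wire object: receipt plus its signature legs.
type Envelope struct {
	Receipt Receipt     `json:"receipt"`
	Sigs    []Signature `json:"sigs"`
}

// Canonicalize renders a value as deterministic JSON: keys sorted at every
// level (Go's encoder does this for maps), no whitespace, no HTML escaping.
func Canonicalize(v any) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

// Sign produces an envelope whose Ed25519 signature covers the canonical bytes.
func Sign(priv ed25519.PrivateKey, kid string, r Receipt) (*Envelope, error) {
	msg, err := Canonicalize(r)
	if err != nil {
		return nil, err
	}
	sig := Signature{Alg: "Ed25519", Kid: kid, Value: base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, msg))}
	return &Envelope{Receipt: r, Sigs: []Signature{sig}}, nil
}

// Verify re-canonicalizes the embedded receipt and checks every leg against
// the public key named by kid. Only public keys are needed, so it runs
// offline. Policy is AND: every leg must verify, and a leg with no available
// verifier fails closed rather than being skipped.
func Verify(keys map[string]ed25519.PublicKey, env *Envelope) error {
	if len(env.Sigs) == 0 {
		return errors.New("unsigned receipt")
	}
	msg, err := Canonicalize(env.Receipt)
	if err != nil {
		return err
	}
	for _, s := range env.Sigs {
		if s.Alg != "Ed25519" {
			return fmt.Errorf("no verifier for alg %q", s.Alg)
		}
		pub, ok := keys[s.Kid]
		if !ok || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("unknown kid %q", s.Kid)
		}
		raw, err := base64.RawURLEncoding.DecodeString(s.Value)
		if err != nil || len(raw) != ed25519.SignatureSize {
			return errors.New("malformed signature")
		}
		if !ed25519.Verify(pub, msg, raw) {
			return fmt.Errorf("signature by %s does not match receipt", s.Kid)
		}
	}
	return nil
}

// Roundtrip serializes and re-parses the envelope as a remote verifier
// would; the re-parsed receipt must canonicalize to the signed bytes.
func Roundtrip(env *Envelope) (*Envelope, error) {
	wire, err := json.Marshal(env)
	if err != nil {
		return nil, err
	}
	var out Envelope
	return &out, json.Unmarshal(wire, &out)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	r := Receipt{"action": "deploy", "decision": "allow", "ts": int64(1700000000),
		"actor": map[string]any{"agent": "a-1", "tenant": "t-9"}}
	env, _ := Sign(priv, "k1", r)
	got, _ := Roundtrip(env)
	keys := map[string]ed25519.PublicKey{"k1": pub}
	fmt.Println("verify:", Verify(keys, got))
	got.Receipt["decision"] = "deny"
	fmt.Println("after tamper:", Verify(keys, got))
}
```

The point of canonicalizing on both sides is that the verifier never trusts bytes it did not produce: it rebuilds the message from the parsed receipt, so a receipt that was reordered or reformatted in transit still verifies, while one whose content changed does not.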

NIST

AI Risk Management Framework

Active

Governance posture mapped to GOVERN / MAP / MEASURE / MANAGE functions. Used to structure policy packs.

Policy Packs · Trust center

NIST

SP 800-53 / 800-171 control language

Active

Receipt and policy schemas borrow control-family vocabulary for regulated procurement.

Regulated industries

ISO/IEC

42001: AI Management Systems

Planned

Targeted following SOC 2 Type II. Independent management-system certification for AI governance.

Governance posture

ISO/IEC

27001: InfoSec management

Planned

Targeted following SOC 2 Type II to support international procurement.

Governance posture

AICPA

SOC 2 Type II

In flight

Audit in progress. Target window: Q1 2027.

Trust center

HHS

HIPAA BAA template

Planned

Template Business Associate Agreement ships with SOC 2 cutover. Enables healthcare deployments.

Healthcare solution

European Union

GDPR data-residency controls

Planned

Region-pinned receipt retention and tenant-scoped right-to-erasure flows. Enterprise tier.

Enterprise solution

European Union

EU AI Act

Planned

Designed to map to human-oversight (Art. 14) and record-keeping (Art. 12) obligations: approval checkpoints + signed Decision Receipts are the evidence trail.

Governance posture · Decision Receipts

Cloud Security Alliance

AI Controls Matrix (AICM)

In flight

STAR for AI is built on the AICM. Receipt compliance tags are being mapped to AICM control domains.

Governance posture

FedRAMP

FedRAMP (Moderate)

Planned

Sequenced after SOC 2 Type II. Target for federal and public-sector deployments.

Government solution

DoD / CISA

Continuous ATO (cATO)

Planned

Real-time signed Decision Receipts + continuous evidence are the cATO posture: ongoing authorization rather than a point-in-time ATO.

Government solution

Procurement questionnaire?

We fill in security questionnaires directly, no NDA gate, no sales detour. Use the contact form with your spec and we'll return a completed version.