Checklist for independent audit of claims and documents (legal / technical / compliance) before moving from TESTNET to FULL LIVE. This is a readiness checklist โ it does not replace an external auditor's report.
| โ/โ | Checklist item | Acceptance criterion | Evidence |
|---|---|---|---|
| โ | Claims without certification/notification suggestion | No wording suggesting a certificate, accreditation or notified-body status; services described as advisory/readiness. | /en/trust-center |
| โ | Audit-only / readiness positioning | Public materials consistently position the offering as audit/readiness, not as implementation or compliance guarantee. | /docs/ai-act-readiness.html |
| โ | GRL legal umbrella | Responsible entity and legal umbrella (GRL) clearly identified; UnionAI โ legal entity relationship documented. | /en/governance |
| โ | GDPR / data protection | Privacy policy published, processing bases and data subject rights described; DPO contact indicated. | /en/privacy |
| โ | No AI Act overclaims | No statement declares "full AI Act compliance"; claims limited to mapping/readiness scope. | /docs/ai-act-readiness.html |
| โ/โ | Checklist item | Acceptance criterion | Evidence |
|---|---|---|---|
| โ | Authentication boundary | Private resources require a token; anonymous access to PRIVATE-scope data returns 401/403 (no payload or metadata leak). | /api/auth/* |
| โ | Rate limiting | Request limit active on sensitive endpoints; mechanism with fallback (Redis โ in-memory), verified under load. | smoke / CI |
| โ | Hash-chain evidence | Evidence chain verifiable end-to-end; no validation bypass; local artefact integrity confirmed. | /api/evidence/verify |
| โ | HA / backup | Multi-machine deployment (HA) and backup policy; state persistence survives restart. | /en/status |
| โ | Smoke CI | CI pipeline (Unit + Smoke) green on last deploy; regression tests for auth and evidence. | CI (Unit + Smoke) |
| โ | No secrets in repo/UI | Keys and tokens exclusively in environment secrets; no sensitive values in code, repository or UI layer. | repo audit + secret scan |
| โ/โ | Checklist item | Acceptance criterion | Evidence |
|---|---|---|---|
| โ | AI Act readiness matrix | Readiness matrix maps requirements to implementation status; gaps labelled and assigned. | /docs/ai-act-readiness.html |
| โ | Risk register | Risks catalogued with assessment, owner and mitigation status; current. | /en/risk-register |
| โ | Incident policy | Incident reporting, classification and communication process documented and publicly available. | /en/incidents |
| โ | Human oversight | Human oversight mechanisms over agent actions described; intervention and escalation points defined. | /en/human-oversight |
| โ | Evidence manifest | Evidence manifest complete; artefacts with sha256 hashes; no unexplained null entries. | /evidence/manifest.json |
The external review must be performed by independent third parties โ self-assessment does not satisfy this gate's criterion. Recommended composition:
Output: an external report with date, scope, findings and status of each checklist item. Items โ move to โ only on the basis of auditor confirmation.
First non-invasive review: 2026-05-24. Report and remediation status: docs/reports/EXTERNAL_REVIEW_2026-05-24.md.
โ
2026-05-24 โ GO CONTROLLED / NOT FULL GO. Report: EXTERNAL_REVIEW_2026-05-24.mdโ
2026-05-24 โ GO CONTROLLED; claims softened (LEGAL_CLAIMS_MATRIX).โ
2026-05-24 โ GO CONTROLLED conditionally. Report: AI_ACT_READINESS_REVIEW_2026-05-24.mdโ
2026-05-24 โ 0 BLOCKER/CRITICAL/MAJOR. Report: SELF_PENTEST_2026-05-24.mdโ
2026-05-25 โ completed and accepted; all CRITICAL + MAJOR addressed, verified live.Remediation: CRITICAL-01 (CSP), CRITICAL-02 (CORS allowlist), BLOCKER-01/02 โ closed. Details in report.
Aggregate status: independent pentest (RSpace) COMPLETED and ACCEPTED 2026-05-25; all CRITICAL + MAJOR addressed, verified live and accepted by the auditor. FULL GO (P2-07) REACHED: 3 signatures on /production-gate + NETWORK_STATUS=PRODUCTION switched 2026-05-26.