
Trust Center

proofoffit.com is committed to security, fairness, and verifiable accountability. Every control listed below is live today or labelled explicitly as “in progress.”

Security at a glance

TLS 1.2+ encryption in transit
AES-256 encryption at rest
Hardened cloud perimeter and network segmentation
SSO / SAML & optional SCIM provisioning
MFA required for administrative access
Role-based access control and least privilege
Comprehensive audit logging and daily reviews
Daily backups with point-in-time recovery
Quarterly incident tabletop exercises
Annual vendor risk assessments

Compliance status: SOC 2 Type II in audit (FY2025–FY2026). A public Letter of Attestation will be linked here when available; the full report is provided under NDA through our request process.

Security documentation:

Sub-processors and data locations are listed with purpose, region, and DPA references in our data handling overview. Cross-border transfers rely on SCCs/UK Addendum with supplementary safeguards.

Fairness, validation & human oversight

What we measure

  • Adverse Impact Ratio (AIR): Selection rate of each protected group divided by the highest selection rate.
  • Error parity: False positive/negative rates monitored across groups when ground truth is available.
  • Calibration & drift: Segment-level calibration checks and alerts when feature distributions shift.

How we run studies

  • Fairness attributes collected only with explicit opt-in consent.
  • Attributes excluded from production decision features—used solely for validation/auditing.
  • Minimum sample thresholds and confidence intervals accompany every finding.
  • Model cards, validation reports, and change logs document methods and limitations.

Human-in-the-loop: Automated outputs are assistive. Customers review results, provide required notices, and maintain appeal channels. We do not claim bias-free outcomes; we publish metrics, methods, and limits.
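One way the metrics and study rules above combine in code, as an added example in Go that is not ProofOfFit's pipeline: per-group selection rates and AIR as defined above (each group's rate divided by the highest rate), a 95% Wilson interval on every rate, and a minimum-sample threshold so that a small group cannot set the reference rate. The group counts, the GroupOutcome and Finding types, and the 0.8 flag threshold (the conventional four-fifths cut-off, which the page itself does not cite) are constructed for the example.

```go
package main

import (
	"math"
	"sort"
)

// GroupOutcome holds constructed counts for one group: how many were evaluated and how many selected.
type GroupOutcome struct {
	Group    string
	Total    int
	Selected int
}

// Finding is the per-group result: selection rate, AIR against the reference rate, a 95% Wilson
// interval on the rate, and whether the group reached the minimum sample size.
type Finding struct {
	Group         string
	Rate, AIR     float64
	Low, High     float64
	EnoughSamples bool
}

// Wilson returns the 95% Wilson score interval for k successes out of n (the whole [0,1] when n == 0).
func Wilson(k, n int) (float64, float64) {
	if n == 0 {
		return 0, 1
	}
	const z = 1.96
	p, nf := float64(k)/float64(n), float64(n)
	denom := 1 + z*z/nf
	centre := (p + z*z/(2*nf)) / denom
	half := z * math.Sqrt(p*(1-p)/nf+z*z/(4*nf*nf)) / denom
	return centre - half, centre + half
}

// AdverseImpact computes each group's selection rate divided by the highest selection rate,
// as the page defines AIR. Only groups that meet minSamples can set the reference rate, so a
// small group with a high rate is reported but does not distort everyone else's ratio.
func AdverseImpact(groups []GroupOutcome, minSamples int) []Finding {
	rate := func(g GroupOutcome) float64 {
		if g.Total == 0 {
			return 0
		}
		return float64(g.Selected) / float64(g.Total)
	}
	best := 0.0
	for _, g := range groups {
		if g.Total >= minSamples {
			best = math.Max(best, rate(g))
		}
	}
	var out []Finding
	for _, g := range groups {
		f := Finding{Group: g.Group, Rate: rate(g), EnoughSamples: g.Total >= minSamples}
		if best > 0 {
			f.AIR = f.Rate / best
		}
		f.Low, f.High = Wilson(g.Selected, g.Total)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].AIR < out[j].AIR })
	return out
}

// Flagged lists the groups with enough samples whose AIR is below threshold; 0.8 is the
// conventional four-fifths cut-off, an assumption here rather than a figure from the page.
func Flagged(findings []Finding, threshold float64) []string {
	var names []string
	for _, f := range findings {
		if f.EnoughSamples && f.AIR < threshold {
			names = append(names, f.Group)
		}
	}
	return names
}
```

The interval matters as much as the point estimate: a group whose AIR is below the cut-off but whose Wilson interval still overlaps the reference group's rate is a finding that needs more data, not a conclusion, which is why a report should carry the sample size and the bounds alongside the ratio.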

Cryptographic audit trail (verifiable integrity)

ProofOfFit produces tamper-evident records for high-value actions. Each record is transformed into a deterministic form, hashed, cryptographically signed, and anchored into a daily Merkle tree. This enables independent verification that records were not altered after the fact.

This approach supports:

  • Operational trust: detect tampering or unauthorized changes
  • Audit readiness: reproduce verification from published artifacts
  • Governance: preserve a verifiable history of key actions and updates

What gets recorded (high level)

We protect the integrity of events such as:

  • Score generated
  • Decision reviewed
  • Record accessed
  • Model version applied (high level)
  • Policy or threshold updated (high level)

Public-facing examples are intentionally generic. Detailed schemas, field definitions, and realistic examples are provided to customers in an evidence pack.

Verification method (overview)

Verification checks four things:

  1. Deterministic representation
    We canonicalize the event so it serializes the same way every time (deterministic JSON).
  2. Event fingerprint
    We hash the canonical event using SHA-256. This hash is the event's immutable fingerprint.
  3. Signature validation
    We sign the event hash using Ed25519 (JWS alg=EdDSA). Anyone can verify the signature using our published public keys.
  4. Daily inclusion proof
    Each day, event hashes are added to a Merkle tree and a daily Merkle root is published. Customers can verify that a specific event hash is included in the published root using an inclusion proof.

Result: independent validation of event -> hash -> signature -> Merkle inclusion.
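The four checks above carried through end to end, as an added example in Go; this is illustrative code written for this page, not ProofOfFit's verifier or its published artifact format. It assumes Go's sorted-key JSON encoding as the deterministic form (a stand-in for a full canonicalization scheme such as RFC 8785), a compact JWS whose payload is the raw SHA-256 digest, RFC 6962-style node prefixing with an unpaired node promoted unchanged, and a demo key derived from a fixed seed. The event field names, the ProofStep type and every function name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Event is a hypothetical record; its field names are constructed, not ProofOfFit's schema.
type Event map[string]interface{}
// Steps 1-2: encoding/json sorts map keys and emits no whitespace, so one logical event always
// yields the same bytes (a stand-in for a scheme such as RFC 8785); SHA-256 of them is the fingerprint.
func EventHash(e Event) ([32]byte, error) {
	b, err := json.Marshal(e)
	return sha256.Sum256(b), err
}
// Demo key pair from a fixed, constructed seed; a deployment publishes only the public half.
var DemoPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var DemoPub = DemoPriv.Public().(ed25519.PublicKey)
var b64 = base64.RawURLEncoding
// Step 3: compact JWS with alg=EdDSA: base64url(header).base64url(digest).base64url(signature).
func SignHashJWS(priv ed25519.PrivateKey, hash [32]byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(hash[:])
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}
// VerifyHashJWS accepts only the header this system issues (no alg substitution), checks the
// Ed25519 signature over header.payload, and returns the digest the JWS covers.
func VerifyHashJWS(pub ed25519.PublicKey, jws string) (out [32]byte, err error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return out, errors.New("malformed JWS")
	}
	hdr, _ := b64.DecodeString(parts[0])
	digest, _ := b64.DecodeString(parts[1])
	sig, _ := b64.DecodeString(parts[2])
	if string(hdr) != `{"alg":"EdDSA"}` || len(digest) != len(out) ||
		!ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return out, errors.New("JWS header, payload or signature does not verify")
	}
	copy(out[:], digest)
	return out, nil
}
// Step 4: the daily tree is built over the event hashes. Internal nodes are SHA-256(0x01 || left || right)
// (RFC 6962-style domain separation, an assumption here); an unpaired node is promoted unchanged.
type ProofStep struct{ Sibling [32]byte; Left bool } // Left: sibling is to the left of the proved node
func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}
// MerkleProof returns the daily root and the inclusion proof for leaf idx (non-empty leaves, idx in range).
func MerkleProof(leaves [][32]byte, idx int) (root [32]byte, proof []ProofStep) {
	level := leaves
	for len(level) > 1 {
		var next [][32]byte
		for j := 0; j+1 < len(level); j += 2 {
			if idx == j {
				proof = append(proof, ProofStep{level[j+1], false})
			} else if idx == j+1 {
				proof = append(proof, ProofStep{level[j], true})
			}
			next = append(next, nodeHash(level[j], level[j+1]))
		}
		if len(level)%2 == 1 {
			next = append(next, level[len(level)-1])
		}
		level, idx = next, idx/2
	}
	return level[0], proof
}
// VerifyInclusion replays the sibling path from the leaf up to the published root.
func VerifyInclusion(leaf [32]byte, proof []ProofStep, root [32]byte) bool {
	for _, s := range proof {
		if s.Left {
			leaf = nodeHash(s.Sibling, leaf)
		} else {
			leaf = nodeHash(leaf, s.Sibling)
		}
	}
	return leaf == root
}
// VerifyEvent runs the full chain: event -> hash -> signature -> Merkle inclusion.
func VerifyEvent(pub ed25519.PublicKey, e Event, jws string, proof []ProofStep, root [32]byte) error {
	h, err := EventHash(e)
	if err != nil {
		return err
	}
	switch signed, err := VerifyHashJWS(pub, jws); {
	case err != nil:
		return err
	case signed != h:
		return errors.New("event does not match the signed fingerprint")
	case !VerifyInclusion(h, proof, root):
		return errors.New("event hash is not in the published root")
	}
	return nil
}
```

The producing side publishes the public key, the day's root and, per event, the JWS and its ProofStep path; the checking side needs nothing else and runs VerifyEvent offline. A record altered after the fact changes its canonical bytes and fails at the fingerprint comparison even though the signature itself is still valid, a signature transplanted from a different event fails the same way, and an event that was never folded into the day's tree fails at inclusion regardless of its signature; the header check refuses a JWS that names any algorithm other than EdDSA before a signature is even examined.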

Public verification artifacts

We publish the minimum necessary artifacts for independent verification:

Customer evidence pack (authenticated / on request)

For security and privacy, detailed schemas and realistic examples are not published publicly. Customers can obtain documentation, redacted examples, and event-specific inclusion proofs through the evidence pack.

Evidence & footnotes

Any numerical claim (for example, “37% faster time-to-hire”) must link to a methods note covering sample size, time period, control group, and statistical test. We will only publish metrics that meet this standard.