Compare · software trust evidence
Public trust center vs verifiable evidence packet
A public trust center is a page a buyer reads: posture, badges, and policy summaries laid out for first contact. A verifiable evidence packet is a signed record a buyer can independently check instead of taking a badge on faith.
| | Trust center | Verifiable evidence packet |
|---|---|---|
| What it produces | A published posture and policy summary page | A signed, buyer-readable evidence packet and dossier |
| The human decision | Summarizes posture, not per-finding decisions | Records the risk decision with owner and expiry |
| Buyer can independently check | Reader takes the badge on faith | Buyer checks the signature and artifact binding |
| Re-run vs durable record | A page kept current as posture changes | A durable signed record bound to the finding |
| Scope | The published page a buyer reads | A portable record with review history attached |
What trust centers do well
A public trust center is an excellent front door. It gathers your posture, badges, sub-processors, and policy summaries onto one page a buyer can read in five minutes, before any call or NDA. For early-stage diligence and self-serve buyers, that published summary answers the common questions fast and sets expectations cleanly.
Where the scope stops
A trust center publishes a summary the reader takes on faith: the page asserts a posture, but the reader cannot independently check the signature, the artifact it came from, or the review history behind a badge. Its scope is the published page, not a portable record bound to a specific finding and the human decision around it. When a reviewer wants to confirm origin and integrity for themselves, the static summary has nothing for them to check.
What a verifiable evidence packet adds
OpenSoyce observes your dependency, CI, package, and AI-agent evidence and binds each item to its source. When you accept a risk, it records the entry with an owner and an expiry without resolving or hiding the original finding, and it surfaces contradictions between sources as review signals. It assembles a signed evidence packet plus a buyer-readable dossier, with a JSON export and signed webhook events that carry the same record into a buyer's process. A buyer can independently check the signature and artifact binding, which attest integrity and origin, and read the full review history that travels with the record.
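The buyer-side checks described above, as an added example that is not OpenSoyce's code or packet format: the packet layout, field names, the constructed sample artifact and key, and the use of an HMAC in place of the real signature scheme (chosen so the example runs on the standard library alone) are all assumptions. The point it shows is that a valid signature and a matching artifact digest say nothing about whether a finding is resolved or an accepted risk has expired.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample artifact (a package manifest) that the packet binds to.
ARTIFACT = b"name: demo-lib\nversion: 1.4.2\n"
# Constructed sample key; stands in for the publisher's signing key (HMAC is
# used here only so the example runs on the standard library).
PUBLISHER_KEY = b"demo-publisher-key"
# Constructed sample packet: one open finding with an accepted-risk entry.
PACKET = {
    "artifact_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    "findings": [{
        "id": "F-1",
        "title": "dependency pinned to a version with a known advisory",
        "status": "open",
        "risk_acceptance": {"owner": "appsec-lead", "expires": "2025-06-30T00:00:00+00:00"},
    }],
}

def canonical(packet):
    # Stable byte form so signer and verifier hash exactly the same thing.
    return json.dumps(packet, sort_keys=True, separators=(",", ":")).encode()

def sign(packet, key):
    return hmac.new(key, canonical(packet), hashlib.sha256).hexdigest()

def check_packet(packet, signature, artifact, key, now):
    """Buyer-side checks. Each answers one question; none implies the others."""
    report = {
        # Origin and integrity: the bytes are what the publisher signed.
        "signature_valid": hmac.compare_digest(sign(packet, key), signature),
        # Binding: the packet describes the artifact actually in hand.
        "artifact_bound": packet["artifact_sha256"] == hashlib.sha256(artifact).hexdigest(),
        "unresolved": [],            # findings still open, whatever the signature says
        "expired_acceptances": [],   # accepted risks whose expiry has passed
    }
    for f in packet["findings"]:
        if f["status"] != "resolved":
            report["unresolved"].append(f["id"])
        ra = f.get("risk_acceptance")
        if ra and datetime.fromisoformat(ra["expires"]) <= now:
            report["expired_acceptances"].append((f["id"], ra["owner"]))
    return report

if __name__ == "__main__":
    sig = sign(PACKET, PUBLISHER_KEY)
    print(check_packet(PACKET, sig, ARTIFACT, PUBLISHER_KEY, datetime(2025, 9, 1, tzinfo=timezone.utc)))
```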
When to use which
Use both. A public trust center is the right front door for first-contact diligence and self-serve buyers reading your posture at a glance. Reach for an OpenSoyce evidence packet when a reviewer wants to check origin and integrity themselves and read the decision behind a specific finding, not just the summary.
The boundary
OpenSoyce preserves and explains the evidence and the decision around it; it does not certify, verify, or approve anything. A signature proves integrity and origin, not that a finding is resolved, and your buyer's policy decides trust.