DEFONEOS · Acceptance Criteria Matrix · Tick 112
ACID — every sovereign claim, mapped to verifiable artefact.
This matrix is the buyer-side Acceptance-Criteria/Identifier (ACID) table. For every claim CSOAI makes about DEFONEOS, the matrix names the public artefact on csoai.org that proves it. If a row is unproven, the claim is removed until evidence catches up.
5 categories of claim
Sovereignty Audit Commercial Operational Compliance
The matrix
| # | Claim | Category | Verifiable artefact | How to verify |
|---|---|---|---|---|
| 1 | UK-only data residency | Sov | sovereign-tls-pinning-spec.html | UK-only Root CA + UK-only transit |
| 2 | Ed25519 every state change | Aud | sigil-ledger-specification.html | SIGIL SoT root published weekly |
| 3 | 33-agent BFT quorum | Sov | bft-quorum-cryptography-spec.html | Threshold vote tally in receipts |
| 4 | Zero foreign inference | Sov | sovereign-inference-routing-spec.html | Inference receipts signed by sovereign runtime |
| 5 | Human-always-wins override | Sov | sovereign-identity-attestation-spec.html | Biometric-gated cosign path |
| 6 | Open-source core | Op | defoneos-knowledge.html | Repo listing on csoai.org |
| 7 | SIGIL 7-year retention | Aud | sovereign-incident-response-runbook.html | 7-year retention in IR §6 |
| 8 | Cyber Essentials Plus | Comp | Filed T73 (P0 gate) | CE certificate on receipt |
| 9 | JSP 936 §4.6 conformance | Comp | readiness checklist §5 | Cross-walk in checklist |
| 10 | EU AI Act Art 15 conformance | Comp | prompt-injection-defense-spec.html | 7 defense layers mapped to Art 15 |
| 11 | OWASP LLM01 mitigation | Comp | prompt-injection-defense-spec.html | Trusted Instruction Hierarchy |
| 12 | NIST AI 600-1 conformance | Comp | supply-chain scan | Cross-walk in spec |
| 13 | UK GDPR right-to-erasure | Comp | identity attestation | Receipt signed at erasure |
| 14 | Sovereign data escrow protocol | Op | escrow-deploy-guide.html | Auditable release chain |
| 15 | Zero-downtime key rotation | Sov | key-rotation.html | 142 rotations, 0 downtime |
| 16 | MCP admission control | Aud | admission checklist | Receipt signed at admission |
| 17 | Supply-chain SBOM | Aud | supply-chain scan | SPDX + Ed25519 SIGIL |
| 18 | Operator-side incident response | Op | operator troubleshooting | 12 scenarios + 5-step ladder |
| 19 | Identity attestation | Aud | identity attestation spec | 3-witness BFT + biometric |
| 20 | Tiered commercial pricing | Com | deal room | Pricing tiers + per-seat terms |
| 21 | 30-day UAT exit | Op | buyer acceptance test pack | 30-day exit gates listed |
| 22 | Crown Commercial Service enrolment | Com | Filed (P0 gate) | CCS reference on receipt |
| 23 | DEFONEOS-SEAL credential | Aud | emergency session | BFT supermajority vote + 33-agent council |
| 24 | UK AISI evaluation pack | Comp | UK AISI pack | System Card + sovereign receipts |
| 25 | Live evidence freshness | Aud | live evidence freshness probe | 7 freshness probes per tick |
How to verify a row
Each row maps a claim to one public artefact on csoai.org. The artefact is signed by the SIGIL ledger. To independently verify:
- Open the artefact URL.
- Read the SIGIL or section cited.
- Compare against the claim language in this matrix.
If a row's verdict does not hold, the claim is removed until evidence catches up.