Incorporator Certifications

What an Incorporator seal asserts.

An Incorporator seal is a dated, HMAC-signed attestation that a named organization passed a named rubric at a specific version, issued by a named reviewer and revocable in public. A verifier recomputes the signature from the seal URL alone; a reader confirms the scope, the reviewer, and the controls the auditor checked on the verify page.

Seals are graduated into three tiers: Verified (automated floor), Certified (human audit), Accredited (continuous monitoring). The tier tells a procurement reader how much work the seal represents.


The three tiers

Verified, Certified, Accredited.

Real certifying bodies graduate their artifacts to the cost and consequence of what is being attested. AICPA ships SOC 2 Type I and Type II. ISO ships the 27001/27017/27018 family. B Lab publishes the 80-point threshold. Incorporator uses the same shape: one ladder per subject, three rungs.

Verified (180 days)

Three to five automated checks. Auto-issued on pass. 180-day validity, re-scanned daily.

Certified (365 days)

Full rubric, human auditor, weighted score with a required-control gate. 365-day validity.

Accredited (365 days, annual)

Every Certified control plus daily auto-rescan, quarterly human spot-check, and a 72-hour breach-disclosure obligation. 365-day validity, priced annual.

Subjects

Standard subjects.

Standard subjects cover the posture that most public websites need to assert. Industry subjects (fintech, SaaS, healthcare, e-commerce, nonprofit) live on the programs page with the same tier structure.

| Subject           | Verified    | Certified   | Accredited  |
|-------------------|-------------|-------------|-------------|
| Incorporator Seal | not offered | not offered | not offered |
| Privacy           | not offered | not offered | not offered |
| Trust             | not offered | not offered | not offered |
| Editorial         | not offered | not offered | not offered |
| Affiliate         | not offered | not offered | not offered |

Industry subjects (fintech, SaaS, healthcare, e-commerce, nonprofit) follow the same ladder; see the full programs page for details and pricing.

Issuance

What happens between apply and seal.

  1. Apply

    Four intake steps: organization identity, scope, attestations, payment. Nothing is submitted until the last button press.

  2. Evidence

    Upload documents and URLs the controls reference. Signed attestations are collected here for the control kinds that need them.

  3. Audit

    Five scanners run (privacy, DNS, TLS, policy, filing). An editor reviews manual and attested controls and signs the decision.

  4. Seal

    A signed seal goes live at a permanent URL. Expiry runs nightly; revocation is a public status flip.

If a control fails, the finding and the remediation the auditor would accept are published to the applicant dashboard within the program's SLA. Denials name each failed control.

What a seal contains

Signed over seven fields.

The HMAC-SHA256 signature on every seal covers a canonical JSON payload of seven fields: seal identifier, organization slug, program slug, rubric version, issue date, expiry date, and scope. Any verifier with the public key can recompute the signature from the seal URL alone; a revoke is a DB status flip, read live on every verify page.

Verified seals are valid for 180 days. Certified seals are valid for 365 days. Accredited seals are valid for 365 days and renewed annually. A cron runs nightly and marks expired seals; the verify page also computes effective status inline, so a reader never sees a stale "active" pill.
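
The signature check and the inline effective-status computation described above, as an added example that is not Incorporator's own code. The field names, the canonical form (sorted keys, compact separators, UTF-8), the expiry-day boundary and the sample key are assumptions; because HMAC is a symmetric construction, the verifier here holds the same secret key that produced the signature.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumed names for the seven signed fields the page lists.
SIGNED_FIELDS = ("seal_id", "org_slug", "program_slug", "rubric_version",
                 "issued", "expires", "scope")

def canonical_payload(seal: dict) -> bytes:
    """Serialize only the seven signed fields. Assumed canonical form:
    sorted keys, no insignificant whitespace, UTF-8."""
    missing = [f for f in SIGNED_FIELDS if f not in seal]
    if missing:
        raise ValueError(f"missing signed fields: {missing}")
    signed = {f: seal[f] for f in SIGNED_FIELDS}
    return json.dumps(signed, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sign(seal: dict, key: bytes) -> str:
    return hmac.new(key, canonical_payload(seal), hashlib.sha256).hexdigest()

def effective_status(seal, signature, key, stored_status, today) -> str:
    """Status a verify page should show, computed at read time."""
    expected = sign(seal, key).encode()
    # Constant-time comparison; a mismatch means a signed field was altered.
    if not hmac.compare_digest(expected, signature.encode()):
        return "invalid"
    if stored_status == "revoked":          # live revocation lookup wins
        return "revoked"
    # Assumption: the seal is still valid on its expiry date itself.
    if today > date.fromisoformat(seal["expires"]):
        return "expired"                    # even if the nightly job has not run
    return "active"

# Constructed sample data: not a real seal or key.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SEAL = {
    "seal_id": "seal-0001", "org_slug": "example-org",
    "program_slug": "privacy-verified", "rubric_version": "1.0.0",
    "issued": "2025-01-01", "expires": "2025-06-30", "scope": "example.org",
}
SAMPLE_SIG = sign(SAMPLE_SEAL, SAMPLE_KEY)

if __name__ == "__main__":
    print(effective_status(SAMPLE_SEAL, SAMPLE_SIG, SAMPLE_KEY, "active", date(2025, 3, 1)))
    tampered = dict(SAMPLE_SEAL, scope="*.example.org")
    print(effective_status(tampered, SAMPLE_SIG, SAMPLE_KEY, "active", date(2025, 3, 1)))
    print(effective_status(SAMPLE_SEAL, SAMPLE_SIG, SAMPLE_KEY, "active", date(2025, 7, 1)))
```

The third call shows the stale-status case: the stored status still reads "active", but the read-time check returns "expired".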

Every program page lists every control, its weight, whether the control is scanned, reviewed, or attested, and the pass criteria. The rubric is a document. If you read it and think a control is wrong, write to us; we publish corrections as versioned releases.
