Transparency Endpoints

Transparency beats spin.

VexVor publishes its public checksums, signed governance minutes, reserves snapshots, and incident records. This page is the single canonical entry point. As Phase I matures, each endpoint links to a live feed.

01 — Foundation Status

Stiftung in formation

VexVor will be operated by a Swiss federal foundation (Stiftung) established under Art. 80 ZGB. The foundation acts as legal and ethical guardian of the project — independent from the Operating Company and the DAO.

Structure
Swiss federal foundation (Stiftung)
Legal basis
Art. 80 ZGB · ESA-supervised
Canton
To be announced upon registration
Founding act
In drafting · publication on registration
02 — Endpoint Registry

What is published, where, and how often.

Endpoint
Master Blueprint
Cadence
On version
Status
v1.0 · 2025-08-19

Single source of truth. Marketing copy yields to it.

Endpoint
Policy checksum family
Cadence
On change
Status
hash_policy_v6

All scoring receipts reference this checksum.

Endpoint
Governance minutes
Cadence
Per session
Status
Phase II onward

Signed minutes (minutes.v1) with decisions, votes, dissent.

Endpoint
Reserves snapshots
Cadence
Monthly
Status
Phase II onward

Operating-days runway, liquidity tier breakdown.

Endpoint
Incident reports
Cadence
Per incident
Status
Live from Phase I

First update ≤60min · hourly until mitigated · post-mortem.

Endpoint
Algorithmic Impact Assessment
Cadence
Per scoring change
Status
Live from Phase I

Shadow run · fairness diff · 5% canary with rollback triggers.

Endpoint
Fairness pulse
Cadence
Monthly
Status
Phase II onward

ΔA-Score parity ≤3pp across cohorts; appeal-adjust rate parity.

Endpoint
Sub-processor list
Cadence
On change
Status
Live from Phase I

Vendor purpose, region, last review date.

Endpoint
Status page
Cadence
Real-time
Status
Live from Phase I

Components, incidents, next update times.

03 — Engineering Posture

How the system protects your data and your receipts.

Auth
OAuth2 (PKCE), JWT (EdDSA, 30m), passkeys for staff
Receipts
ed25519 signed · canonical JSON · yearly key rotation
DR
PITR · RPO ≤15m · RTO ≤2h · quarterly drill
SLOs
Attempts write p95 <600ms · Receipt lag p95 <120s · Escrow 99.9%
Headers
CSP strict-dynamic · COOP same-origin · COEP require-corp
Egress
Proxy allowlist · no user-supplied URLs without signed allow
Privacy
GDPR · CCPA · CNIL · DSAR ≤30d · consent receipts
A11y
WCAG 2.2 AA gate · Playwright + axe · 0 violations to GA
Bug Bounty
Critical €5,000+ · safe-harbor terms
04 — Privacy & Legal

The pillars, briefly.

Collection

Account basics. App events (PII-free). Optional proofs (time log, text, geohint). Payments and escrow. Optional loan artifacts.

Retention

Proofs: 7/30/180 days or per project (user-selectable). Receipts and invoices: 10 years. Analytics: 12–18 months. Logs: 30–90 days hot, audit WORM 12 months.

Rights

Access, export, delete, restrict, object. 30-day SLA (45 days if complex, with notice). Consent is reversible. Exports redact third-party PII.

Acceptable Use

Allowed: keep small promises, collaborate, deliver scoped milestones, appeal scores. Not allowed: harassment, doxxing, fraud, buying or selling reputation, spam, exploitation, malware. Enforcement ladder: coach → cool → quarantine → ban.

Press & research inquiries

For journalist or academic access to the Master Blueprint, scoring AIA, or governance documents, request via the Foundation.

transparency@vexvor.com