External attestations · current as of 2026-04-15

Independent firms, looking at our chain.

Five attestations stand against the HCR protocol today. Three SOC reports, one reserve attestation against the Coverdell pool, and one annual covenant-compliance opinion. Each is hashed and pinned to chain so the document on this page is canonically the same document the firm signed.

● Active SOC 2 Type II · Q1 2026

Conceptual Chain operating controls

12-month operating-effectiveness opinion on the chain's security, availability, and processing integrity. Issued by Schellman & Co. Trust services criteria 1–4 fully met; criterion 5 (privacy) not in scope of this engagement.

Period: 2025-04-01 → 2026-03-31 Auditor: Schellman Opinion: Unqualified

chain-pinned · 0x7a31:d40e:bb09:c7…f24a

Download report Verify hash

● Active SOC 1 Type II · Q1 2026

HCR mint pipeline — financial controls

Operating-effectiveness opinion on the controls surrounding mint authorisation, license verification at signing, and burn classification. Critical for downstream payers who rely on HCR-event provenance for value-based contracts.

Period: 2025-04-01 → 2026-03-31 Auditor: KPMG Opinion: Unqualified

chain-pinned · 0x4b0e:9c12:ee0a:a4…0091

Download report Verify hash

● Active Reserve attestation · quarterly

Coverdell custody pool — Q1 2026

Independent attestation that the on-chain Coverdell Reserve balance (889,206 HCR at 2026-03-31) matches the institutional custodian's books, and that the pool holds no off-chain liabilities against it. Issued by Armanino LLP under AICPA AT-C 105.

Snapshot: 2026-03-31 Firm: Armanino Result: Match · 0 variance

chain-pinned · 0xd1a7:08b3:fc4e:b1…e8d2

Download report Verify hash

● Active Covenant-compliance opinion · annual

Covenant compliance · 2025

Independent legal opinion from Ostrand & Vogel LLP that the protocol, as operated during calendar year 2025, complied with the eight articles of the HCR Covenant. Includes the only-ever covenant exception (a 2025-Q3 inheritance-routed wallet, properly handled per Article II).

Period: CY 2025 Counsel: Ostrand & Vogel Opinion: In compliance

chain-pinned · 0x9f3c:6a02:11b8:0e…a47b

Download opinion Verify hash

⌛ In progress ISO 27001 · Stage 1 audit

ISO/IEC 27001:2022 — first certification

Stage 1 readiness audit completed February 2026; Stage 2 surveillance audit scheduled for June 2026. We will publish the full certificate and Statement of Applicability immediately on issue, hashed and pinned to chain.

Stage 1: Complete · 2026-02-12 Stage 2: 2026-06-08 Body: BSI

chain-pinned (intent-to-certify) · 0x0c44:81fe:3a91:dd…7771

● Active HIPAA Security Rule · independent assessment

HIPAA assessment · CY 2025

Annual independent assessment against 45 CFR §164.308–§164.312. Conducted by Clearwater. All required and addressable specs found to be either implemented or addressed via a documented compensating control.

Period: CY 2025 Firm: Clearwater Findings: 0 high · 2 low

chain-pinned · 0x612b:dd47:09ae:c1…3340

How "chain-pinned" works

If the document moved, the hash would change.

Every attestation we receive is hashed (SHA-256) at the moment we receive it. The hash is signed by the issuing firm and the Trust Council, and the signed hash is written to a dedicated lane on the Conceptual Chain.

If the PDF you download from this page does not produce the chain-pinned hash, then the document is not the document the firm signed. The "Verify hash" button on each card is a one-click check: it computes SHA-256 on the file you have, queries the chain for the canonical hash, and reports match or mismatch.

This is not a clever trick — it is the same mechanism every attestation registry uses. We surface it because, unlike most issuers, we publish the verifier in the same page as the artifact.

Want to see governance in motion?

Governance log Audit history