Trust Center
Trust, by construction
Fidacy is the verifiable trust layer for AI agents, not a payment processor. It verifies the agent, checks the action against the user's signed intent, scores the risk, issues a cryptographically signed verdict, and for money it can enforce a hard gate before funds move. Every decision is recorded in a hash-chained audit whose head is committed to Bitcoin, so the record is tamper-evident and verifiable offline. This Trust Center is the procurement reference: what Fidacy is, what it never touches, and the frameworks it's built to address.
A decision layer, not a processor
Fidacy sits beside the money path, not on it. It receives a signed mandate plus structured risk_data and returns a decision (approve, review, or deny), together with a signed Risk Payload and an audit entry. It does not move funds, hold balances, or store payment credentials. It is the accountability layer the payment protocols (AP2, A2A) deliberately leave open.
That signed verdict can be advisory, or it can be enforcing. For agent-initiated payments, the Payment Firewall is a hard gate: the agent calls request_payment, an approve issues a short-lived signed grant, and the executor refuses to move money without it. A deny means no grant and no payment, so a duplicate invoice or a redirected wire (BEC) is stopped by Fidacy, not by the PSP. Both the verdict and the firewall ship in one install, npx -y @fidacy/mcp.
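The hard gate described above, sketched from both the issuing and the executor side as an added example (not Fidacy's code). The grant fields, the Ed25519 signature, the 60-second lifetime and all function names are assumptions, since this page does not specify the grant format.

```javascript
// Added illustration, not Fidacy's implementation. Grant fields, Ed25519,
// the TTL and every function name here are assumptions made for the sketch.
const crypto = require('node:crypto');

// Constructed key pair standing in for the decision layer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Bytes covered by the signature: fixed field order, so nothing is ambiguous.
const canonical = (g) => Buffer.from(
  JSON.stringify([g.grantId, g.payee, g.amountMinor, g.currency, g.expiresAt]));

// Decision side: only an "approve" verdict yields a grant; deny/review yield none.
function issueGrant(verdict, payment, now, ttlMs = 60_000) {
  if (verdict !== 'approve') return null;
  const grant = { grantId: crypto.randomUUID(), ...payment, expiresAt: now + ttlMs };
  const sig = crypto.sign(null, canonical(grant), privateKey).toString('base64');
  return { ...grant, sig };
}

const usedGrants = new Set(); // single-use tracking (in-memory for the sketch)

// Executor side: refuse to move money unless every check passes.
function executorCheck(grant, payment, now) {
  if (!grant) return 'refused: no grant';
  let sigOk = false;
  try {
    sigOk = crypto.verify(null, canonical(grant), publicKey,
      Buffer.from(grant.sig, 'base64'));
  } catch { sigOk = false; }
  if (!sigOk) return 'refused: bad signature';
  if (now >= grant.expiresAt) return 'refused: expired';
  // The grant must describe exactly the payment about to be executed.
  if (grant.payee !== payment.payee ||
      grant.amountMinor !== payment.amountMinor ||
      grant.currency !== payment.currency) {
    return 'refused: payment does not match grant';
  }
  if (usedGrants.has(grant.grantId)) return 'refused: replay';
  usedGrants.add(grant.grantId);
  return 'execute';
}
```

Binding the grant to payee, amount and currency is what makes it useless for a redirected payment: editing the grant breaks the signature, and reusing it for a different payment fails the match check.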
What Fidacy never touches
The payment_instrument schema Fidacy receives carries only an id, a type, and a description: no card number, no track data, no credential. Fidacy decides on signed mandates and risk_data, never on a primary account number. Integrating Fidacy does not expand your PCI DSS scope.
Frameworks addressed
These are alignment and positioning claims, the regulatory and threat-model frameworks Fidacy is designed to provide evidence for. They are not certifications (see Certifications & Posture).
Responsible disclosure
We welcome reports from security researchers. In scope: the Fidacy API, the signing and verification path, the audit chain, and tenant isolation. Out of scope: denial-of-service, social engineering, and findings in third-party sub-processor infrastructure (report those to the vendor).
- Email security@fidacy.com with details and a proof-of-concept.
- Please give us reasonable time to remediate before public disclosure.
- We respond promptly and credit reporters who follow this policy.
Corporate entity
Fidacy is operated by ZEEPCODE GROUP LLC, a Florida limited liability company. A Data Processing Agreement (DPA) and a master enterprise agreement, including any contractual SLA, are available on request through sales@fidacy.com.