Certifications & Posture
We are direct about what we hold today and what is on the roadmap. Fidacy is not currently SOC 2 or ISO 27001 certified. Those are planned. We will not display a seal we don't hold or claim a date we can't commit to.
Certification roadmap
| Standard | Status |
|---|---|
| SOC 2 Type II | Planned. On our roadmap; not yet certified. Target date: contact us. No interim seal is implied. |
| ISO 27001 | Planned. On our roadmap; not yet certified. Target date: contact us. |
No certifications claimed. Until an audit completes and a report is issued, Fidacy makes no SOC 2 or ISO 27001 representation. The security architecture described under Security stands on its own and is independent of certification status. For the current state of any certification effort, contact sales@fidacy.com.
PCI scope statement
Fidacy does not expand your PCI DSS scope. The engine never touches card numbers. The AP2 payment_instrument schema it receives carries only an id, a type, and a description: no PAN, no track data, no credential. Fidacy decides on signed mandates and risk_data, never on a primary account number, so adding Fidacy does not bring cardholder data into a new system.
Framework alignment (not certification)
Separately from certifications, Fidacy is built to provide evidence for the regulatory and threat-model frameworks below. These are alignment and positioning claims, detailed in Compliance & Regulatory.
- EU AI Act-native; GDPR applies.
- NIST AI RMF, Govern, Map, Measure, Manage mapping.
- US Treasury FS AI RMF, evidence artifacts a deployer maps to its controls.
- OWASP Agentic Top 10, the external-control threat model.
- Colorado ADMT-ready (SB 26-189, effective Jan 1, 2027).
Corporate entity
Fidacy is operated by ZEEPCODE GROUP LLC, a Florida limited liability company. Master agreement, DPA, and any contractual SLA are available on request.