Trust & compliance posture

Honest status, named timelines.

This page tells procurement reviewers exactly where Roam stands on SOC 2 Type II, ISO/IEC 42001, EU AI Act Article 12 record-keeping, and the NIST AI Risk Management Framework — and what artifacts (DPA, sub-processor list, security contact, vulnerability disclosure, data-flow diagram) we can hand over today. Evidence support and control mapping. Not certification.

Built in Athens · Made in the EU · Evidence stays on your machine and hash-verifies offline · No analytics · No cookies

Where we are today

Four frameworks procurement teams ask about, with our actual status and named timelines. No current independent attestation against any of these; when that changes we will publish the auditor or certification-body name and the report excerpts directly on this page.

SOC 2 Type II — in design
Controls in design. Audit kickoff scheduled Q4 2026; Type II report expected Q1 2027. No current independent attestation. We will publish the auditor name and the report excerpts on this page when the report is issued.

ISO/IEC 42001 — gap analysis underway
AI management system gap assessment in progress against the ISO/IEC 42001:2023 control set. Target certification-body engagement Q2 2027; expected certificate Q3 2027. No current certification.

EU AI Act Article 12 — evidence layer shipped
Roam's tamper-evident audit-trail and proof-bundle substrate generates the record-keeping evidence Article 12 requires for high-risk AI systems listed in Annex III. Whether your system falls under Article 12 is your DPO's and counsel's call; Roam supplies the evidence layer to support that determination.

NIST AI RMF — voluntary frame
The NIST AI Risk Management Framework 1.0 (Jan 2023) is a voluntary framework. We map Roam's evidence outputs to the MAP / MEASURE / MANAGE / GOVERN categories so customers without a mandated regime can still anchor their AI-agent change-control program to a recognized reference.

See the governance page control mapping for the row-by-row table tying each evidence type to the SOC 2, ISO 42001, NIST AI RMF, and EU AI Act Article 12 clauses it supports.

What we have right now

Artifacts a procurement reviewer can collect today, before the Q1/Q3 2027 attestation milestones above. All five are public on GitHub or this site; nothing is gated behind a sales conversation.

  1. Data Processing Addendum (DPA). GDPR-aligned DPA template covering the customer-as-controller, Roam-as-processor relationship for Roam Review engagements. Lists processing categories, retention windows, sub-processor change notice, and audit rights. Published at templates/legal/dpa.md.
  2. Sub-processor list. Current sub-processors are listed in section 6 of the privacy policy with their purpose and EU/US location. Material additions trigger 30-day advance notice per the DPA. The CLI has no runtime sub-processors — it executes entirely on your machine.
  3. Security contact. [email protected] — OpenPGP key auto-published by Proton. Discoverable via the security.txt file at the standard well-known location. Acknowledgement within one business day.
  4. Vulnerability disclosure policy. Full coordinated-disclosure policy on the security page: scope, safe-harbor terms, remediation SLAs (high within 30 days, medium within 90, low at next scheduled release), and a default 90-day public-disclosure window we extend on reporter request.
  5. Data-flow diagram. The CLI's data flow is short enough to inline: your source code is read from the local working tree, parsed and indexed into a local SQLite database under .roam/, and analyzed by local processes. Nothing leaves the machine — there is no telemetry, no analytics, no model-training upload, and no inbound network listener. Roam Review and Roam Cloud data flows are documented inside the procurement packet.

Roam's evidence layer

While the framework attestations are in flight, the free CLI already ships four evidence substrates auditors and reviewers can consume directly. None of them is a substitute for a SOC 2 or ISO 42001 report; they are the inputs an audit would draw from.

Tamper-evident audit trail
CGA-signed event records covering every command an agent or human ran against the local repo. Forwards-compatible with cryptographic signature schemes; today the bundles are signed with in-toto v1 + cosign so reviewers can verify integrity without contacting us.

Proof bundles per PR
roam pr-bundle init / emit packages the preflight, impact, critique, and test artifacts associated with a single change into one signed bundle. Reviewers see exactly what context the agent consumed before editing.

Mode enforcement
Four cumulative action surfaces — read_only, safe_edit, migration, autonomous_pr — declared per run and enforced by the local control plane. Mode escalations are logged with timestamps and the lease record of the human approver.

Run ledger with HMAC chain
Each roam runs session opens an event ledger with HMAC-chained entries. Tampering with any historical entry breaks the chain; roam runs verify reports the first divergent event so a reviewer can identify any post-hoc edits without trusting our infrastructure.
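To make the HMAC-chain property concrete, here is an added example of a minimal chained ledger with a verifier that reports the first divergent entry. It is illustrative code written for this page, not Roam's implementation or output: the key, the event field names, the genesis anchor, and the choice of HMAC-SHA256 are all assumptions, and the sample session is constructed.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key (assumption). A real ledger would take its key from a
# secret store that the process appending entries cannot read back or replace.
LEDGER_KEY = b"constructed-demo-key"

GENESIS_TAG = "00" * 32  # fixed anchor the first entry chains to (assumption)


def canonical(event: dict) -> bytes:
    """Deterministic JSON so an identical event always MACs to identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(key: bytes, prev_tag: str, event: dict) -> str:
    """HMAC-SHA256 over (previous entry's tag || canonical event)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(bytes.fromhex(prev_tag))
    mac.update(canonical(event))
    return mac.hexdigest()


def append_entry(ledger: list, key: bytes, event: dict) -> dict:
    """Append an event, linking it to the tag of the entry before it."""
    prev_tag = ledger[-1]["tag"] if ledger else GENESIS_TAG
    entry = {"seq": len(ledger), "prev": prev_tag, "event": event}
    entry["tag"] = compute_tag(key, prev_tag, event)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, key: bytes) -> Optional[int]:
    """Return the seq of the first entry that breaks the chain, or None if intact.

    An entry diverges if its position or back-link is wrong, or its MAC does not
    recompute over the stored event and the preceding tag.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(ledger):
        if entry.get("seq") != i or entry.get("prev") != prev_tag:
            return i
        expected = compute_tag(key, prev_tag, entry["event"])
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return i
        prev_tag = entry["tag"]
    return None


# Constructed sample session; field names are assumptions, not Roam's schema.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00Z", "actor": "agent", "cmd": "preflight", "mode": "read_only"},
    {"ts": "2026-01-10T09:01:12Z", "actor": "human:alice", "cmd": "mode escalate", "mode": "safe_edit"},
    {"ts": "2026-01-10T09:02:40Z", "actor": "agent", "cmd": "impact src/auth.py", "mode": "safe_edit"},
    {"ts": "2026-01-10T09:05:03Z", "actor": "agent", "cmd": "critique", "mode": "safe_edit"},
]


def build_sample_ledger(key: bytes = LEDGER_KEY) -> list:
    ledger: list = []
    for ev in SAMPLE_EVENTS:
        append_entry(ledger, key, ev)
    return ledger


def tampered_copy(ledger: list, seq: int, new_event: dict, resign: bool = False) -> list:
    """Copy of the ledger with entry `seq` rewritten after the fact.

    With resign=True the edited entry's own MAC is recomputed, which shows that
    the break then surfaces at the *next* entry, whose back-link no longer matches.
    """
    forged = copy.deepcopy(ledger)
    forged[seq]["event"] = new_event
    if resign:
        forged[seq]["tag"] = compute_tag(LEDGER_KEY, forged[seq]["prev"], new_event)
    return forged


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", verify_ledger(ledger, LEDGER_KEY))  # None
    edited = tampered_copy(ledger, 1, {**SAMPLE_EVENTS[1], "mode": "read_only"})
    print("entry 1 edited:", verify_ledger(edited, LEDGER_KEY))  # 1
    resigned = tampered_copy(ledger, 1, {**SAMPLE_EVENTS[1], "mode": "read_only"}, resign=True)
    print("entry 1 edited and re-MACed:", verify_ledger(resigned, LEDGER_KEY))  # 2
    removed = ledger[:2] + ledger[3:]
    print("entry 2 removed:", verify_ledger(removed, LEDGER_KEY))  # 2
```

Two caveats a reviewer should keep in mind when reading any chained ledger, this toy included. First, a chain by itself does not detect truncation: dropping the most recent entries leaves a perfectly valid shorter chain, so the current chain head has to be anchored somewhere the writer cannot rewrite (the signed bundle described above is that kind of anchor). Second, whoever holds the HMAC key can rebuild the whole chain consistently, so the key must not be under the control of the party whose actions are being audited; verification "without trusting our infrastructure" only holds for the parts of the chain that are bound to an external signature.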

For the full control-mapping table from these four substrates to SOC 2 CC8.1, ISO/IEC 42001 Annex A, NIST AI RMF, and EU AI Act Article 12, see the Agent Governance Evidence Pack page.

Evidence support, not certification
This page is evidence support, not a certification claim. Roam Code provides evidence-export and control-mapping support for AI-agent change governance; it does not perform compliance attestation, and nothing here should be read as a statement of formal conformity against any framework. Consult qualified counsel and auditors for formal certification against SOC 2, ISO/IEC 42001, the EU AI Act, or any other regime.

Article 12 framing
EU AI Act Article 12 (record-keeping) attaches to providers of high-risk AI systems listed in Annex III. Code-generation tooling is not itself in Annex III. If your own product is a high-risk AI system, Roam's tamper-evident ledger is useful evidence we collect for the Article 12 record-keeping expectation and the Article 14 human-oversight expectation; whether the obligations apply to your system is a call for your DPO and counsel.

Timeline candor
The Q1 2027 SOC 2 and Q3 2027 ISO/IEC 42001 dates above are plans, not commitments. If a kickoff slips we will update this page rather than silently extend. Procurement reviewers who need a binding date should email [email protected] for the current schedule and the named external partners.

EU-based, GDPR-native
Built in Athens. Made in the EU. The CLI runs entirely on your machine; nothing leaves the local environment unless you explicitly upload a bundle. See the security policy and the procurement packet for DPA, no-training commitment, and supply-chain posture.

Need a question answered for an in-flight procurement review, or a redacted DPA reviewed against your standard? Email [email protected] — acknowledgement within one business day.