Current Trust Statement
Use precise language:
- Read-only source credentials are recommended
- Connection secrets should be encrypted at rest
- Encrypted connections should be used where the source supports them
- Query and export actions should be logged where implemented
- Receipts should state what was verified and what was not verified
Claims Not Made
Do not claim:
- External security certification
- HIPAA eligibility
- Absolute client-only encryption architecture
- Absolute data-residency claims
- Always-accurate answers
- AI cannot be wrong
- Enterprise procurement readiness
Add those claims only after implementation, documentation, and review support them.
What a Receipt Proves
A receipt proves how a specific answer was produced:
- Query or calculation text
- Query fingerprint
- Source context
- Row counts where available
- Evidence hash
- Generated time
- Source path and assumptions
A receipt does not prove upstream source completeness, universal metric correctness, or that a business decision is automatically correct.