Public trust page

What it does: Customer-facing trust.tappass.ai page covering 0-training, residency, encryption, sub-processors, certifications.

EU and US enterprise CISOs filter on these properties before the architecture conversation begins. Stating them explicitly (and honestly) gives buyers procurement defensibility. This page is the public artifact those buyers point to when clearing their first compliance review.

The trust center already exists per working-assets references; this component expands it to cover everything in architecture §17.

Sections per architecture §17.1–§17.5:

  • Data handling commitments — 0-training, residency, encryption (rest + transit), deletion / right-to-erasure
  • Certifications — SOC 2 (current + roadmap), GDPR, EU AI Act readiness, ISO 27001 (roadmap), HIPAA BAA (case-by-case)
  • Sub-processor disclosure — full list with cadence, OpenChain ISO 5230 mapping link
  • Tenant isolation guarantees — logical isolation, no shared compute path, audit cross-tenant isolation
  • Operational transparency — status page link, planned public incident database

Lives in the existing trust.tappass.ai repo (Astro static site per memory project_repo_structure.md). Expansion is content + page-tree work, not engineering.

  • All acceptance_criteria pass.
  • Legal review of all claims (especially EU AI Act readiness and 0-training language).
  • DPA template available for download.
  • Sub-processor list refreshed (last refresh, next refresh dates visible).

With soc2-type1-audit: auditor verifies what this page claims. Don't claim what isn't true.

With Legal/Compliance: copy reviewed before publication.

  • Customer-specific DPAs (those are the customer's contracts; templates live here).
  • Marketing pages (different surface; tappass.ai homepage).