# HATS Auditor and Assessor Independence Policy
DRAFT -- Subject to revision by legal counsel
## 1. Purpose and Scope
### 1.1 Purpose
This document establishes the independence, qualification, and conduct requirements for auditors and assessors performing HATS certification assessments. The integrity of the HATS certification framework depends on the independence and competence of the assessors who evaluate conformance. This policy ensures that HATS certification carries verifiable assurance that the certified organization satisfies the standard's defined controls, as independently evaluated by a qualified and unconflicted party.
### 1.2 Scope
This policy applies to:
(a) All persons and organizations performing HATS certification assessments at any tier;
(b) Organizations seeking or holding HATS certification;
(c) H33.ai, Inc. when performing self-certification or certification of third parties;
(d) The Issuing Authority in maintaining the registry of qualified assessors.
### 1.3 Normative References
- HATS Standards Governance Model (HATS-GOV-001)
- HATS Conformance Testing License (HATS-GOV-002)
- HATS Marketing Claims Policy (HATS-GOV-004)
- HATS Verifier Guarantees v1.0 (GUARANTEES.md)
- ISO/IEC 17021-1:2015, Conformity assessment -- Requirements for bodies providing audit and certification
- ISO/IEC 17065:2012, Conformity assessment -- Requirements for bodies certifying products, processes, and services
### 1.4 Definitions
"Assessor" means any natural person who performs evaluation activities as part of a HATS certification assessment.
"Assessment Organization" means any legal entity that employs or contracts assessors to perform HATS certification assessments.
"Assessed Organization" means the organization seeking or holding HATS certification.
"Financial Interest" means any direct or indirect ownership interest, investment, debt relationship, revenue-sharing arrangement, commission, bonus, or other financial benefit tied to the Assessed Organization, excluding fees charged for the assessment itself.
"Consulting Relationship" means any engagement in which the Assessor or Assessment Organization provides advice, implementation assistance, design services, integration services, training (beyond HATS assessor training), or other professional services to the Assessed Organization, excluding the assessment itself.
"Cooling-Off Period" means the minimum period that must elapse between the termination of a Consulting Relationship and the commencement of an assessment engagement.
"Assessment Cycle" means one complete certification assessment, from engagement to issuance of the assessment report, regardless of duration.
## 2. Tier-Based Independence Requirements
### 2.1 Overview
The HATS standard defines three certification tiers with progressively increasing independence requirements. The independence requirements are cumulative: Tier 2 requirements include all Tier 1 requirements, and Tier 3 requirements include all Tier 1 and Tier 2 requirements.
### 2.2 Tier 1: Self-Assessment with Verifier Output
#### 2.2.1 Independence Requirements
Tier 1 certification is based on self-assessment. No external assessor independence is required. The Assessed Organization performs its own evaluation using the HATS verifier and produces verifier output demonstrating conformance.
#### 2.2.2 Requirements
(a) The Assessed Organization shall execute the HATS verifier (reference implementation or a HATS-conformant implementation) against its governance graphs;
(b) The verifier output shall demonstrate that all applicable checks pass with no FATAL or ERROR violations;
(c) The Assessed Organization shall retain the verifier output, including the complete JSON output, the version of the verifier used, and the date of execution;
(d) Tier 1 certification is valid for twelve (12) months from the date of the self-assessment, unless the Assessed Organization's systems undergo material changes that affect the scope of certification, in which case re-assessment is required.
#### 2.2.3 Limitations
Tier 1 certification carries the following limitations:
(a) Tier 1 certification may not be described as "independently assessed" or "independently audited";
(b) Tier 1 certification is not eligible for the "HATS-certified" mark (which requires Tier 2 or Tier 3);
(c) Tier 1 certification may be described as "HATS Tier 1 self-assessed" or "HATS-verified (self-assessment)."
### 2.3 Tier 2: Qualified Assessor
#### 2.3.1 Independence Requirements
Tier 2 certification requires evaluation by a Qualified Assessor who satisfies the following independence criteria:
(a) No Financial Interest. Neither the Assessor nor the Assessment Organization shall hold a Financial Interest in the Assessed Organization during the assessment engagement or for twelve (12) months prior to engagement.
(b) Documented Competence. The Assessor shall demonstrate competence through one or more of the following:
- (i) Professional certification in information security, governance, risk, or compliance (e.g., CISA, CISSP, ISO 27001 Lead Auditor, PCI QSA, SOC 2 examiner);
- (ii) A minimum of five (5) years of professional experience in governance, compliance, or information security auditing;
- (iii) Completion of a HATS Assessor Training program, when such program is established by the Issuing Authority.
(c) No Active Consulting Relationship. The Assessor and Assessment Organization shall not have an active Consulting Relationship with the Assessed Organization at the time of assessment. A Cooling-Off Period of twelve (12) months applies between the termination of any Consulting Relationship and the commencement of a Tier 2 assessment.
#### 2.3.2 Scope of Evaluation
The Tier 2 assessment shall include, at minimum:
(a) Independent execution of the HATS verifier against the Assessed Organization's governance graphs;
(b) Review of the governance graph structure, including node types, parent references, and tenant isolation;
(c) Review of the Assessed Organization's signer key management practices;
(d) Verification that the Assessed Organization's systems produce governance receipts in conformance with the HATS specification;
(e) Issuance of an assessment report documenting findings, conclusions, and the basis for the certification determination.
### 2.4 Tier 3: Independent Auditor
#### 2.4.1 Independence Requirements
Tier 3 certification requires evaluation by an Independent Auditor who satisfies all Tier 2 requirements and the following additional criteria:
(a) No Financial Interest -- Extended. Neither the Auditor nor the Assessment Organization shall hold a Financial Interest in the Assessed Organization during the assessment engagement or for twenty-four (24) months prior to engagement.
(b) No Consulting Relationship -- Extended Cooling-Off. The Auditor and Assessment Organization shall not have had a Consulting Relationship with the Assessed Organization within twenty-four (24) months prior to the commencement of the assessment. This extended cooling-off period applies to consulting relationships of any nature, including but not limited to:
- (i) HATS implementation or integration services;
- (ii) Governance system design or architecture consulting;
- (iii) Information security consulting;
- (iv) General management consulting that materially relates to the systems within the certification scope.
(c) Issuing Authority Approval. The Auditor and Assessment Organization must be approved by the Issuing Authority prior to conducting Tier 3 assessments. Approval is based on the qualification criteria in Section 7 and is subject to periodic renewal.
(d) Organizational Independence. The Assessment Organization shall be legally and structurally independent from the Assessed Organization. The following relationships disqualify an Assessment Organization from Tier 3 independence:
- (i) Common ownership or control (direct or indirect);
- (ii) Shared governance (overlapping board members or officers);
- (iii) Revenue dependency exceeding fifteen percent (15%) of the Assessment Organization's total revenue derived from the Assessed Organization;
- (iv) Joint venture or partnership agreements related to the systems within the certification scope.
#### 2.4.2 Scope of Evaluation
The Tier 3 assessment shall include all Tier 2 evaluation elements and the following:
(a) Review of the Assessed Organization's internal controls related to governance graph generation, including change management, access controls, and key management;
(b) Sampling and independent verification of governance receipts against source system records;
(c) Evaluation of the Assessed Organization's incident response procedures as they relate to governance integrity;
(d) Assessment of the Assessed Organization's compliance with applicable HATS governance documents (Marketing Claims Policy, Data Processing Position);
(e) A formal opinion on whether the Assessed Organization's governance implementation satisfies the HATS standard's defined controls within the stated scope.
## 3. Conflict-of-Interest Rules
### 3.1 Disclosure Obligation
Assessors and Assessment Organizations shall disclose to the Assessed Organization and the Issuing Authority any actual or potential conflict of interest prior to commencing an assessment. Disclosable interests include:
(a) Financial interests in the Assessed Organization, its parent, subsidiaries, or affiliates;
(b) Current or prior employment relationships (within the past thirty-six (36) months) between the Assessor and the Assessed Organization;
(c) Family relationships (spouse, domestic partner, parent, child, or sibling) between the Assessor and any officer, director, or key governance personnel of the Assessed Organization;
(d) Pending or anticipated business relationships with the Assessed Organization beyond the assessment engagement;
(e) Investments in competitors of the Assessed Organization that could create bias;
(f) Any other circumstance that a reasonable, informed third party would consider likely to compromise the Assessor's objectivity.
### 3.2 Conflict Resolution
Upon disclosure of a conflict:
(a) If the conflict is disqualifying under Section 2, the Assessor or Assessment Organization shall not proceed with the assessment;
(b) If the conflict is not disqualifying but material, the Issuing Authority shall evaluate whether the conflict can be adequately mitigated (e.g., through assignment of a different assessor within the same Assessment Organization) and shall document the mitigation measures;
(c) If the conflict cannot be adequately mitigated, the Assessment Organization shall not proceed.
### 3.3 Ongoing Monitoring
Assessors and Assessment Organizations shall monitor for conflicts of interest throughout the assessment engagement and shall promptly disclose any new conflicts that arise during the engagement.
## 4. Separation Between Certification and Consulting
### 4.1 Prohibition on Simultaneous Services
An Assessment Organization shall not simultaneously provide both HATS certification assessment services and HATS-related consulting services to the same Assessed Organization. "Simultaneously" means at any overlapping point in time, from engagement to report issuance.
### 4.2 Structural Separation
Assessment Organizations that offer both assessment and consulting services shall maintain structural separation between these functions, including:
(a) Separate personnel: no individual shall perform both assessment and consulting functions for the same Assessed Organization;
(b) Separate management: the assessment function shall report to management that is independent from the consulting function's management;
(c) Separate compensation: compensation for assessment personnel shall not be contingent on consulting revenue from the same Assessed Organization;
(d) Information barriers: assessment personnel shall not have access to confidential information obtained through consulting engagements with the same Assessed Organization, and vice versa.
### 4.3 Permitted Activities
The following activities are not considered consulting and do not trigger the cooling-off period:
(a) HATS assessor training provided by the Issuing Authority;
(b) Responses to factual inquiries about the HATS specification during the normal course of assessment;
(c) Post-assessment debriefing in which the Assessor explains findings, provided the Assessor does not provide specific remediation recommendations.
## 5. Assessor Rotation
### 5.1 Maximum Consecutive Cycles
No individual Assessor shall serve as the lead assessor for the same Assessed Organization for more than three (3) consecutive Assessment Cycles. After three consecutive cycles, the Assessor must rotate off for a minimum of two (2) Assessment Cycles before serving as lead assessor for the same Assessed Organization again.
### 5.2 Assessment Organization Rotation
At Tier 3, the Issuing Authority recommends (but does not require in v1.0) rotation of the Assessment Organization after five (5) consecutive Assessment Cycles for the same Assessed Organization. The Issuing Authority reserves the right to make Assessment Organization rotation mandatory in future versions of this policy.
### 5.3 Rotation Records
Assessment Organizations shall maintain records of assessor assignments by Assessed Organization and Assessment Cycle, and shall make these records available to the Issuing Authority upon request.
## 6. H33 Self-Certification Rules
### 6.1 Tier 1 and Tier 2
H33.ai, Inc. may seek HATS certification for its own systems at Tier 1 (self-assessment) and Tier 2 (qualified assessor) under the same rules that apply to any other organization. For Tier 2, H33 shall engage an external Qualified Assessor who satisfies the independence requirements of Section 2.3.
### 6.2 Tier 3
H33.ai, Inc. may not perform Tier 3 self-certification. As the Issuing Authority, H33 has an inherent conflict of interest that cannot be mitigated for Tier 3 purposes. H33 shall engage an external Independent Auditor approved by the Technical Review Committee (TRC) for Tier 3 certification. The TRC's approval of the selected auditor shall be documented and published.
### 6.3 TRC Oversight
When H33 seeks Tier 2 or Tier 3 certification, the TRC shall review the assessment engagement terms and the assessment report. TRC members who are H33 employees shall recuse themselves from this review.
## 7. Assessor Qualification Criteria
### 7.1 Individual Assessor Qualifications
To be recognized as a qualified HATS assessor, an individual shall demonstrate:
(a) Technical competence in at least two of the following domains:
- (i) Cryptographic systems and protocols, including hash functions and digital signature schemes;
- (ii) Distributed systems, including consensus mechanisms and federation protocols;
- (iii) Governance, risk, and compliance frameworks (e.g., PCI DSS, SOC 2, ISO 27001, FedRAMP);
- (iv) Post-quantum cryptography;
- (v) Formal verification or deterministic system design.
(b) Professional experience of at least five (5) years in auditing, assessment, or compliance evaluation roles;
(c) HATS-specific knowledge demonstrated through:
- (i) Successful execution of the Canonical Test Vectors against at least one implementation; or
- (ii) Completion of a HATS Assessor Training program, when available; or
- (iii) Peer-reviewed publication or demonstrated professional contribution related to the HATS standard or its constituent technologies.
(d) Ongoing education: Qualified assessors shall complete a minimum of twenty (20) hours of continuing professional education per year in domains relevant to HATS assessment.
### 7.2 Assessment Organization Qualifications
To be approved for Tier 3 assessments, an Assessment Organization shall demonstrate:
(a) A minimum of three (3) qualified individual assessors on staff or under exclusive contract;
(b) Professional liability insurance with coverage adequate for the scope of assessments undertaken;
(c) A documented quality management system for assessment engagements;
(d) No history of enforcement actions by the Issuing Authority or relevant regulatory bodies within the preceding thirty-six (36) months;
(e) Compliance with the conflict-of-interest and structural separation requirements of this policy.
## 8. Evidence Review Integrity Standards
### 8.1 Evidence Collection
Assessors shall collect and review evidence sufficient to support their certification determination. At minimum, evidence shall include:
(a) HATS verifier output (complete JSON) for the governance graphs within the certification scope;
(b) Documentation of the Assessed Organization's governance architecture and data flows;
(c) Records of signer key management practices, including key generation, distribution, rotation, and revocation;
(d) Samples of governance receipts verified against the HATS specification;
(e) Records of the Assessed Organization's conformance testing against Canonical Test Vectors.
### 8.2 Evidence Integrity
Assessors shall ensure the integrity of collected evidence by:
(a) Obtaining evidence directly from the Assessed Organization's systems or from independent verification, not solely from management representations;
(b) Independently executing the HATS verifier rather than relying on verifier output provided by the Assessed Organization;
(c) Documenting the chain of custody for all evidence collected;
(d) Retaining evidence for the duration of the certification period plus thirty-six (36) months.
### 8.3 Assessment Report
The assessment report shall include:
(a) The scope of the assessment, including the specific systems, processes, and governance domains covered;
(b) The certification tier assessed;
(c) The HATS version and test vector version against which conformance was evaluated;
(d) A summary of findings, including any non-conformities identified;
(e) The certification determination (certified, certified with conditions, or not certified);
(f) A statement of the Assessor's independence, including disclosure of any conflicts reviewed and mitigated;
(g) The date of the assessment and the validity period of the certification.
## 9. Public Registry of Qualified Assessors
### 9.1 Establishment
The Issuing Authority shall establish and maintain a public registry of qualified HATS assessors and approved Assessment Organizations ("Assessor Registry"). The Assessor Registry shall be accessible without fee, registration, or API key.
### 9.2 Registry Contents
The Assessor Registry shall include, for each listed assessor or Assessment Organization:
(a) Name and contact information;
(b) Tiers for which the assessor or organization is qualified (Tier 2, Tier 3, or both);
(c) Date of initial qualification and most recent renewal;
(d) Any current restrictions, suspensions, or conditions on qualification;
(e) Geographic regions or industry sectors of demonstrated competence, if applicable.
### 9.3 Qualification Renewal
Assessor qualifications are valid for three (3) years and must be renewed through a process that includes:
(a) Demonstration of ongoing competence (continuing education records, recent assessment experience);
(b) Confirmation that no disqualifying conflicts, enforcement actions, or complaints have arisen;
(c) Updated professional liability insurance documentation (for Assessment Organizations).
### 9.4 Timeline
The Assessor Registry is designated as a future capability. Until the Assessor Registry is operational, the Issuing Authority shall maintain a private list of approved Tier 3 Assessment Organizations and shall provide this list to any Assessed Organization upon request.
## 10. Assessment Dispute Resolution
### 10.1 Grounds for Dispute
An Assessed Organization may dispute an assessment determination on the following grounds:
(a) The Assessor failed to comply with the independence requirements of this policy;
(b) The Assessor applied the HATS specification incorrectly;
(c) The Assessor failed to consider material evidence provided by the Assessed Organization;
(d) The assessment report contains factual errors that affected the certification determination;
(e) The Assessor failed to follow the evidence review integrity standards of Section 8.
### 10.2 Dispute Process
Assessment disputes shall be resolved through the following process:
(a) Direct Resolution (30 days). The Assessed Organization shall first attempt to resolve the dispute directly with the Assessment Organization. The Assessment Organization shall respond in writing within fifteen (15) business days.
(b) Independent Panel (60 days). If direct resolution fails, either party may request the convening of an independent review panel. The panel shall consist of three (3) members: one selected by the Assessed Organization, one selected by the Assessment Organization, and one selected by the Issuing Authority. Panel members shall satisfy the independence requirements of Section 2.3 with respect to both the Assessed Organization and the Assessment Organization.
(c) Panel Determination. The panel shall review the assessment evidence, the assessment report, and submissions from both parties. The panel shall issue a written determination within sixty (60) calendar days of convening. The panel may:
- (i) Uphold the original assessment determination;
- (ii) Overturn the assessment determination and direct certification or re-assessment;
- (iii) Order a re-assessment by a different Assessment Organization;
- (iv) Identify procedural deficiencies and remand to the original Assessment Organization for correction.
(d) Costs. Each party bears its own costs of the dispute process. The cost of the independent panel member selected by the Issuing Authority is borne by the Issuing Authority.
### 10.3 Effect on Certification
During the dispute process:
(a) If the dispute concerns a denial of certification, the Assessed Organization does not hold HATS certification pending resolution;
(b) If the dispute concerns a revocation of existing certification, the certification status is suspended (not revoked) pending resolution, unless the revocation was based on a security concern that poses imminent risk to relying parties.
### 10.4 Public Record
Panel determinations are published to the HATS Standards Registry. The identities of the Assessed Organization and Assessment Organization are included unless either party demonstrates that publication would cause disproportionate harm unrelated to the substance of the dispute.
## 11. Enforcement Against Assessors
### 11.1 Grounds for Action
The Issuing Authority may take enforcement action against a qualified assessor or approved Assessment Organization on the following grounds:
(a) Failure to comply with the independence requirements of this policy;
(b) Issuance of a certification determination that is not supported by the evidence;
(c) Failure to maintain required qualifications;
(d) Refusal to cooperate with the Issuing Authority's oversight activities;
(e) Material misrepresentation in the qualification application or renewal process.
### 11.2 Enforcement Actions
Available enforcement actions, in order of severity:
(a) Written Warning with required corrective action;
(b) Conditional Qualification imposing additional requirements (e.g., increased oversight, mandatory re-training);
(c) Suspension of Qualification for a specified period, during which the assessor may not conduct HATS assessments;
(d) Revocation of Qualification and removal from the Assessor Registry.
### 11.3 Due Process
Before taking enforcement action at the level of Conditional Qualification or above, the Issuing Authority shall:
(a) Provide written notice of the grounds for the proposed action;
(b) Allow the assessor thirty (30) calendar days to respond in writing;
(c) Consider the response before issuing a final determination;
(d) Provide a written final determination with the basis for the action taken.
## 12. Effective Date and Transition
### 12.1 Effective Date
This policy is effective as of the date of publication by the Issuing Authority.
### 12.2 Transition Period
Assessment Organizations and assessors who are engaged in HATS assessments at the time this policy becomes effective shall have ninety (90) calendar days to come into full compliance with its requirements. Assessments commenced before the effective date may be completed under the terms in effect at the time of engagement.
HATS Auditor and Assessor Independence Policy v1.0 -- H33.ai, Inc.