HATS Certificate Lifecycle Policy

DRAFT -- Subject to revision by legal counsel

This document defines the complete lifecycle of a HATS certificate from initial application through issuance, continuous monitoring, renewal, suspension, revocation, and archival. It establishes the rights and obligations of Certificate Holders, certification bodies, and H33.ai, Inc. ("H33") at each stage. HATS certification is continuous, not point-in-time. Unlike audit frameworks that assess controls at a moment and issue a report, HATS requires ongoing attestation and monitoring throughout the certificate validity period. This distinction is fundamental to the HATS model and is reflected in every stage of the lifecycle defined below. This policy is mandatory for all HATS certifications issued under v1.0 of the standard.

1. Definitions

1.1. "Certificate" means the formal HATS certification instrument issued to a Certificate Holder, specifying the certified system, tier level, validity period, and applicable cryptographic profile.

1.2. "Certification Body" means H33 or an entity authorized by H33 to issue HATS certifications.

1.3. "Continuous Monitoring" means the ongoing process of submitting governance graph bundles at intervals prescribed by the certificate tier, for automated verification against HATS requirements.

1.4. "Material Change" means any alteration to the certified system's architecture, governance graph structure, cryptographic key infrastructure, or attestation pipeline that could affect the system's conformance with HATS requirements at the certified tier level.

1.5. "FATAL-level failure" means a violation classified as FATAL under HATS-FP (Frozen Protocol) Section 3, including but not limited to graph cycles, orphan references, hash mismatches, invalid signatures, cross-tenant contamination, denied execution with successful event, failed result with state mutation, continuity breaks, and unsupported cryptographic profiles.

2. Issuance Prerequisites

2.1. General Prerequisites (All Tiers). Before a HATS certificate may be issued at any tier, the applicant must:

(a) Submit a complete governance graph bundle for the system under assessment.

(b) Demonstrate that the governance graph passes HATS verification with zero FATAL-level violations and zero ERROR-level violations.

(c) Identify the legal entity that will serve as Certificate Holder and provide organizational documentation sufficient for the Certification Body to confirm the entity's legal existence and authority over the system.

(d) Designate a HATS Responsible Officer -- a named individual authorized to receive certification communications, respond to suspension notices, and authorize corrective actions.

(e) Execute the HATS Certification Agreement, acknowledging the Reliance Boundary (HATS-LEGAL-001), Certification Mark Policy (HATS-LEGAL-002), and this Lifecycle Policy.

(f) Pay applicable certification fees.

2.2. Tier-Specific Prerequisites.

(a) Tier 1 -- Structural Validity. The governance graph must achieve a replay integrity level of STRUCTURALLY_VALID or higher. Hash verification required. Signature verification not required.

(b) Tier 2 -- Cryptographic Validity. The governance graph must achieve CRYPTOGRAPHICALLY_VALID or higher. All hashes and signatures must verify. The cryptographic profile must be a HATS-approved profile (e.g., HATS-PROFILE-PQ-SHA3-256-v1). Proof profile must include HATS-PROOF-SIGNED-v1.

(c) Tier 3 -- Federation Validity. The governance graph must achieve FEDERATION_VALID or higher. Federation quorum must be met. Checkpoint freshness must be within the threshold defined for the certified deployment.

(d) Tier 4 -- Full Replayability. The governance graph must achieve FULLY_REPLAYABLE. Deterministic replay must produce byte-identical frame hashes across independent verification runs.

(e) Tier 5 -- Enforcement Complete. The governance graph must achieve ENFORCEMENT_COMPLETE. All enforcement decisions must be present, auditable, and themselves governed within the governance chain. No enforcement action may exist outside the verifiable graph.

2.3. Assessment Process. The Certification Body will: (a) Perform initial automated verification of the submitted governance graph bundle; (b) Conduct a structural review of the governance architecture to confirm that the graph represents the system's actual governance flow, not a synthetic or test graph; (c) Verify that continuous monitoring infrastructure is in place and operational; (d) Issue the certificate only after all prerequisites are satisfied.

3. Validity Periods

Tier	Validity Period	Continuous Monitoring Interval
1	12 months	Monthly
2	12 months	Bi-weekly
3	12 months	Weekly
4	12 months	Weekly
5	12 months	Daily

3.2. Effective Date. The certificate validity period begins on the date of issuance.

3.3. Renewal Window. Certificate Holders may apply for renewal beginning 90 days before the expiration date. If renewal is completed before expiration, the new validity period begins on the expiration date of the prior certificate (not the date of renewal), ensuring continuous coverage.

3.4. Lapsed Certificates. A certificate that expires without renewal is lapsed. A lapsed certificate cannot be renewed; the Certificate Holder must apply for a new certification. The lapsed certificate record remains in the public registry with a status of EXPIRED.

4. Continuous Monitoring Requirements

4.1. Submission Obligation. Certificate Holders must submit governance graph bundles to the Certification Body at the interval specified for their tier. Each submission must represent the governance graph state as of the submission timestamp, not a cached or historical snapshot.

4.2. Automated Verification. Each continuous monitoring submission is automatically verified against the full HATS verification check suite. The verification result is recorded in the certificate record and reflected in the public certificate status registry.

4.3. Passing Criteria. A continuous monitoring submission passes if: (a) zero FATAL-level violations; (b) zero ERROR-level violations; (c) the replay integrity level meets or exceeds the level required for the certificate's tier.

4.4. Warning Accumulation. WARNING-level violations are informational and do not individually trigger suspension. However, if the same WARNING violation recurs in three consecutive monitoring submissions, it is escalated to the HATS Responsible Officer for acknowledgment and remediation plan.

4.5. Missed Submissions. If a Certificate Holder misses a scheduled continuous monitoring submission: (a) One missed submission: The HATS Responsible Officer is notified. No immediate impact on certification status. (b) Two consecutive missed submissions: The certificate is placed on probation. The Certificate Holder must submit within 7 calendar days or the certificate will be suspended. (c) Three consecutive missed submissions: The certificate is automatically suspended.

4.6. Submission Integrity. Continuous monitoring submissions must be made from the production environment of the certified system. Submissions from staging, development, or test environments are not accepted for continuous monitoring purposes. The Certification Body may implement technical controls (e.g., IP attestation, deployment fingerprinting) to verify submission provenance.

5. Suspension

5.1. Suspension Triggers. A HATS certificate may be suspended upon the occurrence of any of the following: (a) A continuous monitoring submission produces one or more FATAL-level violations; (b) A continuous monitoring submission produces one or more ERROR-level violations; (c) Three consecutive missed continuous monitoring submissions; (d) The Certificate Holder notifies H33 of a Material Change and requests suspension pending reassessment; (e) H33 receives credible information suggesting that the certified system's governance graph no longer conforms to HATS requirements at the certified tier; (f) The Certificate Holder fails to comply with the Certification Mark Policy and does not cure the non-compliance within the specified cure period.

5.2. Suspension Process. (a) The Certification Body issues a written suspension notice to the HATS Responsible Officer, specifying the trigger, the effective date (immediate for FATAL violations, 48 hours for other triggers), and the required corrective action. (b) The certificate status in the public registry is updated to SUSPENDED. (c) The Certificate Holder must comply with badge cessation requirements within 48 hours.

5.3. Suspension Duration. A suspension remains in effect until: (a) the Certificate Holder submits a corrected governance graph bundle that passes all verification checks at the certified tier level; and (b) the Certification Body confirms reinstatement.

5.4. Maximum Suspension Period. If a certificate remains suspended for more than 90 calendar days, it is automatically revoked.

6. Revocation

6.1. Revocation Triggers. A HATS certificate shall be revoked upon the occurrence of any of the following: (a) Material Misrepresentation: The Certificate Holder provided materially false or misleading information in its certification application, continuous monitoring submissions, or communications with the Certification Body. (b) Fundamental Architecture Change: The Certificate Holder made a Material Change to the certified system that renders the original certification assessment inapplicable, and the change was not reported to the Certification Body within 30 calendar days. (c) Persistent Attestation Failure: The certified system's governance graph fails HATS verification with FATAL-level violations in three or more continuous monitoring submissions within any 90-day period. (d) Breach Notification Failure: The Certificate Holder became aware of a security breach affecting the certified system's governance integrity and failed to notify the Certification Body within 72 hours. (e) Extended Suspension: The certificate has been suspended for more than 90 consecutive calendar days without reinstatement. (f) Fraudulent Use of HATS Marks: The Certificate Holder engaged in fraudulent or intentionally deceptive use of the HATS Marks. (g) Non-Payment: The Certificate Holder failed to pay required certification fees and did not cure the delinquency within 30 calendar days of notice.

6.2. Revocation Process. (a) The Certification Body issues a written revocation notice to the HATS Responsible Officer. The effective date is immediate for triggers (a), (d), and (f). For other triggers, the effective date is 15 calendar days after notice, during which the Certificate Holder may appeal. (b) The certificate status in the public registry is updated to REVOKED. (c) The Certificate Holder must cease all use of the HATS Marks within 24 hours of the revocation effective date.

6.3. Non-Reversibility. Revocation is permanent for the specific certificate. A Certificate Holder whose certificate is revoked may apply for a new certification, subject to: (a) a mandatory waiting period of 180 calendar days from the revocation date (except for revocations due solely to non-payment, which have no waiting period); (b) full re-assessment at the time of reapplication.

7. Appeal and Reassessment

7.1. Right to Appeal. A Certificate Holder may appeal a suspension or revocation decision within 30 calendar days of receiving the notice.

7.2. Appeal Process. (a) The Certificate Holder submits a written appeal to H33 at standard@h33.ai. (b) H33 convenes an independent review within 30 calendar days. The review is conducted by personnel who were not involved in the original decision. (c) The review panel issues a written decision within 60 calendar days.

7.3. Reassessment Windows. (a) 30-Day Expedited Reassessment: Available for suspensions triggered by a single FATAL-level violation that has been demonstrably remediated. (b) 60-Day Standard Reassessment: Available for suspensions triggered by ERROR-level violations or missed submissions. (c) 90-Day Full Reassessment: Required for suspensions involving multiple FATAL-level violations or credible third-party reports.

8. Public Certificate Status Registry

8.1. H33 maintains a publicly accessible certificate status registry that displays the current status of every HATS certificate ever issued.

8.2. Registry Fields. Each registry entry contains: (a) Certificate ID; (b) Certificate Holder name; (c) Certified system identifier; (d) Tier level; (e) Cryptographic profile; (f) Proof profile; (g) Issuance date; (h) Expiration date; (i) Current status (ACTIVE, SUSPENDED, REVOKED, EXPIRED); (j) Last successful continuous monitoring date; (k) Verifier link.

8.3. Status changes are reflected in the registry within one hour of the effective time. The registry exposes a machine-readable API that allows automated systems to query certificate status without authentication.

9. Stale Certificate Handling

9.1. A "stale certificate" is a certificate whose status is ACTIVE but whose last successful continuous monitoring submission is older than twice the required monitoring interval for its tier. Stale certificates are flagged in the public registry. A stale certificate not cured within 30 calendar days is automatically suspended.

10. Incident Disclosure and Record Retention

10.1. Certificate Holders must notify the Certification Body within 72 hours of becoming aware of any incident that may affect the integrity of the certified system's governance graph. H33 retains all certificate records for a minimum of seven (7) years after the certificate's final status change.

11. Certificate Portability and Amendments

11.1. HATS certificates are not transferable. In the event of a corporate transaction, the surviving entity must apply for reassessment within 90 calendar days. H33 reserves the right to amend this policy with at least 90 days' notice.

HATS Certificate Lifecycle Policy v1.0 -- H33.ai, Inc.