HATS Marketing Claims Policy

DRAFT -- Subject to revision by legal counsel

1. Purpose and Scope

1.1 Purpose

This policy governs the use of language, claims, and representations made in connection with the HATS (H33 Attestation and Trust Standard) in marketing materials, press releases, product documentation, sales collateral, websites, social media, and all other public communications. The purpose is to ensure that all public claims about HATS certification and the HATS standard are accurate, substantiated, and not misleading.

1.2 Applicability

This policy applies to:

(a) H33.ai, Inc. and its employees, contractors, and agents ("Internal Parties") in all marketing and communications regarding the HATS standard; (b) Certified organizations that have achieved HATS certification and wish to reference their certification status; (c) Partners, resellers, and affiliates authorized to market HATS-related products or services; (d) Assessors and auditors qualified under the HATS Auditor and Assessor Independence Policy (HATS-GOV-006) who reference HATS in their marketing.

1.3 Enforcement Authority

The Issuing Authority (H33.ai, Inc. or its successor) is responsible for enforcing this policy. Enforcement actions are described in Section 9.

2. Approved Language

2.1 Approved Terms and Phrases

The following terms and phrases are approved for use in public communications regarding the HATS standard, subject to the accuracy requirements in this policy:

(a) "HATS-certified" -- An organization that has achieved certification through a HATS assessment at the applicable tier. Use only when certification is current and not suspended or revoked.

(b) "HATS-conformant" -- An implementation that has achieved 100% pass rate against the Canonical Test Vectors for the applicable version, as defined in the HATS Conformance Testing License (HATS-GOV-002). This is a technical property of software, not an organizational certification.

(c) "Continuously attested" -- Systems operating under HATS governance that produce verifiable governance receipts on an ongoing basis, not solely at point-in-time audit intervals.

(d) "Independently verifiable" -- HATS verification requires zero network access, zero API keys, and zero trust in H33 or any platform, as defined in the Verifier Guarantees.

(e) "Governance-proven" -- Governance decisions that are cryptographically committed, deterministically replayable, and independently verifiable through the HATS framework.

(f) "Post-quantum attested" -- Systems whose governance receipts are signed using post-quantum signature schemes (ML-DSA-65 by default) as defined in the HATS cryptographic profiles.

(g) "Deterministically replayable" -- Same governance graph plus same timestamp produces identical frame hash across all conformant implementations.

2.2 Usage Requirements for Approved Terms

Each approved term carries specific accuracy requirements:

(a) "HATS-certified" shall be followed by the tier level and scope (e.g., "HATS-certified at Tier 2 for payment processing governance"). General claims of "HATS-certified" without tier and scope are prohibited.

(b) "HATS-conformant" shall specify the version and proof profile (e.g., "HATS-conformant with HATS v1.0 test vectors, HATS-PROOF-HASH-ONLY-v1").

(c) "Independently verifiable" shall not be modified with qualifiers that imply more than the Verifier Guarantees provide (e.g., do not say "independently verifiable as mathematically correct" -- HATS does not guarantee content correctness).

3. Prohibited Language

3.1 Absolutely Prohibited Terms

The following terms and phrases shall not be used in any public communication regarding the HATS standard or HATS certification, whether by Internal Parties, certified organizations, or partners:

(a) "Hack-proof" or "unhackable" -- HATS does not prevent security breaches; it provides governance attestation and auditability.

(b) "Breach-proof" -- No standard can guarantee the prevention of all security breaches.

(c) "Fully compliant" -- HATS is a conformance standard, not a comprehensive compliance framework. HATS certification does not constitute compliance with any regulatory requirement unless explicitly stated by the relevant regulator.

(d) "Government-approved" -- Unless and until a specific government agency has issued formal approval or recognition of the HATS standard, this phrase is misleading and prohibited.

(e) "Eliminates risk" -- HATS provides governance evidence and auditability; it does not eliminate risk.

(f) "Guarantees security" -- HATS provides structural, cryptographic, and governance guarantees as defined in the Verifier Guarantees document. It does not guarantee the security of the underlying systems being governed.

(g) "Zero-trust verified" -- While HATS verification requires zero trust in H33, the phrase "zero-trust" in the cybersecurity context has a specific meaning (NIST SP 800-207) that HATS does not fully address. Do not conflate HATS independent verification with a zero-trust architecture.

(h) "Replaces [SOC 2 / PCI DSS / ISO 27001 / FedRAMP / any named standard]" -- HATS is complementary to existing compliance frameworks, not a replacement.

(i) "100% secure" or "complete security" -- No system or standard provides complete security.

(j) "Certified by H33" when referring to Tier 1 self-assessment -- Tier 1 is self-assessment with verifier output. Only Tier 2 and Tier 3 involve external assessment.

3.2 Contextually Prohibited Phrases

The following phrases are prohibited unless accompanied by the specified qualification:

(a) "HATS-certified" without tier and scope designation -- Always specify the tier level and the scope of certification.

(b) "Verifies correctness" without clarification that HATS verifies governance structure, not computational correctness -- Include the distinction from the "What HATS Does NOT Guarantee" section of the Verifier Guarantees.

(c) "Real-time verification" -- HATS verification is batch-oriented. Do not claim real-time verification unless the specific implementation has been independently benchmarked and the claim specifies the implementation, not the standard.

4. Rules for Certified Organizations

4.1 Describing Certification

Certified organizations may describe their certification in public communications subject to the following rules:

(a) Tier and scope required. Every public reference to HATS certification must include the tier level (Tier 1, Tier 2, or Tier 3) and the scope of certification (the specific systems, processes, or domains covered by the assessment).

(b) Current status. Certification claims must reflect the current status. If certification has expired, been suspended, or been revoked, the organization must cease making certification claims within five (5) business days of the status change.

(c) Certification date. Public claims should include the certification date or the period of validity (e.g., "HATS-certified at Tier 2 since May 2026" or "HATS Tier 2 certified, valid through May 2027").

(d) No extrapolation. Certification at one tier does not imply certification at a higher tier. Certification for one scope does not imply certification for a broader scope. Organizations shall not make or imply claims beyond their actual certification.

4.2 Approved Certification Language Examples

The following are examples of approved language for certified organizations:

- "[Organization] has achieved HATS Tier 2 certification for its AI model governance pipeline, independently assessed by [Assessor Name]." - "[Organization]'s identity verification system is HATS-certified at Tier 3, covering biometric enrollment, authentication, and lifecycle governance." - "Our governance infrastructure is continuously attested under HATS v1.0, with independent verification available to any party."

4.3 Prohibited Certification Language Examples

The following are examples of prohibited language:

- "[Organization] is HATS-certified." (Missing tier and scope.) - "Our systems are fully HATS-compliant." ("Fully compliant" is prohibited.) - "HATS certification proves our AI is trustworthy." (Implies content correctness guarantee that HATS does not provide.) - "We are the first HATS-certified company." (Unless independently verifiable as factually accurate and approved by the Issuing Authority.)

5. Partner, Reseller, and Affiliate Rules

5.1 Authorized Partners

Partners, resellers, and affiliates who are authorized to market HATS-related products or services shall:

(a) Execute a partner agreement with the Issuing Authority that incorporates this Marketing Claims Policy by reference; (b) Submit all HATS-related marketing materials to the Issuing Authority for review prior to publication, unless the partner agreement specifies a pre-approved template; (c) Clearly distinguish between their own products and services and the HATS standard itself; (d) Not represent themselves as the Issuing Authority, a certifying body, or an official representative of the HATS standard without written authorization.

5.2 Reseller Obligations

Resellers of HATS-related products or services shall:

(a) Use only materials provided or approved by the Issuing Authority or the primary vendor; (b) Not make claims about HATS capabilities that exceed those in the approved materials; (c) Direct technical inquiries about the HATS standard to the Issuing Authority.

6. Social Media and Digital Communications

6.1 General Guidelines

All parties subject to this policy shall observe the following guidelines for social media and digital communications:

(a) Apply the same accuracy standards to social media posts, blog entries, forum comments, and digital advertisements as to formal marketing materials; (b) Character-limited formats (e.g., social media posts) shall link to a full-form description that includes the required tier and scope information; (c) User-generated content (e.g., customer testimonials, case studies) that references HATS shall be reviewed for compliance with this policy before publication or amplification by any party subject to this policy.

6.2 Hashtags and Keywords

The use of hashtags and keywords related to HATS (e.g., #HATS, #HATScertified) is permitted provided the associated content complies with this policy. Hashtags do not substitute for the required tier and scope disclosures.

7. Press Releases

7.1 Pre-Publication Review

Any press release that references the HATS standard, HATS certification, or HATS conformance shall be submitted to the Issuing Authority for accuracy review at least ten (10) business days prior to intended publication.

7.2 Issuing Authority Review

The Issuing Authority shall review submitted press releases solely for factual accuracy regarding the HATS standard and certification claims. The Issuing Authority does not review or approve marketing strategy, competitive positioning, or claims unrelated to HATS.

7.3 Review Response

The Issuing Authority shall respond to press release submissions within seven (7) business days with one of the following:

(a) Approved -- The press release may be published as submitted; (b) Approved with modifications -- The press release may be published with the specified corrections, which shall be limited to factual accuracy regarding HATS; (c) Not approved -- The press release contains materially inaccurate claims about HATS that cannot be corrected through minor modifications. The Issuing Authority shall provide a written explanation.

7.4 Expedited Review

For time-sensitive announcements, the Issuing Authority shall make commercially reasonable efforts to provide review within three (3) business days upon request.

8. Internal H33 Marketing Guidance

8.1 Standard Description

When describing the HATS standard, H33.ai personnel shall use the following canonical description:

"HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls."

8.2 Positioning

HATS shall be positioned as:

(a) A technical conformance standard -- not a product, not a service, not a regulatory framework; (b) Complementary to existing compliance frameworks (SOC 2, PCI DSS, ISO 27001, FedRAMP) -- not a replacement; (c) Built on deterministic, independently verifiable governance -- not on trust in H33.ai or any vendor; (d) Applicable to any governance domain, with particular strength in AI governance, financial systems, and critical infrastructure.

8.3 Competitive Positioning

H33.ai personnel shall not:

(a) Disparage other standards or standards bodies in connection with HATS marketing; (b) Claim that HATS is the only standard addressing a particular governance need, unless factually accurate and independently verifiable; (c) Position HATS as competing with regulatory requirements (HATS helps meet requirements, not replace them).

9. Enforcement

9.1 Enforcement Levels

Violations of this Marketing Claims Policy are addressed through the following graduated enforcement process:

Level 1 -- Written Warning. Upon identification of a violation, the Issuing Authority shall issue a written warning to the violating party, identifying the specific violation, the required corrective action, and a cure period of no more than fifteen (15) business days.

Level 2 -- Mark Suspension. If the violation is not corrected within the cure period, or if the same party commits a second violation within twelve (12) months, the Issuing Authority may suspend the violating party's right to use the HATS Marks for a period of up to ninety (90) calendar days.

Level 3 -- Certification Revocation. For willful, repeated, or materially harmful violations, the Issuing Authority may revoke the violating party's HATS certification and permanently revoke the right to use the HATS Marks. Revocation decisions may be appealed under the dispute resolution process in the HATS Standards Governance Model (HATS-GOV-001).

9.2 Reporting Violations

Any party may report a suspected violation to the Issuing Authority at standard@h33.ai. Reports shall include the specific communication at issue, the provision of this policy believed to be violated, and any supporting evidence.

9.3 Public Record

Enforcement actions at Level 2 (Mark Suspension) and Level 3 (Certification Revocation) shall be published on the HATS Standards Registry. Level 1 warnings are confidential unless the violation is not cured within the specified period.

10. Amendments

This Marketing Claims Policy may be amended through the governance process defined in the HATS Standards Governance Model (HATS-GOV-001). Amendments affecting the list of prohibited terms (Section 3) or the enforcement process (Section 9) require a minimum sixty (60) day Public Comment Period.

11. Effective Date

This policy is effective as of the date of publication by the Issuing Authority and applies to all public communications made on or after that date. Existing materials published prior to the effective date shall be brought into compliance within ninety (90) calendar days.

HATS Marketing Claims Policy v1.0 -- H33.ai, Inc.