Stripe-Delegated Sanctions Compliance with supplementary platform controls, immutable audit logging, and GDPR/CCPA-compliant data handling.
ISO 42001 Statement of Applicability + audit evidence for certification bodies
Includes: Statement of Applicability (38 ISO 42001 controls), Conformity File, Incident History, Trace Summary, Runtime Monitoring evidence, and auditor README.
exact.works delegates primary sanctions screening to Stripe, our payment processor. Stripe maintains comprehensive OFAC compliance programs and performs identity verification on all connected accounts. exact.works supplements this with additional platform-level controls to catch obvious bad actors before they reach Stripe onboarding.
Full compliance details are documented in our Platform Terms of Service, Section 1.8:
Defense-in-depth compliance controls
exact.works implements a multi-layered compliance architecture where Stripe serves as the primary screening authority, supplemented by platform-level controls at each stage of the seller onboarding and transaction lifecycle.
Stripe is documented as the primary sanctions screening provider in our Terms of Service.
Lightweight OFAC SDN check at account creation to catch obvious bad actors before Stripe.
Stripe account status verified at execution time for every transaction.
Every screening event logged permanently in the SanctionsScreening table.
Specially Designated Nationals List
Our Tier 2 screening checks names against the U.S. Treasury's OFAC Specially Designated Nationals (SDN) list. This is a supplementary check designed to catch obvious matches before they reach Stripe's more comprehensive screening.
Official OFAC SDN list downloaded directly from the U.S. Department of the Treasury website.
Automated cron job refreshes the SDN data daily with atomic pointer swap for zero-downtime updates.
SDN data stored in Vercel KV for low-latency serverless access with version control.
GDPR/CCPA Compliance
exact.works balances regulatory evidence requirements with data minimization principles. SanctionsScreening records are retained permanently for compliance, but personally identifiable information is minimized according to GDPR/CCPA.
IP addresses in SanctionsScreening records are automatically nullified after 90 days. A daily cron job at 3:00 AM UTC handles this cleanup.
Screening records themselves are NEVER deleted. They serve as regulatory evidence that compliance checks were performed.
While screening records cannot be deleted due to regulatory requirements, users may request access to their screening history and the personal data we hold. Contact [email protected] for data access requests.
SanctionsScreening Record Fields
Every screening event creates an immutable record in the SanctionsScreening table. These records support regulatory audits and demonstrate due diligence.
| Field | Type | Description |
|---|---|---|
| id | String | Unique screening event ID |
| userId | String | User being screened |
| screenedName | String | Name that was screened |
| screenedEntity | String? | Entity name (if applicable) |
| screenType | Enum | ACCOUNT_CREATION, TRANSACTION, MANUAL |
| screenMethod | String | OFAC_KV_CHECK, STRIPE_STATUS, etc. |
| result | Enum | CLEAR, POTENTIAL_MATCH, ERROR |
| matchDetails | JSON? | Match information if flagged |
| ipAddress | String? | IP address (nullified after 90 days) |
| screenedAt | DateTime | Timestamp of screening |
F500-grade security infrastructure
exact.works implements defense-in-depth security controls designed to meet the requirements of Fortune 500 procurement teams and enterprise security reviews.
All data stored in exact.works is encrypted at rest using AES-256. Database encryption is provided by Supabase infrastructure with customer-managed encryption keys available for enterprise plans.
All responses include security headers protecting against common web vulnerabilities.
All state-mutating operations are logged to an immutable audit trail with user context, timestamps, and action details.
HIPAA-pattern access logging tracks all data access during agent execution. Buyers can review exactly what data was accessed.
OIDC single sign-on is available now for enterprise customers using Okta, Azure AD, Google Workspace, or any OIDC-compliant identity provider. SAML 2.0 and SCIM provisioning are on our roadmap.
Contact [email protected] to configure OIDC for your organization.
Multi-framework governance infrastructure
exact.works implements governance infrastructure aligned with major AI regulatory frameworks. We observe and record — we do not adjudicate compliance. The Trace provides evidence; accredited certification bodies make determinations.
All required logging fields are present in the Trace. The platform records what the regulation requires — who provided oversight, operation period, legal effect flags, incident classification. Jurisdiction-aware routing directs evidence to the appropriate national competent authority.
exact.works addresses agentic AI security risks through exacting-time gates, typed declarations, and immutable Trace records. One risk (Model DoS) has partial coverage via Budget Ceiling — blast radius containment, not prevention.
| # | Risk | Mechanism | Status |
|---|---|---|---|
| 1 | Prompt Injection | SAISA Section 3.7 Content Environment Warranty | COVERED |
| 2 | Insecure Tool Use | ToolManifestEntry typed schema | COVERED |
| 3 | Excessive Agency | Execution Manifest scope enforcement | COVERED |
| 4 | Insufficient Human Oversight | S4.13 HITL gate — persist-scope blocks | COVERED |
| 5 | Supply Chain Vulnerabilities | Sub-SAISA + SHA-256 fingerprinting | COVERED |
| 6 | Insecure Output Handling | Trace records + ROSA independent review | COVERED |
| 7 | Sensitive Data Leakage | Permanent methodology seal + Sealed Record | COVERED |
| 8 | Overreliance on Agents | Recorder-not-judge positioning | COVERED |
| 9 | Data Poisoning | Section 3.8 Knowledge Base Integrity Warranty | COVERED |
| 10 | Model DoS | Budget Ceiling (caps blast radius) | PARTIAL |
The ComplianceAttestation model provides the evidence infrastructure for ISO 42001 certification. Seven platform-native evidence controls are auto-surfaced in conformity files for accredited certification bodies.
exact.works is trust infrastructure for AI agent transactions, not an AI system itself. The platform provides evidence, tooling, and enforcement that enables Buyers and AI Providers to satisfy NIST AI RMF requirements for their own deployments.
26 subcategories have PARTIAL coverage (require buyer-side configuration). 7 subcategories are NOT_COVERED (organizational processes outside platform scope).
One download. EU AI Act + ISO 42001 + NIST AI RMF + OWASP Agentic AI coverage. Jurisdiction-accurate: EU providers receive EU AI Act mapping; US providers receive NIST RMF mapping. Built for GRC teams and auditors.
For questions about our compliance framework or to report a concern: