Startvest LLC · Trust Principles · v1.0
Why this page exists
Compliance and trust-adjacent products are easy to fake. Recent industry events have made that obvious. Buyers reasonably ask: how do I know your product isn't selling certifications instead of actual security?
This page is our answer. It documents the principles every Startvest product is built and operated under. Not a values statement. Operational rules with real teeth, enforced in code, in contracts, and in how we run the business.
If we ever drift from this page, hold us accountable.
What we won't do
We won't sell certification artifacts as the product.
If a buyer pays us, what they're paying for is actual compliance, security, or audit-readiness. The artifact (report, badge, attestation) is evidence of that work, not the product itself. A product whose value collapses if you can't generate the artifact is not a product we'll build.
We won't certify our own customers.
The auditor and the audited cannot be the same entity, and the relationship cannot be financial. We sell tooling that helps customers prepare for verification by genuinely independent third parties. CPAs, accredited assessors, regulators. We do not issue the certifications ourselves. This is the structural conflict that destroyed multiple compliance categories. We won't enter it.
We won't accept customer attestation as proof of verification.
When our product says something is verified, it means we mechanically verified it through evidence we collected and timestamped. Not because the customer told us so. When customer attestation is the only available signal, we label it explicitly as customer-attested, not as verified.
We won't ship AI-generated compliance outputs without human review.
AI is a useful tool for compliance work. It is not a substitute for accountability. Every AI-generated output that becomes part of an attestation, report, or compliance claim passes through a documented human review gate first. We log who reviewed it and what they changed. If we can't review it, we don't ship it.
We won't price in ways that reward skipping work.
“Unlimited audits for $X/year” is the marketing claim that creates structural pressure to fake the work. Our pricing ties to actual work performed, with transparency on what the customer gets. Margins don't compress as customer count grows beyond our capacity to do the work properly.
What we will do
We document our methodology publicly.
Every Startvest product publishes the methodology by which it produces compliance outputs. Not the source code. The methodology. Customers, prospects, and competitors can read exactly what we do and how. Hidden methodologies are how shortcuts get hidden.
We refund when we're wrong.
Every customer contract includes a refund clause. If our verification turns out to be wrong because of our error or oversight, we refund. This isn't generosity. It's the structural mechanism that ties our revenue to the quality of our work.
We get audited ourselves, annually, by independent third parties.
Once per year, every Startvest compliance product is reviewed by a real third-party CPA firm or security firm. They review our methodology, sample our outputs, and publish findings. We pay for it. We publish the results. Whatever they find.
We require a compliance owner on the customer side before we sell.
Before we sell to a company, we identify who at that company is responsible for the compliance outcome. A CISO, a compliance officer, someone whose job depends on the outcome being real. We don't sell to companies where compliance is “operations' problem.” That's how customers end up with worthless certifications.
We make verification states distinct.
Compliance products tend to silently default to “verified” when verification fails. Ours don't. Every compliance status in our products distinguishes between verified, unverified, failed verification, and customer-attested-only. The UI shows all four states. Reports label them. We never collapse them into a single “compliant” stamp.
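A minimal model of that rule, added here as an illustration and not code from any Startvest product: evidence resolves to exactly one of the four states, every path with missing data lands in a non-verified state, and the report keeps per-state counts instead of collapsing them into one stamp. Control names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

class Status(Enum):
    """The four states the page requires; there is no single 'compliant' value."""
    VERIFIED = "verified"
    UNVERIFIED = "unverified"
    FAILED = "failed_verification"
    CUSTOMER_ATTESTED = "customer_attested_only"

@dataclass(frozen=True)
class Evidence:
    collected_at: Optional[datetime]  # when we collected it ourselves; None if we never did
    check_passed: Optional[bool]      # outcome of our mechanical check; None if it never ran
    customer_attested: bool = False   # the customer told us the control is in place

def resolve_status(ev: Evidence) -> Status:
    """Map evidence to a status. Every missing-data path ends in a non-verified state."""
    mechanically_checked = ev.collected_at is not None and ev.check_passed is not None
    if mechanically_checked:
        return Status.VERIFIED if ev.check_passed else Status.FAILED
    # No timestamped evidence of our own: attestation alone can only ever be attested.
    if ev.customer_attested:
        return Status.CUSTOMER_ATTESTED
    return Status.UNVERIFIED

def report(controls: dict) -> dict:
    """Per-state counts for a report. Deliberately returns no overall boolean."""
    counts = {s.value: 0 for s in Status}
    for ev in controls.values():
        counts[resolve_status(ev).value] += 1
    return counts

# Constructed sample controls (hypothetical names and timestamp, not real customer data).
T = datetime(2026, 4, 25, tzinfo=timezone.utc)
SAMPLE_CONTROLS = {
    "mfa-enforced": Evidence(T, True),                                  # we checked it; it passed
    "backup-restore-tested": Evidence(T, False),                        # we checked it; it failed
    "vendor-review": Evidence(None, None, customer_attested=True),      # attested only
    "log-retention": Evidence(None, None),                              # nothing collected yet
    "encryption-at-rest": Evidence(None, True, customer_attested=True), # result without our evidence
}

if __name__ == "__main__":
    for name, ev in SAMPLE_CONTROLS.items():
        print(f"{name}: {resolve_status(ev).value}")
    print(report(SAMPLE_CONTROLS))
```

The last sample is the edge case worth noting: a passing result with no timestamped collection of our own is reported as attested, never silently promoted to verified.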
We give the communities we work with free access.
Free tiers for high-trust communities (veteran-owned businesses, disability-rights advocates, public-sector organizations) aren't marketing. They're accountability. Communities watching our work catch fakery faster than auditors do. We invite that scrutiny.
We publish our kill criteria.
For every product we operate, we publish the criteria under which we'd shut it down. Error rate thresholds. Customer satisfaction floors. Regulatory response windows. We tell you in advance what would make us walk away from a product, so you know we'd rather sunset it than damage your compliance posture.
We document our integrity status per product.
Every Startvest product has an INTEGRITY.md file in its public repository. It states which of our principles are implemented, where, and how. If a principle isn't implemented, it says so. The file is part of every release.
How we enforce this
In code, where possible
CI rules in our build pipelines block patterns that would violate these principles. Evidence chain integrity, AI output review gates, verification state completeness, default-to-verified prevention. A developer who tries to skip these in a PR gets blocked at build time, not after deploy.
In contracts
Refund-on-failure, methodology version commitment, annual audit clauses, customer compliance-owner identification. All in our standard MSA. Not optional terms. Default terms.
In operations
Anonymous whistleblower channel handled by external counsel. Quarterly board-level review of any reports. Annual public audit results. Public methodology pages with version history.
In hiring
We don't hire roles whose incentives conflict with these principles. Sales doesn't get bonused on bookings that lack a compliance owner. Engineering doesn't get bonused on shipping that skips review gates.
What we'd want a buyer to ask us
If you're evaluating a Startvest product against the principles above, here are the questions that would tell you whether we mean it:
- Show me your methodology page. Every product has one. If we can't produce it, that's the answer.
- Show me your refund clause. It's in our standard MSA. We'll send you the relevant section.
- Show me your last independent audit. Annual. Public. We'll share the most recent one for the product you're evaluating.
- Show me your INTEGRITY.md. Public on the product's repository. Direct link on request.
- Walk me through how AI output reaches a customer-facing claim. We can show you the review gate, the database fields that enforce it, and the CI rule that blocks bypassing it.
- What would make you sunset this product? Specific criteria. Public. Written down.
If you're evaluating any compliance / trust-adjacent vendor and they can't answer these questions concretely, that's information.
What's not on this page
Marketing copy. Soft commitments. “We take security seriously” language. Stock photos of locks.
Trust isn't built by saying you're trustworthy. It's built by structural commitments that make untrustworthy behavior expensive or impossible, and then exposing those commitments to scrutiny.
If we ever start sounding like a typical vendor pitch on this page, we've drifted. Tell us.
Updates
This page changes when we learn something. We version it. Recent updates:
- 2026-04-25 (v1.0). Initial publication. Hosted at claritylift.ai/trust-principles while the standalone Startvest marketing site is built.
Contact
Questions about these principles, or evidence we're not living up to them: integrity@startvest.ai
The address is monitored quarterly by independent counsel, not just by us.
Startvest LLC. SDVOSB-certified, veteran-owned. We build compliance products because the category needs operators who treat it like the trust business it is, not the volume business it became.
Per-product integrity status
Every Startvest product publishes an INTEGRITY.md with implementation status against these principles.
- ClarityLift /transparency — receipt-format trust document
- ClarityLift /privacy-architecture — procurement-grade trust spine
- ClarityLift INTEGRITY.md — per-principle status
- ClarityLift integrity audit log — append-only per-item record