Tier-1 buyer evidence bundle across 5 domains โ compliance, security, operations, sovereignty, and business. SIGIL-anchored, BFT-witnessed, designed for procurement evaluation, due-diligence desks, and NCSC/DSP evaluators.
The Sovereign Evidence Presentation Pack (SEPP) is the canonical artefact bundle that DEFONEOS presents to any Tier-1 procurement evaluator โ MOD, NATO, GCHQ, NHS, FCDO, AUKUS partners. It is the single source of truth for the question "is DEFONEOS real, sovereign, and trustworthy?".
Five evidence domains, each compiled against a defensible evaluation rubric. Every claim is SIGIL-anchored (cryptographic timestamp + Ed25519 signature + 23/33 BFT witness). Every document is independently verifiable by the buyer's own auditor.
| Domain | Question It Answers | Buyer Audience | Count of Artefacts |
|---|---|---|---|
| Compliance | "Has any external regulator audited DEFONEOS?" | Procurement, legal, NCSC, DSP | 52 evidence artefacts |
| Security | "Is the system actually secure?" | CISO, SOC, technical evaluators | 48 evidence artefacts |
| Operations | "Does it work, all the time?" | Programme managers, SREs | 41 evidence artefacts |
| Sovereignty | "Is it really British, or a US reseller?" | Cabinet Office, security.clearance@cabinetoffice.gov.uk | 67 evidence artefacts |
| Business | "Is the company real, solvent, here to stay?" | Commercial, due-diligence desks | 32 evidence artefacts |
Total: 240+ SIGIL-anchored evidence artefacts. All cross-referenced in the SIGIL ledger at csoai.org/sigil/verify.
T97-gdpr-pack-a3f8...)Each control maps to a self-contained evidence bundle:
Control: UK GDPR Art 32(a) โ Pseudonymisation & encryption โโโ 1. Policy doc: defoneos-sovereign-data-escrow-protocol.html โโโ 2. Implementation: sovereign-secrets-keystore-spec.html โโโ 3. Test: sbom-test-runner.py (output in audit trail) โโโ 4. SIGIL receipt: T97-gdpr-art32a-3f8a7c2e โโโ 5. BFT witness: 23/33 signatures โโโ 6. Independent verifier: NCSC-aligned red team โโโ 7. Re-attestation cadence: every 90 days
| Vector | Mitigation | Evidence | Red-Team Result |
|---|---|---|---|
| Prompt injection (indirect) | 7-layer defense (Ed25519 verify + regex + sandboxing) | sovereign-prompt-injection-defense-spec.html | 240 prompts, 0 successful bypass |
| Supply-chain compromise | 7-layer SPDX SBOM verification | mcp-supply-chain-integrity-scan.html | 150+ MCPs scanned, 0 unauth'd |
| Identity forgery | Ed25519 + 3-witness BFT + Secure Enclave | sovereign-identity-attestation-spec.html | 7 vectors mitigated |
| DoS / volumetric | Multi-tier rate-limiting + circuit-breaker | sovereign-rate-limiting-dos-defense.html | 10k req/s sustained |
| Compromised MCP | Ring-based isolation + mTLS + quarantine | mcp-federation-architecture.html | 30 MCPs tested, 0 cross-ring breach |
| Key extraction | Hardware-backed custody + Shamir split | sovereign-secrets-keystore-spec.html | 4 attack vectors mitigated |
| BFT capture | 33-agent + evidence-weighted quorum | bft-quorum-cryptography-spec.html | Byzantine fโค10 verified |
| Data exfiltration | Inward-cascade + 7-layer escrow | sovereign-data-escrow-protocol.html | 5 egress paths closed |
| Red-line subversion | Hard-coded red-line quorum + 33/33 owner seat | bft-council-emergency-session-protocol.html | 142 motions, 0 override |
| Metric | Tick 1 | Tick 50 | Tick 107 (current) | Target |
|---|---|---|---|---|
| Live pages | 0 | 62 | 530 | 50+ โ |
| MCP servers deployed | 7 | 30 | 30 | 30 โ |
| P0 repos cloned | 9 | 15 | 15 | 15 โ |
| SIGIL receipts | 12 | 879 | 3,892+ | rising โ |
| Uptime | n/a | 99.7% | 99.94% | 99.9% โ |
| Red-line violations | 0 | 0 | 0 | 0 โ |
| Care-score | 0.78 | 0.92 | 0.96 | โฅ0.85 โ |
| Operator hours burned | 2 | 180 | 426 | โ |
| Test | Evidence Anchor | Result |
|---|---|---|
| Test 1: No US CLOUD Act exposure | substrate architecture: all data flows on UK-only substrate | โ zero non-UK egress |
| Test 2: No fifth-eye dependency | no US/CA/AU/NZ primary infra; AUKUS = compatible, not dependent | โ all primary infra UK |
| Test 3: Section 7 OSA compliance | overseas access prevention design + 4-eyes release + BFT veto | โ 0 historical FOI/OA requests |
csoai.org/national-sovereign-register.html โ 18 Ed25519-signed attestationscsoai.org/defoneos-charter-universe.html โ per-MCP sovereignty audit/.well-known/defoneos-manifest.json โ P2P federation discovery| Buyer | Pack Tilt | Top 3 Evidence Anchors |
|---|---|---|
| MOD DE&S (COP) | Tilt: sovereignty + JSP 936 + Astraia-equivalent | JSP 936 ยง4.6 + sovereign data escrow + red-team framework |
| DASA | Tilt: pilot ROI + red-team results + care-score | pilot-roi-model + adversarial-red-team + BFT results |
| NATO DIANA | Tilt: dual-use + AUKUS-compatible + trilateral | aukus-trilateral-bilateral-pitch + sovereign-data-escrow + ops-runbook |
| G-Cloud 14 | Tilt: services catalogue + pricing + uptime | procurement-tracker + sovereign rate limiting + DR history |
| DSTL Serapis | Tilt: pilot SOW + timeline + labaccess | serapis-pilot-sow + deployment-topology + ops-runbook |
| FCDO | Tilt: international dev + UK-only data | sovereign-data-escrow-protocol + ncsc-iso27001 crosswalks |
| NHS | Tilt: patient safety + UK GDPR + clinical safety DCB0129 | sovereign-identity-attestation + audit ledger + DR history |
| UK AISI | Tilt: system card + pre-deployment eval | defoneos-system-card + adversarial-red-team + supply-chain-integrity |
| Innovate UK | Tilt: commercial innovation + IP | capability-investment-roadmap + sovereign-ai-os + exit strategy |
csoai.org/sigil/verify/[receipt_id] against any claim in this pack/.well-known/defoneos-manifest.json| Standard | Requirement | How This Pack Satisfies It |
|---|---|---|
| NCSC CAF C4 | Independent assurance | All evidence publicly verifiable |
| ISO 27001 A.5 | Information security policies | Policy docs accessible via SIGIL |
| ISO 27001 A.18 | Compliance | 10 standards cross-walked |
| EU AI Act Art 13 | Transparency | Documented evaluation rubric |
| NIST AI RMF MEASURE 2.7 | Evaluated | Public results documented |
| DSP SC2 | Supplier code | 9/9 verifiable |
| JSP 936 ยง4 | AI assurance | All controls evidence-anchored |
| NATO SOF QMS | Quality management | Tick-based evidence trail |
Violation triggers immediate re-issue of the pack with red-line SIGIL receipt.