HoldField

TrustEvidence

Customer-reviewable security proof, not certification

HoldField maps controls, data flows, trust boundaries, threats, compliance categories, risks, and responsibility into redacted, hash-backed review packets — evidence a customer security team can review, never an unsupported certification claim and never a path that commands the cell.

Step 01

Control catalog

Track security controls across identity, tenant isolation, artifact trust, audit, AI governance, the PLC/OT boundary, and support — each control is review evidence, never a certification.

Inputs

  • Identity and access controls
  • Tenant isolation controls
  • Artifact trust controls
  • Audit-trail controls
  • Data retention controls
  • Support redaction controls
  • AI governance controls
  • PLC/OT boundary controls
  • Evidence integrity controls

Proof generated

  • Control record receipt
  • Control status
  • Evidence references
  • Owner role
  • Gap state
  • Control hash

Where it appears in the app

  • TrustEvidence
  • EnterpriseGuard
  • CustomerTrust
  • Governance
  • Audit

AI Sense support

  • Finds missing control evidence
  • Flags stale controls
  • Flags an unsupported certification claim

Safety boundary

  • A control catalog is review evidence; it is never a certification.

Step 02

Data flow map

Every flow between EdgePod, the PWA, SignalOps, CustomerTrust, fleet summaries, and support bundles is labelled by its data class — raw station evidence stays local and no flow commands hardware.

Inputs

  • Raw station evidence (local only)
  • Redacted summaries
  • Evidence references
  • Receipt references
  • Support exports
  • Customer exports
  • Counts-only ops metrics
  • AI Sense findings

Proof generated

  • Data-flow record receipt
  • Data class label
  • Redaction state
  • Raw-evidence-included: false
  • Can-command-hardware: false
  • Flow hash

Where it appears in the app

  • TrustEvidence
  • EvidenceWorks
  • FleetWorks
  • CustomerTrust
  • SignalOps

AI Sense support

  • Flags unexpected data movement
  • Flags raw-evidence leakage risk
  • Flags a missing redaction proof

Safety boundary

  • Data flows publish and export only; a flow never commands hardware and raw evidence never leaves the station.

Step 03

Trust boundary map

The map shows the authority ladder — PLC and safety are highest, EdgePod is local inspection authority, the PWA records and reviews, the customer portal is read-only, and AI Sense guides only.

Inputs

  • PLC / safety ring
  • Machine controller ring
  • EdgePod local authority ring
  • HoldField policy ring
  • PWA human-interface ring
  • Customer portal ring
  • AI Sense guidance ring
  • Support bundle ring

Proof generated

  • Trust-boundary record receipt
  • Authority level
  • Allowed data
  • Forbidden actions
  • Evidence generated
  • Boundary hash

Where it appears in the app

  • TrustEvidence
  • EnterpriseGuard
  • Stations
  • Governance

AI Sense support

  • Warns when a request crosses a physical-authority boundary
  • Explains the authority ladder
  • Flags a boundary that lacks evidence

Safety boundary

  • A trust boundary map describes authority; it can never grant control authority.

Step 04

Threat model

Threats are mapped to mitigations, evidence, and residual risk — and a safety-source threat is never accepted or waived automatically.

Inputs

  • Cross-tenant exposure
  • Artifact tampering
  • Secret leakage
  • Support bundle leak
  • AI prompt injection
  • Unsupported claim
  • Force-PASS attempt
  • PLC-write attempt
  • Evidence tamper
  • Audit-chain break

Proof generated

  • Threat record receipt
  • Attack path
  • Affected boundary references
  • Mitigation references
  • Residual risk
  • Threat hash

Where it appears in the app

  • TrustEvidence
  • EnterpriseGuard
  • Governance
  • CustomerTrust

AI Sense support

  • Groups related threats
  • Identifies a missing mitigation
  • Highlights a residual-risk gap

Safety boundary

  • Threat-model review can never accept or waive a safety-source risk automatically.

Step 05

Compliance mapping

Map evidence to common review categories — SOC 2-like, ISO 27001-like, NIST CSF-like, IEC 62443-style, and AI governance — as review support only, never as a certification claim.

Inputs

  • SOC 2-like security controls
  • ISO 27001-like security controls
  • NIST CSF-like controls
  • IEC 62443-style OT boundary concepts
  • AI governance controls
  • Data retention controls
  • Auditability controls
  • Shared responsibility controls

Proof generated

  • Compliance-mapping record receipt
  • Framework category
  • Mapped control references
  • Evidence references
  • Gap state
  • Not-certification marker
  • Mapping hash

Where it appears in the app

  • TrustEvidence
  • CustomerTrust
  • EnterpriseGuard

AI Sense support

  • Detects unsupported certification wording
  • Flags missing evidence for a mapped control
  • Explains a mapping gap

Safety boundary

  • Compliance mapping is customer-review support; it is never a certification claim.

Step 06

Risk & exception register

Security and safety-critical exceptions stay visible until resolved or formally reviewed — a safety-critical exception can never be accepted away by software-only approval.

Inputs

  • Tenant scope gaps
  • Redaction gaps
  • Artifact trust gaps
  • Backup gaps
  • Stale restore drills
  • Audit-chain gaps
  • Support export gaps
  • AI governance gaps
  • PLC/OT boundary gaps
  • Customer portal scope gaps

Proof generated

  • Risk record receipt
  • Severity
  • Owner role
  • Evidence references
  • Exception state
  • Cannot-accept-away marker
  • Risk hash

Where it appears in the app

  • TrustEvidence
  • Governance
  • EnterpriseGuard
  • CustomerTrust

AI Sense support

  • Finds stale exceptions
  • Detects repeated gaps
  • Flags unsupported risk acceptance

Safety boundary

  • A safety-critical exception can never be accepted away by software-only approval.

Step 07

Customer responsibility matrix

Show exactly who owns which controls and decisions — physical safety and PLC logic stay customer-owned, and mapping responsibility never transfers physical safety authority to HoldField.

Inputs

  • Physical safety
  • PLC logic
  • Station commissioning
  • Customer network access
  • Evidence retention
  • Portal user management
  • Support escalation
  • Signed pack review
  • Customer acknowledgement
  • Audit export review

Proof generated

  • Responsibility record receipt
  • HoldField-owned split
  • Customer-owned split
  • Shared split
  • Evidence references
  • Boundary note
  • Item hash

Where it appears in the app

  • TrustEvidence
  • CustomerTrust
  • EnterpriseGuard

AI Sense support

  • Flags unclear ownership
  • Flags a missing acknowledgement
  • Flags an unsupported responsibility assumption

Safety boundary

  • Responsibility mapping never transfers PLC or physical-safety authority to HoldField.

Step 08

Evidence packet

Generate a deterministic, redacted security packet a customer can review — it omits raw evidence, secrets, keys, coils, paths, and identity by design, and it is evidence review, never certification or production approval.

Inputs

  • Control catalog snapshot
  • Data flow map
  • Trust boundary map
  • Threat model summary
  • Compliance mapping
  • Risk & exception register
  • Responsibility matrix
  • AI Sense security insights

Proof generated

  • Evidence packet receipt
  • Packet status
  • Included sections
  • Omissions list
  • Redacted: true
  • Certification-claimed: false
  • Packet hash

Where it appears in the app

  • TrustEvidence
  • CustomerTrust
  • SignalOps
  • EnterpriseGuard

AI Sense support

  • Checks for missing proof before export
  • Flags an unsupported claim in the packet
  • Flags a redaction gap or stale evidence

Safety boundary

  • A security packet is evidence review; it is never certification or production approval.

AI Sense flags missing proof, never certifies

AI Sense

One reading layer across every TrustEvidence step

Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.

Reads

  • Evidence bundles
  • Review events
  • QA decisions
  • Vision Twin drift
  • Commissioning blockers
  • Governance decisions
  • Station registry
  • Ops metrics

Produces

  • Findings
  • Evidence-gap warnings
  • Work-package hints
  • Commissioning questions
  • Support summaries

Never

  • No PLC writes
  • No force PASS
  • No recovery clear
  • No robot commands
  • No camera/light commands
  • No production approval
  • No evidence mutation
  • No QA decision mutation

AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.

Customer responsibility matrix

Who owns which control, decision, and responsibility

The split is explicit. The customer owns physical safety, PLC logic, and network segmentation; HoldField owns application controls and support redaction; commissioning, access review, and retention are shared. Mapping responsibility never transfers physical safety or PLC authority to HoldField.

Control area             | HoldField        | Customer       | Shared
Physical safety          |                  | owned          | evidence by reference
PLC logic                |                  | owned          | boundary attested
Station commissioning    | records evidence | owned          | FAT/SAT signoff
Application access       | owned            | user list      | role review
Portal user provisioning | enforces scope   | approves users | shared
Evidence retention       | configurable     | policy         | shared
Support redaction        | owned            | export review  |
Network segmentation     | guidance         | owned          | shared

Evidence packet

A deterministic, redacted packet a customer can review

The evidence packet carries a control-catalog snapshot, the data-flow and trust-boundary maps, a threat-model summary, the compliance mapping, the risk & exception register, the responsibility matrix, AI Sense insights, and an explicit omissions list — so a customer security team can review the posture without any station ever handing over raw internals, secrets, or a command surface.

  • control_catalog_snapshot: control status + evidence references, never raw config
  • data_flow_map: labelled flows; raw_evidence_included = false, can_command_hardware = false
  • trust_boundary_map: authority levels and forbidden actions by reference
  • threat_model_summary: threats, mitigations, residual risk; no exploit detail
  • compliance_mapping: framework-style categories, each marked not-certification
  • risk_exception_register: open risks + cannot-accept-away markers
  • responsibility_matrix: HoldField / customer / shared split, by reference
  • ai_sense_insights: ranked findings + recommended human checks
  • omissions: explicit list of what was withheld
  • packet_hash: integrity fingerprint of the redacted packet

The packet never contains:

  • raw station evidence or images
  • raw PLC coils or registers
  • secrets, tokens, or private keys
  • local file system paths
  • operator personal identity
  • camera, lighting, or robot command payloads
  • internal model details

This is customer-reviewable security evidence. It is not a SOC 2, ISO 27001, NIST CSF, IEC 62443, or third-party certification.
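As an added example (not HoldField's code; every key name and the SHA-256 choice are assumptions modelled on the packet fields listed above), this Python sketch builds a deterministic, redacted packet: forbidden keys are withheld at any depth and named in the omissions list, the safety flags are fixed to their required values, and packet_hash is computed over canonical JSON so a customer reviewer can recompute it and detect tampering.

```python
import hashlib
import json
# Assumed key names modelled on the page's "never contains" list (not HoldField's schema).
FORBIDDEN_KEYS = {"raw_evidence", "images", "coils", "registers", "secret", "token",
                  "private_key", "path", "operator_name", "command_payload"}

def redact(section):
    """Drop forbidden keys at any depth; return (clean, withheld key paths)."""
    clean, withheld = {}, []
    for key, value in section.items():
        if key in FORBIDDEN_KEYS:
            withheld.append(key)  # record only the name, never the value
        elif isinstance(value, dict):
            sub, sub_withheld = redact(value)
            clean[key] = sub
            withheld.extend(f"{key}.{k}" for k in sub_withheld)
        else:
            clean[key] = value
    return clean, withheld

def canonical(obj):
    # sorted keys + fixed separators: same content gives the same bytes and hash
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_packet(sections):
    """Assemble the redacted packet, its omissions list and its packet_hash."""
    body, omissions = {}, []
    for name, section in sections.items():
        clean, withheld = redact(section)
        body[name] = clean
        omissions.extend(f"{name}.{k}" for k in withheld)
    body["omissions"] = sorted(omissions)  # what was withheld, by name only
    body["redacted"] = True
    body["raw_evidence_included"] = False
    body["can_command_hardware"] = False
    body["certification_claimed"] = False
    body["packet_hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return body

def verify_packet(packet):  # reviewer recomputes the hash over all but packet_hash
    body = {k: v for k, v in packet.items() if k != "packet_hash"}
    return hashlib.sha256(canonical(body)).hexdigest() == packet["packet_hash"]

SAMPLE_SECTIONS = {  # constructed sample: still carries raw material before redaction
    "control_catalog_snapshot": {"identity_mfa": {"status": "implemented",
        "evidence_ref": "ev-0012", "secret": "api-key-value", "path": "/srv/hf/cfg"}},
    "data_flow_map": {"edgepod_to_pwa": {"data_class": "redacted_summary",
        "raw_evidence": "frame-bytes", "coils": [1, 0, 1]}},
}
```

Reordering the input sections yields the same packet_hash, while changing any field after the fact makes verify_packet return False.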

Signed-in teams build these packets operationally in the HoldField app, under TrustEvidence — where the control catalog, data-flow map, trust-boundary map, threat model, compliance mapping, risk & exception register, responsibility matrix, and redacted evidence packets are recorded as administrative proof, and where nothing here certifies, approves production, accepts a risk away, grants access, or commands a station.