Trust is a working standard, not a marketing page.
Every document below is verifiable. Reports are signed, attestation letters are public, and our security posture is continuously audited. If you need something not listed here, write to trust@jilsovereign.com and we will send it.
Current certifications.
SOC 2 Type II
Current · expires Dec 2026
Twelve-month operating-effectiveness audit. Security, Availability, Confidentiality, and Privacy trust service criteria.
Request report ↓
ISO 27001:2022
Current · expires Jun 2027
Information security management system certified by an accredited body. Scope covers all retail and enterprise systems.
Download certificate ↓
PCI-DSS Level 1
Current · annual
Payment card industry data security, Level 1 (highest). All checkout flows run through tokenised, PCI-scope-minimised paths.
Attestation of compliance ↓
GDPR · Art. 27
Current
EU representative appointed. Data-processing records maintained, standard contractual clauses in place, DPA available on request.
Download DPA ↓
Six things we will never do.
Sell retail data.
We do not sell, lease, or syndicate retail data to any third party, under any commercial arrangement. Full stop. If we are acquired, this covenant transfers.
Surface natural-person attribution.
Retail products do not return real-world identity for wallet owners. Entity attribution refers to institutional counterparties only. Enforced in the query layer.
Retain payment PANs.
We tokenise at the browser. We do not retain unencrypted card numbers at any tier in our infrastructure, including backups. PCI-DSS L1 verified annually.
Accept scope creep.
If a government or commercial party asks for a retail capability outside the permissible-use policy, the answer is no — even when the economics are favourable.
Block export.
You may export a full archive of everything we hold under your retail account, including vault contents, at any time. There is no export embargo, no retention tax.
Quietly change policy.
Material changes to terms, permissible use, or privacy carry a 30-day notice to every active retail account. Breaking changes carry a 90-day window and a migration path.
Four ways to tell us.
Security disclosure.
Found a vulnerability? Responsible disclosure is welcomed. We publish advisories and credit reporters (with consent) within 90 days of fix.
Privacy & subject requests.
For access, deletion, portability, correction, and objection requests under GDPR, CCPA, and equivalent frameworks.
Law enforcement.
We respond to lawful process, subpoena, and court orders. We require specificity and we notify affected users unless legally prohibited.
Press & public.
For media enquiries, analyst briefings, and partnership questions. We answer factual questions; we do not publicise customer identities.