Published May 3, 2026 — v4.0

Open Trust Protocol

A self-auditing security framework, published in full. No NDA. No paywall. No badge — just proof.

Trust isn't a badge you buy. It's a standard you publish.

AdaptBooks Open Trust Score: 97.70% (A+ · STRONG)

Exceeds SOC 2 Trust Service Criteria across all measured domains.

Why this document exists

The security certification industry has a transparency problem. SOC 2 Type II costs $50,000–$150,000 per audit cycle, takes 6–12 months, and produces a report that is confidential — your customers cannot read it. They see a badge and are expected to trust the authority behind it.

That model does not make sense for a company building transparent tools for small businesses. AdaptBooks customers are hardware store owners, salons, restaurants, storage operators, and freelancers. They deserve to know exactly how their data is protected — not because an auditor said so, but because they can read the evidence themselves.

The Open Trust Protocol is our answer. Every control is scored. Every score cites a current file path or commit. Every gap is disclosed. The document is published publicly. No NDA. No paywall.

The Eight Trust Domains

OTP evaluates AdaptBooks across eight security domains, each weighted by impact. The platform score is the weighted average. Domain-level evidence — file paths, commit SHAs, runbook references — is captured in the full audit document.

  #  Domain                           Weight  Score
  1  Authentication & Identity          15%    96%
  2  Data Protection & Encryption       15%   100%
  3  Input Validation & Injection       15%    96%
  4  Access Control & Authorization     15%   100%
  5  Financial Integrity                15%   100%
  6  Infrastructure & Deployment        10%   100%
  7  Monitoring & Incident Response     10%    95%
  8  Availability & Continuity           5%    88%

Domain 8 (Availability) is below 95% because multi-region database replication is a Q3 2026 enterprise-tier feature. Single-region with continuous backups + offline POS resilience is the current posture for SMB deployment.

The Clerk Principle: Delegation is Strength

AdaptBooks delegates authentication entirely to Clerk. A traditional SOC 2 auditor would treat this as a "subservice organization" carve-out and cap us below 100% on that basis alone. OTP takes the opposite position: delegating to a SOC 2 Type II certified specialist is the strongest possible control.

AdaptBooks has zero password-storage code. There is no password database to breach because it does not exist. Stripe handles payments so merchants never touch card numbers. Neon handles database security. SignalWire handles SMS. Sentry handles error monitoring. Specialists do their specialty; AdaptBooks does accounting.

The audit caught a critical CVE in our Clerk version. The G.5 audit (this version's audit run) found that @clerk/nextjs 6.37.3 had an active middleware route-protection bypass (GHSA-vqx2-fgx2-5wq9). G.5.5 patched it (6.37.3 → 6.39.3) before this document was published. We disclose it because the manifesto says we will.

What we're still working on

Honesty above optics. These are operator-pending items that cap specific domain scores below 100% until they land. None of them are hidden behind "Enterprise plan" tier-gating.

  • Apple OAuth + Microsoft OAuth in Clerk Dashboard — June 2026.
  • TOTP authenticator app + backup codes — June 2026.
  • UptimeRobot 3-monitor configuration — pre-launch.
  • Sentry → Slack click-path verification (procedure documented, exercise pending) — pre-launch.
  • First DR drill execution + empirical RTO measurement — pre-launch.
  • First tabletop exercise — pre-launch.
  • Multi-region database replication — Q3 2026 (enterprise tier).

Read the full audit

The full v4.0 document — including every domain's control table, every cited file path and commit, and the SOC 2 Trust Service Criteria mapping — is published as a Markdown document in the repository.

Responsible disclosure

If you find a control we missed, a test we should run, or a gap we should close — tell us. We respond to every report and we do not pursue legal action against security researchers acting in good faith.

Email jamie@adaptensor.com. That is the point.

— Adaptensor, Inc.
Big companies build for big businesses. We build big tools for small ones.
