Trustgent
The Trustgent Attestation Protocol

The Trustgent Attestation Protocol

v1.0, published 2026-07-05. Every substantive change is logged in the quarterly notice-and-action report.

# The Trustgent Attestation Protocol v1.0

The Trustgent Attestation Protocol is a versioned, publicly published, third-party-attestable specification for verifying AI implementation partners. It guarantees three properties: plan-blind ranking, earned-not-sold verification, and radical methodological transparency. It is named so it can be cited, versioned so it can be challenged, and published so its behaviour can be reproduced by parties outside our company. Every editorial, ranking, and audit surface on Trustgent operates under it.

This page is the specification. For operational procedure see how we verify. For the underlying platform mechanics see the methodology. For editorial voice see the editorial standards. For corrections and appeals see the corrections policy.

The three invariants

The protocol rests on three invariants. Every clause of the specification, every technical control, and every audit artifact is in service of one of these three. If any of them is violated on any page of the directory, the protocol is considered breached and the affected records are re-audited.

Invariant 1: Plan-blind ranking

Definition. A provider's position in any ranked list on Trustgent is determined only by evidence of their work. Payment to Trustgent for any product feature must not change position.

Formal statement. For any two providers p1 and p2 and any ranked list L emitted by Trustgent, the ordering of p1 and p2 in L is a function only of the ranking allowlist. The ranking allowlist is:

1. `verificationLevel` (L0 through L5, as defined below) 2. `recordCount` (count of independently verified engagement records) 3. `lastVerifiedAt` (recency of the most recent verified record)

No other signal, including subscription tier, contract value, promotional agreement, or account status, may appear in the ranking function.

How it is technically enforced. The ranking function is a single hardcoded allowlist in the platform codebase, referenced as `RANK_ALLOWLIST`. Any code path that assembles a ranked list of providers, whether for a category page, a search result, an API response, or a structured-data ItemList, passes through the same helper. That helper filters the input to the three allowlisted fields before sorting. The tier field is not in the argument shape the helper accepts. To add tier as a ranking input would require editing the constant, and that edit is guarded in code review and in the seo-lint pass that runs on every pull request.

How it is audited. Every quarter we publish the statistical correlation between subscription tier and position on the most-viewed category pages. Under the protocol this correlation is required to be indistinguishable from zero, controlling for verification level. The raw data behind the correlation, one row per provider per snapshot, is published at /transparency so an outside analyst can reproduce the calculation. Any deviation must be explained in the quarterly note or the protocol version is bumped and the anomaly is treated as a defect.

Invariant 2: Earned-not-sold verification

Definition. A provider's verification level rises only when independent evidence of their work is produced and audited. Payment to Trustgent does not raise the level. Marketing spend by the provider does not raise the level. Reputation does not raise the level.

Formal statement. For any provider p and any verification level L in {L0, L1, L2, L3, L4, L5}, `p.level = L` is true if and only if the evidence bundle attached to p satisfies the level-L acceptance criteria defined in the methodology. The evidence bundle is a set of documents, links, and interview records, each with a source, a timestamp, and a hash. The acceptance criteria are the same for every provider at that level.

The six levels are:

  • L0, claimed. The provider has a listing. No verification has taken place. L0 is a placeholder. It carries no signal.
  • L1, self-attested. The provider has filled a structured profile: services, sectors, geography, team, references. Trustgent has confirmed the profile is internally consistent and matches public records for the legal entity. No third-party corroboration yet.
  • L2, cross-referenced. Independent third-party signals corroborate the profile. LinkedIn or Crunchbase records for named team members match the profile. The provider's client-facing website matches the profile. Capability attestations from vendor partner programs, where relevant, match the claimed capability set.
  • L3, recorded proof. Client-authorized case-study evidence exists in the record: contract, deliverable summary, or written testimonial. The evidence is stored under the provider's record with the client's written authorization to use it for verification purposes.
  • L4, audited. Trustgent has conducted at least one structured interview with a named client reference and reviewed at least one documented work output. The interview follows a fixed protocol so different auditors produce comparable transcripts. The work output is examined for consistency with the claim.
  • L5, continuously monitored. L4 plus rolling audit and a freshness gate. Records that pass a validity horizon without renewal automatically drop back to L4 or lower. L5 is not a permanent award. It is a maintained state.

How it is technically enforced. The verification level on a provider record is not writable by product staff, sales staff, or the provider themselves. It is set by the outcome of the audit workflow. The audit workflow reads the evidence bundle, checks each item against the acceptance criteria, and writes the resulting level. Levels are timestamped and the transition history is retained. Any manual override requires a signed decision from the editorial function, is written to the append-only audit log, and appears in the quarterly transparency note.

How it is audited. The evidence bundle for every provider at L3 or above is reviewable on request by an auditor bound by a non-disclosure agreement. The acceptance criteria applied at each level are published in the methodology at the version in force when the audit was conducted. A methodology version diff is published every time the criteria change.

Invariant 3: Radical methodological transparency

Definition. The rules Trustgent uses to rank, verify, and describe providers are public. The rules are versioned. Changes to the rules are documented and dated. Editorial voice is subject to the same rules whether a provider is a customer or not.

Formal statement. For any editorial or ranking decision emitted on Trustgent, the version of the methodology in force at the time of that decision is retrievable, and the decision is reproducible from the public methodology given the same evidence bundle.

How it is technically enforced. Every provider page and every ranked list is tagged with the methodology version that produced it. Provider records carry a `methodologyVersion` field. When the methodology is upgraded, records are either re-audited under the new version or explicitly grandfathered with a visible note. The editorial voice constraint is enforced by the seo-lint check that runs in continuous integration. Pages carrying `neutral: true` are scanned for superlatives ("best", "top", "leading", "premium"), and pull requests fail if the check trips.

How it is audited. The full methodology history is retained in git under a public repository reference. The version-in-force at any historical date is a query, not a claim.

The specification

Versioning scheme

The protocol uses semantic versioning adapted to a specification rather than a software library.

  • Major version (v1.0 to v2.0). A change in one of the three invariants. Redefining what plan-blind means, redefining what earned-not-sold means, redefining the scope of the transparency obligation. A major version bump requires all provider records to be re-audited.
  • Minor version (v1.0 to v1.1). A change in the level acceptance criteria or the evidence taxonomy that does not violate the invariants. For example, adding a new type of admissible corroborating signal at L2, or tightening the freshness horizon at L5. A minor version bump requires re-audit of affected records only.
  • Patch version (v1.0 to v1.0.1). A clarification, a wording fix, a typographical correction. No re-audit required.

What triggers a version bump

A version bump is triggered by one of: a change to the level definitions, a change to the rank allowlist, a change to the editorial voice constraint, or a substantive change to the appeals process. A version bump is not triggered by a change to the product surface that does not affect verification, ranking, or editorial voice.

Publication cadence

The protocol is reviewed on a fixed schedule at the end of each calendar quarter. Between reviews, patch-level updates may be issued as needed. Minor and major changes are batched to the quarterly review unless a defect makes an interim release necessary.

Backward-compatibility guarantees

A provider's verification level does not silently degrade because the methodology changed. When a minor version bump tightens criteria, affected records are flagged for re-audit, and the current level remains in force until the re-audit completes or the freshness horizon is reached. When a record cannot be brought up to the new criteria within the horizon, the level is adjusted down and the adjustment is timestamped and explained in the record.

The evidence taxonomy

The protocol recognizes a finite set of evidence types. This enumeration is the entire admissible surface for verification.

  • Entity evidence. Chamber of commerce registration, registered address, VAT identifier, legal representative. Establishes that the provider is a real legal entity.
  • Team evidence. Named individuals with public professional profiles that match the provider's claimed team. Establishes that the people exist.
  • Capability evidence. Vendor partner status, platform certifications, published case work, technical blog output. Establishes claimed technical scope. Not a substitute for outcome evidence.
  • Engagement evidence. Contract, statement of work, or engagement letter from a named client. Establishes that a specific engagement took place.
  • Outcome evidence. Deliverable summary, written client testimonial, or interview transcript with a named client reference. Establishes what the engagement produced.
  • Corroboration evidence. Independent third-party mention, press coverage, published customer list appearance. Not sufficient on its own but strengthens a bundle.

Each evidence item in a bundle is tagged with its type, its source, its date, and a hash. The audit workflow requires the type-mix appropriate to the target verification level. The type-mix is defined in the methodology.

Third-party attestability

An external auditor should be able to test the protocol without access to Trustgent's internal systems.

For plan-blind ranking, the auditor can pull the quarterly transparency dataset from /transparency, which contains, per snapshot, a row for each provider with position, verification level, record count, last-verified timestamp, and subscription tier. They can compute the tier-position correlation controlling for the ranking allowlist. Under the protocol this correlation is required to be statistically indistinguishable from zero. The auditor is invited to publish their own computation.

For earned-not-sold verification, the auditor can request the evidence bundle for any provider at L3 or above. The request is granted under a non-disclosure agreement covering the client's confidential material. The auditor can then check the bundle against the acceptance criteria in the methodology version tagged on the provider record.

For radical methodological transparency, the auditor can retrieve the methodology at any historical date from the public repository and reproduce any editorial or ranking decision on that date given the same evidence bundle.

The protocol is designed so that our integrity claims are not something a reader has to take on faith. They are queries an outside party can run.

The audit log

Every quarter Trustgent publishes an audit note at /transparency. The note contains:

  • Tier-rank statistical correlation. The correlation between subscription tier and rank position on the most-viewed category pages, computed as specified above. Required to be indistinguishable from zero.
  • Methodology version diff. Any change to the methodology since the previous quarter, with the reason for the change and the affected record count.
  • Dispute log. A count of disputes raised and their disposition, by type. Detail level respects the confidentiality of both the disputing provider and any named client.
  • Appeals resolutions. A summary of appeals to level changes, with the reasoning for the outcome, redacted only where required by confidentiality.
  • Corrections log. A list of factual corrections issued in the quarter, in accordance with the corrections policy.

The audit note is a public record. Prior quarters remain available.

What competitors cannot credibly claim

The specific claims below distinguish the protocol from the marketing pages of comparable directory services. Competitors are welcome to adopt these commitments. Adopting them requires code changes and an ongoing publication obligation, not a page change.

1. Publishing statistical proof of rank-blindness. A directory can assert that rankings are unbiased. The protocol publishes the quarterly correlation between paid tier and rank position, computed from the actual dataset, in a form an outside analyst can reproduce. A directory that has not published this dataset for a prior quarter cannot credibly claim the invariant. A directory that publishes the dataset and shows a non-zero correlation has not achieved the invariant.

2. Publishing a versioned methodology open to challenge. A directory can assert that its ranking is fair. The protocol publishes the methodology at every version, retains the history, and produces every ranking decision reproducibly from the version in force. Reasoned challenge to a specific clause of the methodology is invited and, if the challenge holds, produces a versioned change. A directory without a public methodology history cannot substantiate the reproducibility claim.

3. Publishing every appeal disposition with reasoning. A directory can assert that it takes complaints seriously. The protocol commits to publishing the disposition of every appeal to a level change or an editorial claim, with the reasoning, in the quarterly audit note. A directory that resolves appeals in private cannot demonstrate this commitment.

These three commitments are the operational surface of the invariants. They are what an outside party can check.

Related pages


The Trustgent Attestation Protocol v1.0, published 2026-07-05. Trustgent is operated by Rustenhoven Management B.V., KvK 92219500, Prinsengracht 234B, Amsterdam.