A Trust Center without evidence is marketing. A Trust Center with evidence is assurance.
Every claim made across the 41 pages of this Trust Center — every security control described, every compliance framework cited, every governance principle articulated, every certification target stated — exists in a document, a configuration, a log, a policy, a contract, or a record that can be independently verified. The Evidence Index is the master catalog that maps each claim to its supporting evidence.
This page does not contain the evidence itself — many evidence artifacts are confidential, client-specific, or access-restricted. Instead, it identifies what evidence exists, where it is maintained, how it is classified, and how authorized parties can access it. The Evidence Index is the table of contents for Ariana Nexus’s compliance evidence repository.
All evidence artifacts are classified into four access tiers:
Public — Available on the Trust Center website. | Anyone | Trust Center pages, public policies, accessibility statement
Client — Available to clients under executed Engagement Agreement. | Clients and prospects under NDA | SOC 2 reports, penetration test summaries, DPA templates, BAA templates
Restricted — Available to auditors and regulators under formal request. | Accredited auditors, regulators, government contracting officers | Configuration screenshots, access control logs, incident response records, personnel vetting records
Internal — Available only to Ariana Nexus personnel with need-to-know. | CEO, Compliance Team, engagement leads (per authorization) | Internal policies, HR records, financial records, vendor contracts
Privacy Policy published and current — Privacy Policy (AN-LEGAL-PP-001). Published document | Public | ariananexus.com/nexus-assurance-pages/privacy-policy
Cookie Policy with Finsweet consent management — Cookie Policy (AN-LEGAL-CP-002); Finsweet Consent Pro configuration. Published document; system configuration | Public / Restricted | Website; Webflow admin
Terms of Use with liability protections — Terms of Use (AN-LEGAL-TOU-003). Published document | Public | ariananexus.com/nexus-assurance-pages/terms-of-use
Accessibility commitment (WCAG 2.2 Level AA) — Accessibility Statement (AN-LEGAL-ACC-004); WAVE scan results. Published document; test report | Public / Client | Website; compliance files
Do Not Sell / Your Privacy Choices — DNS/YPC pages (AN-LEGAL-DNS-005, AN-LEGAL-YPC-006). Published documents | Public | Website
MFA enforced for all users — Entra ID Conditional Access policy configuration; MFA registration report. System configuration; admin report | Restricted | Microsoft 365 Admin Center
Conditional Access active — Conditional Access policy set (named policies with conditions). System configuration | Restricted | Entra ID portal
Intune device management — Intune enrollment report; compliance policy configuration; BitLocker status. System configuration; compliance report | Restricted | Intune admin center
Purview DLP policies active — DLP policy configuration; DLP incident reports. System configuration; incident logs | Restricted | Purview compliance portal
Sensitivity Labels (4-tier classification) — Sensitivity Label configuration; label usage analytics. System configuration; analytics | Restricted | Purview compliance portal
AES-256 encryption at rest — Microsoft 365 encryption documentation; BitLocker recovery key management. Platform documentation; configuration | Restricted | Microsoft documentation; Intune
TLS 1.2+ in transit — Transport rule configuration; email header analysis. System configuration; test evidence | Restricted | Exchange admin; test records
Defender for Office 365 — Defender policy configuration; threat detection reports. System configuration; security reports | Restricted | Microsoft 365 Security Center
Unified Audit Logging — Audit log search capability; log retention configuration. System configuration | Restricted | Purview compliance portal
Incident Response Plan (NIST 800-61) — IRP document; tabletop exercise records; incident log. Policy document; exercise records | Client / Restricted | Compliance files
Vulnerability Disclosure Program — VDP page (AN-TRUST-SA-VDP-007). Published document | Public | Trust Center
Cyber insurance active — Insurance certificate of coverage. Insurance document | Client | Compliance files
Third-party backup — Backup configuration; recovery test records. Configuration; test evidence | Restricted | Backup admin console
Microsoft BAA executed — Executed BAA (Microsoft Online Services DPA with BAA addendum). Executed agreement | Client | Compliance files
DPA template with SCCs and UK IDTA — DPA template document; SCC annex; UK IDTA addendum. Legal templates | Client | Legal files
HIPAA controls operational — HIPAA risk assessment; Purview PHI policies; BAA; training records. Assessment; configuration; agreement; records | Client / Restricted | Compliance files; Purview
OFAC screening program — OFAC screening records; SDN check documentation; screening policy. Screening records; policy | Restricted | Compliance files
NIST SP 800-171 Rev. 2 controls mapped (with Rev. 3 transition notes) — Control mapping document; evidence per control family. Mapping document; evidence artifacts | Client | Compliance files
Vendor due diligence — Vendor assessment records; vendor risk ratings. Assessment records | Restricted | Compliance files
ROPA maintained — Record of Processing Activities. Compliance document | Restricted | Purview / compliance files
Retention labels active — Purview retention label configuration; retention policy. System configuration | Restricted | Purview compliance portal
SAM.gov registration — SAM.gov registration confirmation. Government registration | Public | SAM.gov
8(a) application — 8(a) application documentation. Application records | Internal | SBA files
Privacy-by-Design implemented — Privacy impact assessments; design documentation. Assessment documents | Client / Restricted | Compliance files
Data Lifecycle Governance — Data retention schedule; disposition records; destruction certifications. Policy; records; certificates | Client / Restricted | Compliance files
U.S. data residency (M365) — Microsoft tenant configuration; data residency documentation. Configuration; platform documentation | Restricted | M365 admin; Microsoft docs
SCCs in DPA — Executed DPA with SCC annexes. Legal agreement | Client | Legal files
Transfer Impact Assessments — TIA documents per transfer. Assessment documents | Client | Compliance files
Sensitive population protocols — Eight protocol documents; training records; vetting records. Policy; records | Restricted | Compliance files
No-training rule — AI tool agreements; Microsoft DPA; engagement-specific terms. Agreements; policies | Client | Legal files
HITL mandatory — Engagement QA records; review layer documentation; accountability chains. Process records | Client | Engagement files
Content authenticity labeling — Labeled deliverables; labeling framework documentation. Deliverables; policy | Client | Engagement files
AI Governance Policy documented — AI Governance Policy document (six principles, prohibited practices). Policy document | Client | Compliance files
Pre-engagement AI Risk Assessment — Completed risk assessment records per engagement. Assessment records | Restricted | Engagement files
Ethical engagement decline — Decline records with documented rationale. Decision records | Internal | Governance log
Cultural Hallucination Assessment (SCHA) — SCHA methodology document; completed assessments; CHS severity records. Methodology; records | Client / Restricted | Engagement files
Cultural Knowledge Base maintained — CKB contents (Dialect Reference, Religious Practices, Historical, Terminology databases). Reference databases | Internal (Confidential) | CCB files
AI incident response procedures — AI IRP procedures; incident records; post-incident reviews. Procedures; records | Client / Restricted | Compliance files
Synthetic media governance — Synthetic media policy; authorization records; labeling documentation. Policy; records | Client | Compliance files
AI autonomy boundaries (Tier A–D) — Autonomy framework documentation; Tier D prohibition. Policy document | Public / Client | Trust Center; compliance files
Cultural Compliance Standard (AN-CCS-1.0) — CCS document with ten principles. Standard document | Client | CCB files
Cultural Compliance Scorecard — Completed Scorecards per engagement; aggregate score reports. Assessment records; analytics | Client / Restricted | Engagement files
CCB independent authority — CCB charter; override records; organizational chart showing CCB reporting to CEO. Charter; records; org chart | Client | Governance files
Three-layer validation — Validation records per engagement; gate clearance documentation; metrics. Process records; metrics | Client | Engagement files
Quality gate documentation — Gate 1, 2, 3 clearance records per deliverable. Process records | Client | Engagement files
Validation metrics tracked — Metrics dashboards; monthly/quarterly reports. Analytics; reports | Client | Engagement files
Cultural risk monitoring — Cultural Risk Register; advisory records; OSINT monitoring logs. Register; records | Restricted | CCB files
Scholar safety protocols — Scholar safety assessment records; enhanced vetting documentation; compartmentalization evidence. Assessment; records | Restricted | CCB files (Restricted access)
Language integrity standards — Seven principles documentation; red line policy; dialect coverage matrix. Policy documents | Client | CCB files
Endangered language commitment — Partnership documentation; community engagement records. Records | Client | CCB files
Certification roadmap documented — Audit Roadmap & Certifications page; internal milestone tracker. Published document; project plan | Public / Internal | Trust Center; project files
ISO 27001 advisory firm engaged — Engagement correspondence; advisory agreement. Correspondence; agreement | Internal | Compliance files
Government procurement registrations — SAM.gov confirmation; 8(a) application; GSA MAS application. Registrations; applications | Public / Internal | Government portals; files
Annual assurance calendar — Calendar document; completed activity records. Calendar; records | Client | Compliance files
Evidence Index maintained — This document; evidence repository inventory. Published document; inventory | Public / Restricted | Trust Center; compliance files
All evidence artifacts are stored within the Ariana Nexus Microsoft 365 environment, protected by the same security controls documented across this Trust Center:
SharePoint Online (Compliance Site):
- Primary repository for policy documents, assessment records, audit evidence, and compliance files.
- Access controlled by Security Groups with named-individual authorization for Restricted content.
- Sensitivity Labels applied to all evidence artifacts (Confidential or Restricted).
- Versioning enabled — all document versions retained for audit trail.
- DLP policies prevent unauthorized sharing of Restricted evidence.
Purview Compliance Portal:
- System configuration evidence (DLP policies, Sensitivity Labels, retention labels, audit logs) is accessible through the compliance portal.
- Audit log evidence is searchable and exportable for auditor review.
- eDiscovery capability available for regulatory or legal evidence collection.
Microsoft Teams (Engagement Channels):
- Engagement-specific evidence (QA records, gate clearance, Scorecard results) stored in engagement Teams channels.
- Channel access restricted to engagement team members.
Azure (Planned — 2027+):
- As the evidence repository grows, Azure-based compliance evidence management is planned for scaled storage, automated evidence collection, and compliance dashboard integration.
Evidence artifacts are retained per the following schedule:
Published Trust Center pages — Indefinite (versioned). Organizational record
Executed agreements (BAA, DPA, NDA, MSA) — Duration of agreement + 7 years. Legal; FAR 4.703
Audit reports and certifications — Duration of validity + 7 years. Audit standards; legal
Incident response records — 7 years. NIST 800-61; legal
Engagement quality records — Duration of engagement + 5 years. Quality management; legal
Personnel vetting records — Duration of employment/engagement + 3 years. HR; compliance
System configuration evidence — Current + 2 prior versions. Change management
Training records — Duration of employment/engagement + 3 years. Compliance; HR
Cultural Compliance Scorecards — Duration of engagement + 5 years. CCB governance
Financial and insurance records — 7 years. Tax; legal; insurance
Clients under an executed Engagement Agreement may request evidence through:
Method 1: Direct request. Email trust@ariananexus.com with the specific evidence needed. Requests are fulfilled within five (5) business days.
Method 2: Security questionnaire. Submit your organization’s security questionnaire (SIG, CAIQ, VSAQ, or custom). Ariana Nexus responds with evidence references for each control.
Method 3: Trust Portal (Planned Q2 2027). Self-service access to Client-tier evidence through the Ariana Nexus Trust Portal under NDA.
Method 4: On-site or virtual assessment. Schedule a security assessment session where Ariana Nexus demonstrates controls in the live environment. Available for enterprise clients and government contracting officers.
Accredited third-party auditors engaged for Ariana Nexus certification audits receive access to Restricted-tier evidence through a dedicated auditor access process:
Government regulators and contracting officers may request evidence in accordance with applicable regulatory authority:
SOC 2 (CC1–CC9) — Evidence of control design and operating effectiveness. Aligned — evidence mapped per Trust Services Criteria
ISO 27001:2022 (Clause 7.5) — Documented information management. Aligned — evidence repository with access control, versioning, retention
ISO 27001:2022 (Annex A) — Evidence per control objective. Aligned — evidence mapped per Annex A controls
NIST SP 800-171 Rev. 2 / Rev. 3 — Evidence per security requirement. Aligned — evidence mapped per Rev. 2 control families; Rev. 3 transition planned
CMMC Level 2 — Assessment evidence per practice. Aligned — evidence prepared for CMMC assessment
HIPAA (45 CFR § 164.316) — Documentation and record retention. Compliant — 7-year retention; evidence per HIPAA requirement
GDPR (Article 5(2)) — Accountability principle — demonstrate compliance. Aligned — evidence demonstrates all GDPR compliance claims
EU AI Act (Article 11) — Technical documentation for AI systems. Aligned — AI governance evidence documented
FedRAMP — System Security Plan evidence packages. Roadmap (2029–2030) — evidence collection designed for FedRAMP
ISO/IEC 42001:2023 — AI Management System documentation. Roadmap (2028) — evidence prepared for ISO 42001
NIST Cybersecurity Framework 2.0 (ID.GV, PR.DS, DE.CM) — Governance, data security, continuous monitoring evidence. Aligned — evidence supports CSF 2.0 core functions
EU AI Act (Article 12) — Record-keeping for high-risk AI systems. Aligned — AI governance records with tamper-evident logging
NIS2 Directive (Article 21) — Risk management and incident evidence. Monitoring — applicable as European operations expand
For procurement officers: Every claim in this Trust Center has a corresponding evidence artifact. When you ask “Can you prove this?”, the answer is in this index. You can request specific evidence through the methods documented above, and we will provide it within five business days.
For CISOs: This index maps every security control claim to its evidence source — system configurations, admin reports, policy documents, and incident records. You can verify our controls through a security questionnaire, a virtual assessment, or direct evidence review under NDA.
For auditors: The evidence repository is organized for efficient audit access. Temporary access is provisioned with identity verification, NDA, logging, and post-audit revocation. Evidence is versioned, tamper-protected, and retained per documented schedules.
For government contracting officers: Evidence is organized to support DFARS, CMMC, and FedRAMP assessment requirements. SAM.gov registration, NAICS codes, and 8(a) application documentation are available for procurement verification.
For all clients: This Evidence Index exists because trust requires proof. We document our evidence not because a regulation requires it — although many do — but because an organization that claims to be trustworthy must be able to demonstrate that trustworthiness on demand.
If your organization requires specific evidence, a security questionnaire response, or an evidence access arrangement, contact trust@ariananexus.com or +1 (202) 771-0224.
Evidence Availability. Not all evidence artifacts are available to all parties. Access is governed by the evidence classification tiers documented on this page. Some evidence (Internal-tier) is not available to external parties under any circumstances.
Evidence Currency. Evidence artifacts reflect the state of Ariana Nexus’s systems and controls at the time the evidence was collected. System configurations, policies, and controls evolve over time.
Third-Party Evidence. Some evidence artifacts (Microsoft platform documentation, insurance certificates, vendor certifications) are produced by third parties. Ariana Nexus does not control the accuracy or currency of third-party evidence.
Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ARIANA NEXUS’S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO EVIDENCE ACCURACY, EVIDENCE ACCESS, OR COMPLIANCE DOCUMENTATION SHALL NOT EXCEED THE AMOUNTS SET FORTH IN THE APPLICABLE ENGAGEMENT AGREEMENT, OR, WHERE NO ENGAGEMENT AGREEMENT EXISTS, ONE HUNDRED DOLLARS ($100). ARIANA NEXUS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM OR RELATED TO EVIDENCE, DOCUMENTATION, OR COMPLIANCE REPRESENTATIONS. NOTHING IN THIS SECTION SHALL LIMIT OR EXCLUDE ARIANA NEXUS’S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; OR (C) ANY OTHER LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW, INCLUDING BUT NOT LIMITED TO LIABILITY UNDER THE UK UNFAIR CONTRACT TERMS ACT 1977, THE UK CONSUMER RIGHTS ACT 2015, OR GDPR.
Dispute Resolution. Any dispute arising out of or relating to this page shall be subject to the dispute resolution provisions in the Terms of Use, Section 18.
This page is provided for informational purposes and does not constitute a warranty, guarantee, or binding commitment regarding the completeness or accuracy of Ariana Nexus’s evidence repository. Evidence artifacts are maintained in good faith. Nothing in this page shall be construed as a waiver of any right, defense, or immunity available to Ariana Nexus under applicable law.