NetRisk.io
Sample fixture. Sample data - not live analysis. No scan, sync, AI call, or background job.

Northstar Analytics Trust Profile

A presentation-ready sample of a scoped vendor trust profile: buyer-visible claims, evidence states, missing proof, quantification caveats, and publish gates in one controlled public demo.

Product

AI procurement intelligence workspace

Criticality

Tier 2 sample vendor

Data access

Customer prompts, supplier records, procurement workflow metadata

Last reviewed

Sample timestamp: 2026-05-28

Sample decision panel

Publish Readiness

Current sample decision

Blocked by evidence gates

Trust confidence

54 / 100 sample score

Buyer-visible preview limited to claims with acceptable sample evidence

Confirmed scope

The fictional product, buyer use case, and evidence boundary are declared.

Required evidence state

Incident response evidence is missing and pen-test evidence is stale.

Unresolved contradiction check

AI training opt-out claim is contradicted by the sample FAQ.

Reviewer approval

Public sample pages cannot publish or approve a CTNE trust profile.

Evidence coverage

5 / 8 claims have usable evidence

Usable sample evidence, not a certified status

Open gaps

4

Missing, stale, contradicted, or rejected items

Reviewer queue

3

Human review required before sharing

Sample ALE

EUR 150k sample ALE

Fixture estimate with caveats

Shareability

Limited

Only buyer-visible sample claims are previewed

Publish gate

Blocked

This public sample cannot publish

Trust profile preview - sample data

Real trust-profile shape, safe public fixture

Static sample fixture. No workflow execution.

Readiness by domain

Profile Sections

Security controls

Pen-test coverage is stale for the current architecture.

Needs review

Claims

3

Evidence

3

Confidence

62%

Limited preview

Privacy and DPA

AI training opt-out language is contradicted across sample sources.

Blocked

Claims

2

Evidence

1

Confidence

38%

Do not share

Operational resilience

Incident response tabletop evidence has not been supplied.

Missing evidence

Claims

2

Evidence

0

Confidence

29%

Gap only

Subprocessors

Inventory completeness is inferred and needs vendor confirmation.

Low confidence

Claims

1

Evidence

1

Confidence

46%

Needs confirmation

Sample profile summary

Buyer-visible Preview

Demo data only. This page is not connected to tenant data, vendor research, scans, CTNE validators, Smart Validation sends, email sends, or background jobs.

Share with security

Encryption evidence is acceptable in this fixture, while pen-test coverage needs a fresh architecture-matched summary.

Share with GRC

Resilience and incident response remain evidence-thin; the profile should route those gaps to review before approval.

Share with procurement

The profile narrows the vendor follow-up to missing proof instead of restarting a full questionnaire.

Buyer questions this answers

Can security approve this vendor without a fresh pen-test summary?
Does the DPA clearly exclude customer prompts from model training?
Which missing proof should procurement request before delaying approval?

Fixture lineage

Activity Trail

Sample profile created from static fixture data

Reviewer marked API key evidence rejected because timestamp and owner were missing

Publish gate blocked by stale pen-test evidence and contradicted AI training language

Evidence and claims - sample data

Evidence requirements and claim register

Static sample fixture. No workflow execution.

Draft requests only

Evidence Requirements

Clarify AI training opt-out

Vendor security contact

High

Provide final DPA language and product FAQ language covering prompt use for model training.

Why it matters

Conflicting DPA and FAQ language blocks publish readiness.

Before buyer approval

Refresh pen-test coverage

Security reviewer

Medium

Upload a dated executive summary or attestation covering the current production architecture.

Why it matters

Existing sample report is stale and may not cover current architecture.

Before external profile share

Provide tabletop evidence

GRC reviewer

Medium

Attach a dated tabletop exercise summary, owner, scope, and remediation status.

Why it matters

The resilience claim cannot be relied on without dated evidence.

Before resilience claim can be relied on

Shared NET-45 evidence language

Claim Register

Columns: ID / owner, Claim, State, Shareability

EV-SAMPLE-001

Security

Encryption at rest is enabled for customer content

Sample SOC 2 control extract - Reviewed sample: 46 days old

The sample evidence directly supports the control claim.

verified

high confidence

Reviewer accepted for demo

buyer-visible

EV-SAMPLE-002

Procurement

SSO is available for enterprise workspaces

Sample trust center feature list - Published sample: 22 days old

Vendor-published claims are useful, but not treated as verified by default.

vendor-published

medium confidence

Needs customer-tenant confirmation

buyer-visible

EV-SAMPLE-003

Security

Admin session timeout is configured

Sample workspace configuration screenshot - Observed sample: 12 days old

Observed evidence supports review, but the sample does not prove policy coverage.

observed

medium confidence

Reviewer follow-up queued

internal-review

EV-SAMPLE-004

Legal / privacy

AI training opt-out applies to all customer prompts

Sample DPA clause and sample product FAQ - Compared sample: 8 days old

The DPA excludes training, while the FAQ says some telemetry may improve models.

contradicted

medium confidence

Blocked until clarified

blocked

EV-SAMPLE-005

GRC

Incident response tabletop completed in the last 12 months

No sample evidence supplied - Not available

NetRisk would ask only for this missing proof rather than resending a full questionnaire.

missing

none confidence

Evidence request drafted

blocked

EV-SAMPLE-006

Security

Penetration test report covers the current production architecture

Sample pen-test executive summary - Expired sample: 410 days old

Existing evidence is useful context but too old for the sample publish gate.

stale

low confidence

Refresh required

internal-review

EV-SAMPLE-007

Vendor trust

Subprocessor inventory is complete

Sample privacy page and DNS ownership hints - Inferred sample: 31 days old

Inferences help prioritize review, but do not become verified evidence.

inferred

low confidence

Needs vendor confirmation

internal-review

EV-SAMPLE-008

Security

Legacy API key rotation evidence is acceptable

Sample screenshot without timestamp or owner - Rejected sample: undated

The sample evidence lacks provenance, owner, and timestamp.

rejected

low confidence

Reviewer rejected

blocked
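
The gate rules this register implies, written out as an added example (not NetRisk's code): an open gap is any claim in a contradicted, missing, stale, or rejected state; a single gap blocks the publish gate; only buyer-visible claims reach the preview, and internal-review claims form the reviewer queue. The intake triage at the end mirrors the activity trail (evidence without owner or timestamp is rejected) and assumes a 365-day freshness window, which the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

# States the page counts as open gaps; any one of them blocks publishing.
GAP_STATES = {"contradicted", "missing", "stale", "rejected"}
MAX_AGE_DAYS = 365  # assumption: freshness window, not stated on the page


@dataclass(frozen=True)
class Claim:
    claim_id: str
    owner: str
    state: str          # verified, vendor-published, observed, inferred, or a gap state
    shareability: str   # buyer-visible, internal-review, or blocked


# Constructed from the sample claim register above (EV-SAMPLE-001..008).
REGISTER = [
    Claim("EV-SAMPLE-001", "Security", "verified", "buyer-visible"),
    Claim("EV-SAMPLE-002", "Procurement", "vendor-published", "buyer-visible"),
    Claim("EV-SAMPLE-003", "Security", "observed", "internal-review"),
    Claim("EV-SAMPLE-004", "Legal / privacy", "contradicted", "blocked"),
    Claim("EV-SAMPLE-005", "GRC", "missing", "blocked"),
    Claim("EV-SAMPLE-006", "Security", "stale", "internal-review"),
    Claim("EV-SAMPLE-007", "Vendor trust", "inferred", "internal-review"),
    Claim("EV-SAMPLE-008", "Security", "rejected", "blocked"),
]


def open_gaps(register):
    """Claims whose evidence state is a gap (missing, stale, contradicted, rejected)."""
    return [c for c in register if c.state in GAP_STATES]


def publish_gate(register):
    """'Blocked' with the blocking claims, or 'Ready' when no gap remains."""
    gaps = open_gaps(register)
    reasons = [f"{c.claim_id}: {c.state}" for c in gaps]
    return ("Blocked", reasons) if gaps else ("Ready", [])


def buyer_visible_preview(register):
    """Only buyer-visible claims are previewed; gaps never leak to the buyer."""
    return [c.claim_id for c in register if c.shareability == "buyer-visible"]


def reviewer_queue(register):
    """Internal-review items that need a human before any share."""
    return [c.claim_id for c in register if c.shareability == "internal-review"]


def triage_evidence(age_days: Optional[int], has_owner: bool, has_timestamp: bool):
    """Intake rule: no provenance -> rejected; too old -> stale; else acceptable."""
    if not (has_owner and has_timestamp) or age_days is None:
        return "rejected"
    return "stale" if age_days > MAX_AGE_DAYS else "acceptable"
```
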

Risk Register quantification - sample data

Sample risk: AI data-retention ambiguity

Static sample fixture. No workflow execution.

Fixture assumptions

Quantification Summary

Probable loss range

EUR 90k-EUR 240k

Annualized loss exposure

EUR 150k sample ALE

Confidence

Medium confidence sample estimate

Evidence health

Reduced by contradicted and missing states

Not real financial analysis

Scenario and Caveat

If customer prompts are retained longer than contract language implies, regulated buyers may require contractual remediation before approval.

Illustrative Risk Register quantification only. Values are fixture assumptions, not financial advice, not a guarantee, and not an analysis of a real vendor.

Sample contract remediation effort
Sample procurement delay impact
Sample legal review cost range
Evidence confidence reduced by contradicted and missing states

Smart Validation - sample draft only

Sample Smart Validation gap

Static sample fixture. No workflow execution.

Not sent

Draft Evidence Request

To: fictional vendor security contact

Status: Draft only - not sent

Please provide the latest incident response tabletop evidence and clarify whether AI telemetry is excluded from model training for all customer prompts.

Public demo boundary

Workflow Safety

No vendor email is sent from this page.

No Smart Validation task or CTNE validator is created.

No tenant data, paid AI call, scan, or background worker is touched.

This demo does not send email, create tasks, call Smart Validation, or contact a vendor. It shows the narrowed evidence request a reviewer might approve in an authenticated workspace.

Sample page stays illustrative

Run a real profile only inside an authenticated workspace.

Real vendor analysis belongs behind authorization, reviewer context, usage controls, and tenant boundaries. This public profile is a static presentation fixture.