Procurement-safe request template

Minimum Evidence Required for Institutional Reliance

A procurement-safe evidence request for ministries, sovereign programmes, MDBs/DFIs, procurement, vendor risk, IT/security and auditors before approving Terra Vita Hub for programme deployment, portfolio inclusion or institutional reliance.

Download PDF request Download Institutional Pack Control Evidence Boundary Request protected evidence

Subject and purpose

Subject: Minimum Evidence Required for Institutional Reliance on Terra Vita Hub.

Purpose: To request the protected, diligence-complete artefacts required before approving Terra Vita Hub for programme deployment, portfolio inclusion, or institutional reliance.

How to use this template

Copy this request into your standard vendor-risk, IT-security, procurement or RFP questionnaire, or attach it as an annex to contract review.

Formal approval should not proceed until the evidence below has been reviewed and validated by the responsible procurement, IT/security, fiduciary and programme oversight teams.

1. Governance & Reviewer Controls

Reviewer role model and identity-preservation logic.
Escalation pathways and override visibility.
Decision-chain attribution: how reviewer actions are recorded and linked.
Audit-event samples, including timestamps, reviewer identity and evidence linkage.
Evidence lineage demonstration: versioning, attribution and export posture.

2. Security, Reliability & Operational Assurance

Encryption posture at rest and in transit.
Key management model.
Tenancy model: single-tenant, sovereign or managed.
Uptime bands and incident-response posture.
RPO/RTO expectations and disaster-recovery model.
Access-control model: roles, permissions and enforcement logic.

3. Data Lifecycle & Residency

Data residency statement: jurisdiction, storage location and residency guarantees.
Data retention and deletion logic.
Evidence versioning and immutability posture.
Export posture: formats, completeness and institution-controlled access.

4. Integration & Interoperability Controls

Integration governance: approval, monitoring and change-control.
API boundaries and data-ingestion controls.
Spatial/MRV evidence handling: ingestion, validation and linkage.
Programme-specific integration configuration, where applicable.

5. Programme-Specific Configuration

Reviewer groups and assignment logic.
Escalation configuration.
Evidence classes used.
Export and reporting configuration.
Programme-specific constraints or custom governance rules.

6. Contractual Commitments

SLA: availability, response times and support model.
Support and incident-response commitments.
Data export and termination guarantees.
Deployment-specific obligations such as residency, segregation or audit access.

7. Additional Evidence, if applicable

Independent auditability posture.
Reviewer performance and consistency metrics: RPI/RCS.
Bias and divergence detection posture: BDD.
Programme calibration logic: PCL.
Institutional oversight dashboard configuration: IOD.

Institutional position

This request reflects the minimum evidence required for institutional reliance. Public governance narrative is not a substitute for protected, verifiable, deployment-specific artefacts. Formal approval should not proceed until the evidence above has been reviewed and validated by procurement, IT/security, fiduciary teams and programme oversight.

Current attestation posture

What is public, what is status-based, and what remains protected.

Evidence domain	Current public posture	Protected diligence treatment
SOC 2	Not represented as completed in public materials.	Status, roadmap, control mapping, or third-party evidence can be provided under NDA when applicable.
ISO 27001	Alignment pages describe control intent; certification is not claimed unless separately evidenced.	Policies, control matrices, or certification artefacts are purpose-bound.
Pen-testing	Public pages identify the evidence category without publishing sensitive findings.	Frequency, scope, remediation posture, and summaries are provided only to authorised reviewers.
Deployment isolation	Single-tenant or logically separated deployment models are reviewed as configuration choices.	Architecture, hosting, residency, logging, and access proof are validated per deployment.

Reliance boundary: deployment-specific evidence, test reports, security artefacts, data residency proof, audit samples, reviewer records, and live programme proof are provided through protected diligence or under NDA, not on the public homepage.