Non-certification boundaries

Before sharing assurance output

Use this page before an assurance pack, procurement pack, diagnostic summary, SOC 2/ISO checklist, public report, PDF export or buyer-facing summary leaves the private workspace. WebRiskOps output should stay tied to observed evidence, customer review and explicit external decision boundaries.

• Use evidence packs as supporting material
• Check boundary status before sharing any assurance output with buyers, auditors, attorneys, regulators or procurement reviewers.
• Keep claims tied to evidence pack rows, checklist rows, report artifacts, diagnostics, dates and supported next actions.
• Stop when `ASSURANCE_NON_CERTIFICATION_BOUNDARY`, `ASSURANCE_LEGAL_BOUNDARY_REQUIRED`, `REVIEWER_DECISION_REQUIRED`, `ASSURANCE_BOUNDARY_REQUIRED`, `UNSAFE_CLAIM_WORDING` or `REPORT_PUBLICATION_BLOCKED` applies.

Confirm assurance boundary wording

Follow the path `Assurance pack → Evidence or checklist output → Boundary wording → Customer review → External share or stop`.

1. Open `/saas-procurement-pack` or the related evidence pack from `/reports/{report}` before sharing assurance output. Result: the customer sees the pack, checklist, report evidence and sharing controls before external wording is used.
2. Check `non_certification_boundary_status`, `assurance_boundary_acknowledged_at` and `external_reviewer_status`. Result: the product shows whether the customer acknowledged the assurance boundary and whether an outside reviewer decision is still pending.
3. Read `disclaimer_text` and confirm it appears with the evidence pack, checklist export, public report or PDF output. Result: shared output is framed as observed technical evidence and customer-owned support material.
4. Confirm each `evidence_pack_id` and `evidence_checklist_status` row links to an artifact, date, scan, diagnostic, retest or customer-supplied document. Result: recipients can trace what WebRiskOps actually observed.
5. Remove wording that says certified, guaranteed compliant, audit-approved, attested, buyer-approved, vulnerability-free or complete coverage. Result: unsupported wording is blocked before publication.
6. If a buyer, auditor, attorney, regulator or customer decision owner must decide, keep `REVIEWER_DECISION_REQUIRED` visible. Result: WebRiskOps evidence does not become the external decision itself.
7. If the customer asks for a formal opinion, certification, attestation or regulatory interpretation, stop the product handoff and route that need outside WebRiskOps. Result: `ASSURANCE_LEGAL_BOUNDARY_REQUIRED` protects the product boundary.
8. Before public report, PDF, print, ticket export or procurement handoff, verify `publication_status` and `customer_review_required`. Result: private, stale or unapproved assurance output cannot leave the workspace.
9. If unsafe wording remains, keep `ASSURANCE_NON_CERTIFICATION_BOUNDARY`, `ASSURANCE_BOUNDARY_REQUIRED` or `UNSAFE_CLAIM_WORDING` visible. Result: `REPORT_PUBLICATION_BLOCKED` prevents sharing until wording is corrected.
10. Continue to Assurance and procurement packs, SOC 2 and ISO evidence checklists or Non-certification and legal boundaries after the boundary is ready. Result: assurance output and report output use consistent evidence-based wording.

Claims assurance output can support

Use statements that describe current evidence and workflow state.

• A report, diagnostic, checklist row or evidence pack was generated from a specific account, project, report, scan, handoff or customer-supplied document.
• An issue, diagnostic signal, artifact, checklist gap or remediation status exists as of a specific date.
• A finding has supporting screenshots, HTML artifacts, issue fingerprints, severity, confidence, scope notes or provider state where available.
• A customer-reviewed questionnaire answer cites WebRiskOps evidence or identifies a missing customer-owned artifact.
• A supported next action is available, blocked, retrying, complete or outside WebRiskOps scope.

Claims assurance output must not make

Do not turn supporting material into external assurance decisions.

• Do not claim formal certification, attestation, audit opinion, regulator approval, buyer approval or contractual acceptance.
• Do not claim complete coverage of every page, control, asset, dependency, vulnerability, law, standard, buyer requirement or system.
• Do not claim an organization, store, app, integration, supplier or product is guaranteed safe, compliant or risk-free.
• Do not hide missing evidence, unsupported scope, stale diagnostics, redaction, expired artifacts or customer-owned decision gaps.
• Do not remove boundary wording from exports, public links, checklist drafts, evidence packs or buyer-facing summaries.

Ready and blocked assurance boundary states

Use these states before assurance output leaves the product.

• Assurance boundary ready means `non_certification_boundary_status`, `assurance_boundary_acknowledged_at`, `customer_review_required` and `publication_status` show the customer has reviewed the boundary.
• Reviewer decision required means `REVIEWER_DECISION_REQUIRED` keeps buyer, auditor, attorney, regulator or customer decision work outside WebRiskOps.
• Legal boundary required means `ASSURANCE_LEGAL_BOUNDARY_REQUIRED` blocks formal opinion, certification, attestation or regulatory interpretation requests.
• Unsafe wording means `UNSAFE_CLAIM_WORDING` or `ASSURANCE_BOUNDARY_REQUIRED` found unsupported approval, guarantee, complete-coverage or assurance language.
• Publication blocked means `REPORT_PUBLICATION_BLOCKED` or `ASSURANCE_NON_CERTIFICATION_BOUNDARY` stops sharing until the wording, status or customer approval is corrected.

Continue after assurance boundary review

When the boundary is ready, continue to Assurance and procurement packs or SOC 2 and ISO evidence checklists for pack-specific work. Use Non-certification and legal boundaries, Legal boundary wording or Publication gates when report output is being published or exported, and use Customer responsibilities when the customer must confirm authorization, scope and external decision ownership.