# RFP — Independent attestation engagement

Withheld is soliciting a third-party attestation against the published claims
on https://withheld.io/audit. This document is the canonical RFP we send to
candidate firms and is reproduced here for transparency.

## Engagement type

ISAE 3000 (Type 2) attestation or AICPA SOC for Privacy. We prefer reporting
under a framework auditors and enterprise procurement teams already
recognise. Bespoke "marketing audits" are out of scope.

## Scope

In scope:

- Each numbered claim in `/audit-kit/claims-list.md`, measured against
  production data for the attestation period.
- Independent reproduction of the metric SQL on a frozen database
  snapshot (we provide read-only access; the snapshot lives in the
  auditor's environment for the duration of the engagement).
- Sample-based testing of evidence retention: 30 randomly drawn
  request_ids; for each, the auditor should be able to retrieve the
  full event log, broker reply (if any), and screenshot.

Out of scope:

- Subjective UX claims ("easy to use", "trusted by experts").
- Security posture beyond what we attest to. A SOC 2 examination, if
  requested, is a separate engagement.

## Period

A first attestation covering one full calendar quarter, with re-attestation
annually. The exact period start date is negotiated at engagement signing.

## Deliverables

1. A signed attestation report (PDF) covering each claim with a clear
   pass / qualified / fail disposition.
2. A short non-confidential summary suitable for publication on
   `/audit` next to the PDF download link.
3. The firm's methodology document (how it reproduced each metric).

## Access we will provide

- Read-only production database snapshot (frozen at the period end).
- A walk-through of the codebase paths that compute each metric
  (`packages/core`, `apps/worker`, `supabase/migrations`).
- Slack / email access to two engineers for the duration of the
  engagement.

## What we will NOT do

- Edit production data to favour a metric mid-attestation.
- Suppress a failed claim from the published report. If a claim
  fails, the published report says so verbatim and we commit
  publicly to a remediation timeline.

## Selection criteria

- Prior ISAE 3000 / SOC engagement experience (provide three
  redacted reference engagements).
- At least one staff member with direct GDPR / CCPA enforcement
  exposure (not just "we read the regulations").
- Quoted fixed price, not time-and-materials. We are a startup; an
  open-ended bill is a non-starter.

## Submission

Email proposals to `audit@withheld.io` with subject line
`RFP RESPONSE — <firm>`. Questions about scope welcome at the same
address.
