Contract Clause Pack

“Supplier SHALL ensure that all [ACTION CLASS] decisions are issued with a Good Proof Stamp and corresponding Status Link. Buyer SHALL verify status at decision time for covered [ACTION CLASS] before reliance via the Official Verifier (verify.goodproof.mindchill.ai). Supplier acknowledges that Buyer’s reliance on the Stamp is conditioned upon successful verification.”

“If a Status Link returns NOT_VERIFIED, NEEDS_REFRESH, WITHDRAWN, or EXPIRED, or if verification cannot be performed due to network failure, timeout, TLS/certificate failure, domain mismatch, or malformed response, Buyer SHALL treat the decision as unverified and SHALL block downstream processing or escalate per [ESCALATION PATH]. Supplier acknowledges that fail-closed enforcement may result in action denial and accepts this as an intended security control.”

“Supplier agrees that material changes to [MODEL VERSION / POLICY VERSION / TOOL INVENTORY / SCOPE BOUNDARIES / VERIFIER DOMAIN / SIGNING KEYS] SHALL trigger a NEEDS_REFRESH status until re-verification is complete. Supplier SHALL notify Buyer of material changes via the method specified in [NOTIFICATION SCHEDULE].”

“Supplier may withdraw a Stamp at any time for documented security, safety, compliance, legal, fraud, or material risk events, with reason_code recorded and notice obligations per [SLA SCHEDULE]. Withdrawal is immediate at source and changes current validity; status changes are recorded and traceable via audit evidence. Supplier SHALL include a reason_code in audit evidence for each withdrawal. If webhook notifications are enabled, Supplier SHALL deliver withdrawal events to Buyer’s registered endpoint(s) per the delivery targets defined in [SLA SCHEDULE / ORDER FORM]. The live verification check (polling) remains the source of truth if webhook delivery fails or is delayed. Buyer MAY route WITHDRAWN status to [ESCALATION PATH]; Supplier acknowledges this is intended behavior.”

“For purposes of this Agreement: ‘Stamp’ means a Good Proof Stamp issued for [ACTION CLASS]; ‘Status Link’ means the machine-checkable verification endpoint; ‘Gate’ means Buyer’s enforcement point that queries the Status Link; ‘Official Verifier’ means verify.goodproof.mindchill.ai; ‘Gate Decision’ means ALLOW, BLOCK, or ESCALATE as determined by the Gate. This clause applies to all [ACTION CLASS] within scope of [COVERED SYSTEMS / ENVIRONMENTS].”

“Buyer’s Gate SHALL enforce: (a) verify_url host MUST exactly match Official Verifier or Buyer-approved verifier allowlist; (b) HTTPS only with mandatory TLS certificate validation (no insecure overrides); (c) no redirects or HTTP fallback permitted; (d) signer identity MUST match Buyer’s allowlist of permitted signers; (e) verified_at MUST be fresh within Buyer’s configured TTL (or verify-per-action); (f) response MUST correlate to the request via request_id or equivalent identifier. Any mismatch, TLS failure, redirect attempt, stale response, or missing correlation SHALL be treated as NOT_VERIFIED. Supplier SHALL not issue Stamps with verify_url pointing to domains other than the Official Verifier. Supplier SHALL provide [ADVANCE NOTICE PERIOD] notice for verifier domain or signing key changes; emergency rotation is permitted for security reasons with notice as soon as practicable. For signing key rotations, Supplier SHALL maintain an overlap window of [ROTATION OVERLAP WINDOW] to support Buyer allowlist updates.”

“Supplier SHALL ensure the Status Link response exposes fields sufficient for Buyer evidence: stamp_id, status, verified_at, expires_at, verifier_domain, signer, version, request_id, reason_code, and failure_mode (if any). Buyer SHOULD log each verification decision; minimum recommended fields: stamp_id, action_class, decision, status, verified_at, expires_at, verifier_domain, latency_ms, request_id, reason_code, failure_mode. Buyer MAY retain logs for [RETENTION PERIOD] and SHOULD protect logs against tampering (e.g., append-only storage, access controls, integrity monitoring). Upon request and subject to [NOTICE PERIOD], Supplier SHALL produce audit evidence of Stamp issuance, status changes, withdrawals, and signer/key rotations relevant to [ACTION CLASS].”

“Material changes include but are not limited to: model version, tool inventory, policy version, scope boundaries, verifier domain, and signing keys. Upon material change, Supplier SHALL transition affected Stamps to NEEDS_REFRESH status. Supplier SHALL provide [ADVANCE NOTICE PERIOD] written notice before changes to Official Verifier domain or signing keys, during which Buyer SHOULD update allowlists and configurations accordingly. For signing key rotations, Supplier SHALL maintain an overlap window of [ROTATION OVERLAP WINDOW] to support Buyer allowlist updates, unless emergency rotation is required for security reasons (in which case Supplier SHALL notify as soon as practicable).”

“Verification path excludes raw PII/PHI payloads by default; verification uses references, hashes, and scope identifiers. Buyer controls retention periods per [RETENTION SCHEDULE]. Logs SHALL be protected with access controls and integrity safeguards. Where a Data Processing Agreement (DPA) is executed, DPA terms take precedence over this clause for data handling obligations.”