Procurement-Grade Compliance and Zero-Trust Governance.
skill.ski Elite ($4,999/mo) ships with a scoped-token architecture, an immutable forensic audit ledger, runtime anomaly detection, a 72-hour incident reporting commitment, and a SOC 2 + GSAR 552.239-7001 alignment posture, designed for regulated environments and federal procurement workflows.
Dynamic, Time-Limited Scoped Tokens
Every write-action skill execution on Elite is gated by a scoped bearer token issued per request. Each token is bound to a specific skill slug and action, expires 90 seconds after issuance, and is single-use: the first successful presentation atomically sets consumed_at and records a token_consumed event in the forensic ledger. A replayed or reused token is checked against that existing record and rejected rather than re-executed; the atomic consume step is what makes the rejection reliable under concurrent presentation.
- Per-request token issued before write-action skills execute
- SHA-256 hash stored at rest; the plaintext token is never persisted
- Expiry: 90 seconds (configurable per deployment)
- Single-use: consumed_at set atomically on first use
- Parent token hash logged for full chain-of-custody
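The issue/consume flow above, as an added illustration rather than skill.ski's own code. It assumes an in-memory table standing in for the token store, a lock standing in for the database's atomic conditional update on consumed_at, and a 90-second TTL; the ledger tuple layout and the FakeClock helper are constructed for the example.

```python
import hashlib
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional

TTL_SECONDS = 90.0  # the page's default expiry


@dataclass
class TokenRecord:
    token_hash: str              # sha256 of the bearer token; plaintext is never stored
    skill: str
    action: str
    expires_at: float
    parent_hash: Optional[str]   # sha256 of the parent token, for chain-of-custody
    consumed_at: Optional[float] = None


class ScopedTokenStore:
    """In-memory stand-in for the token table (assumed layout). The lock plays the
    role of an atomic 'UPDATE ... SET consumed_at = now WHERE consumed_at IS NULL'."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: dict[str, TokenRecord] = {}
        self._lock = threading.Lock()
        self.ledger: list[tuple] = []  # (event_type, token_hash, detail)

    @staticmethod
    def digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, skill: str, action: str, parent_token: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        rec = TokenRecord(
            token_hash=self.digest(token),
            skill=skill,
            action=action,
            expires_at=self._clock() + TTL_SECONDS,
            parent_hash=self.digest(parent_token) if parent_token else None,
        )
        with self._lock:
            self._records[rec.token_hash] = rec
        self.ledger.append(("token_scoped", rec.token_hash, rec.parent_hash))
        return token  # plaintext is returned to the caller only

    def consume(self, token: str, skill: str, action: str) -> str:
        """Returns 'ok' exactly once per token; every other outcome is a denial."""
        h = self.digest(token)
        now = self._clock()
        with self._lock:  # lookup and consumed_at update happen as one atomic step
            rec = self._records.get(h)
            if rec is None:
                verdict = "unknown"
            elif (rec.skill, rec.action) != (skill, action):
                verdict = "scope_mismatch"
            elif now > rec.expires_at:
                verdict = "expired"
            elif rec.consumed_at is not None:
                verdict = "already_consumed"  # replay: the record is already consumed
            else:
                rec.consumed_at = now
                verdict = "ok"
        event = "token_consumed" if verdict == "ok" else "permission_denied"
        self.ledger.append((event, h, verdict))
        return verdict


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    clock = FakeClock()
    store = ScopedTokenStore(clock)
    t1 = store.issue("web-search", "write")
    outcomes = [
        store.consume(t1, "web-search", "write"),   # first use
        store.consume(t1, "web-search", "write"),   # replay of the same token
    ]
    t2 = store.issue("web-search", "write", parent_token=t1)
    outcomes.append(store.consume(t2, "file-write", "write"))  # wrong skill slug
    t3 = store.issue("web-search", "write")
    clock.advance(TTL_SECONDS + 1)
    outcomes.append(store.consume(t3, "web-search", "write"))  # past the 90 s TTL
    return outcomes
```

The ordering of checks matters: scope is compared before consumed_at, so a token replayed against a different skill is logged as a scope violation rather than a bare reuse, which is the more useful signal in the ledger.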
Immutable Cryptographic Audit Ledger
Every MCP call, token issuance, permission denial, and anomaly event for Elite accounts is written to an append-only ledger. Each row is hash-chained to the previous row, producing a tamper-evident sequence that can be independently verified from an export. UPDATE and DELETE are revoked at the database role level, not merely prevented by application logic.
- Hash-chained rows: SHA-256(prev_hash || payload || event_type)
- INSERT-only: UPDATE + DELETE revoked for all roles including service_role
- Row-level security: you read your own ledger; operator reads all
- Events logged: mcp_call, token_scoped, token_consumed, dispute_filed, admin_action, permission_denied, anomaly_detected
- Ledger export available on request for dispute resolution
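A verifier for the hash chain described above, added here as an example and not skill.ski's own tooling. It assumes the concatenation in SHA-256(prev_hash || payload || event_type) is plain byte concatenation of the hex prev_hash, a canonical JSON serialization of the payload (sorted keys, no whitespace) and the event_type string, with an all-zero prev_hash for the first row; the page does not state these serialization details, so a real export must be checked against the operator's definition. The sample rows are constructed.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS_HASH = "0" * 64  # assumed prev_hash for the first row


def canonical(payload: dict) -> str:
    # Assumed serialization: writer and verifier must agree byte-for-byte
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def row_hash(prev_hash: str, payload: dict, event_type: str) -> str:
    # SHA-256(prev_hash || payload || event_type), || as byte concatenation
    data = prev_hash.encode() + canonical(payload).encode() + event_type.encode()
    return hashlib.sha256(data).hexdigest()


def append_row(ledger: list, event_type: str, payload: dict) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS_HASH
    row = {"seq": len(ledger) + 1, "event_type": event_type, "payload": payload,
           "prev_hash": prev, "hash": row_hash(prev, payload, event_type)}
    ledger.append(row)
    return row


def verify_chain(ledger: list, expected_head: Optional[str] = None) -> tuple[bool, str]:
    """Walks the export; expected_head is a head hash held outside the database."""
    prev = GENESIS_HASH
    for row in ledger:
        if row["prev_hash"] != prev:
            return False, f"row {row['seq']}: prev_hash does not match previous row"
        if row_hash(prev, row["payload"], row["event_type"]) != row["hash"]:
            return False, f"row {row['seq']}: payload or event_type altered"
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "chain head does not match the externally held head hash (rows truncated?)"
    return True, f"{len(ledger)} rows verified"


def sample_ledger() -> list:
    # Constructed rows using event types named on the page
    ledger: list = []
    append_row(ledger, "token_scoped", {"token_hash": "ab" * 32, "skill": "web-search"})
    append_row(ledger, "mcp_call", {"skill": "web-search", "user": "alice"})
    append_row(ledger, "token_consumed", {"token_hash": "ab" * 32})
    return ledger


def tampered_edit(ledger: list) -> tuple[bool, str]:
    # Rewrite a field in the middle of the chain without recomputing hashes
    bad = copy.deepcopy(ledger)
    bad[1]["payload"]["user"] = "mallory"
    return verify_chain(bad)


def tampered_truncate(ledger: list) -> tuple[tuple[bool, str], tuple[bool, str]]:
    # Drop the newest row: undetectable by the chain alone, caught by an anchored head
    head = ledger[-1]["hash"]
    bad = ledger[:-1]
    return verify_chain(bad), verify_chain(bad, expected_head=head)
```

The truncation case is the caveat to keep in mind: a hash chain proves that the rows you were given are internally consistent, not that none were dropped from the tail. When you take a ledger export for dispute resolution, also record the current head hash somewhere the operator cannot rewrite, and pass it as expected_head on the next verification.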
Gateway-Layer Anomaly Detection
Invocation counts are checked at the gateway on every tools/call. If a user's calls to one skill exceed the per-skill threshold (default 20 calls per skill per rolling 5-minute window, set as a 95th-percentile baseline), an anomaly_detected event is written to the audit ledger and a server-side warning is emitted. V1 is alert-only; blocking thresholds are configurable per Enterprise agreement.
- Rolling 5-minute window per user per skill
- Threshold configurable via ANOMALY_THRESHOLD_PER_5MIN env var
- Anomaly events written to immutable audit ledger
- Alert-only in v1; blocking mode available under Enterprise SLA
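The rolling-window check described above, run over constructed gateway log lines; this is an added example, not skill.ski's gateway code. The log line format, the event dictionary shape and the "fire once when the count first exceeds the threshold" policy are assumptions; the threshold default and the ANOMALY_THRESHOLD_PER_5MIN variable name follow the page.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
# Constructed log format for this example; the real gateway log layout is not on the page
LINE_RE = re.compile(r"^(\S+) user=(\S+) skill=(\S+) method=tools/call$")


def threshold_from_env(default: int = 20) -> int:
    # Mirrors the page's env var with its stated default of 20
    return int(os.environ.get("ANOMALY_THRESHOLD_PER_5MIN", default))


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3)


class GatewayAnomalyDetector:
    def __init__(self, threshold: int):
        self.threshold = threshold
        self._windows = defaultdict(deque)  # (user, skill) -> call timestamps in window
        self.events: list[dict] = []

    def observe(self, ts: datetime, user: str, skill: str):
        q = self._windows[(user, skill)]
        q.append(ts)
        cutoff = ts - WINDOW
        while q and q[0] <= cutoff:  # evict calls that fell out of the rolling window
            q.popleft()
        count = len(q)
        if count == self.threshold + 1:  # fire once at the crossing, not on every later call
            event = {"event_type": "anomaly_detected", "user": user, "skill": skill,
                     "count": count, "window_end": ts.isoformat(),
                     "disposition": "alert_only"}  # v1 never blocks
            self.events.append(event)
            return event
        return None


def run(lines: list[str], threshold: int) -> list[dict]:
    det = GatewayAnomalyDetector(threshold)
    for line in sorted(lines):  # ISO-8601 UTC timestamps sort lexicographically
        parsed = parse_line(line)
        if parsed:
            det.observe(*parsed)
    return det.events


def sample_log() -> list[str]:
    # Constructed: alice makes 22 calls in under two minutes, bob makes 5,
    # then alice returns after the window has slid past her burst
    base = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{fmt(base + timedelta(seconds=5 * i))} user=alice skill=web-search method=tools/call"
             for i in range(22)]
    lines += [f"{fmt(base + timedelta(seconds=7 * i))} user=bob skill=web-search method=tools/call"
              for i in range(5)]
    lines.append(f"{fmt(base + timedelta(minutes=6))} user=alice skill=web-search method=tools/call")
    lines.append("garbage line that the parser should skip")
    return lines
```

With the default threshold the sample produces exactly one event, on alice's 21st call; her later call at 10:06 sees most of the burst evicted and stays quiet. Firing only at the crossing keeps the ledger from filling with one anomaly row per call during a sustained burst, which matters when the same ledger is what you export for a dispute.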
72-Hour Incident Reporting Commitment
skill.ski commits to notifying Elite subscribers of any confirmed security incident affecting their account data within 72 hours of discovery, consistent with SOC 2 CC7.4 (incident response) and the 72-hour timeline in GDPR Article 33. Notification is delivered to the account email on file and, where an MSA is in place, to the designated security contact.
- 72-hour notification SLA from incident discovery to subscriber notice
- Notification channel: account email + MSA security contact
- Incident scope: unauthorized access, data exposure, service integrity events
- Post-incident report provided within 14 days
- SOC 2 CC7.4 (Incident Response) alignment
SOC 2 Type II In-Progress
skill.ski is actively pursuing a SOC 2 Type II attestation (SOC 2 is an auditor's attestation report, not a certification). Current controls cover access management, logging, encryption at rest and in transit, and incident response. Audit fieldwork is scheduled for Q3 2026. Elite subscribers may request a current controls summary under NDA.
- SOC 2 Trust Services Criteria: Security (CC), Availability (A)
- Encryption: TLS 1.3 in transit, AES-256 at rest (Supabase-managed)
- Access: MFA enforced for operator accounts, service-role keys rotated quarterly
- Logging: MCP invocation log + forensic audit ledger retained 90+ days
- Audit firm engagement: in progress; Type II report targeted for Q3 2026
GSAR 552.239-7001 Alignment Posture
For federal and GSA-adjacent procurement, skill.ski's Elite tier is designed to align with GSAR 552.239-7001 (Information Technology Security Requirements). This includes documented access controls, incident reporting timelines consistent with the clause's 72-hour notification requirement, audit log retention, and a system security plan (SSP) available under a signed government-terms addendum.
- GSAR 552.239-7001 §(d): 72-hour incident notification (committed)
- Access control documentation available for procurement review
- Audit log retention: minimum 90 days, configurable up to 3 years under Enterprise addendum
- System Security Plan (SSP) available under signed government-terms addendum
- No FedRAMP authorization at this time โ SSP documents compensating controls
Monthly Compliance Report PDF
Elite subscribers receive a monthly compliance summary PDF delivered to the account email. The report includes invocation volume, anomaly events, token issuance count, audit ledger row count and hash-chain integrity check result, and any incident or security advisory for the period. Reports are generated on the first business day of each month.
- Delivery: first business day of each month
- Contents: invocation volume, anomaly count, token count, ledger integrity check
- Format: signed PDF + JSON ledger export
- Retention: 24 months of historical reports available in-portal
- Custom reporting cadence available under Enterprise MSA
Questions about our compliance posture, government addendums, or custom SLAs? Contact security@skill.ski.
This page documents current posture, not a guarantee of attestation or authorization. The SOC 2 Type II audit is in progress. GSAR alignment is self-assessed.