Trust Center · MEOK AI Labs

Trust, plainly stated.

We sell signed compliance attestations to companies that get audited. That means our own posture has to be auditable too. Every claim on this page is verifiable, dated, and accountable to a single named operator: Nicholas Templeman, founder, CSOAI LTD (UK Companies House 16939677).

Live signed attestations

MEOK signs its own compliance certificates with the same HMAC API customers buy. Every certificate has a verify_url any auditor can curl independently.

EU AI Act

Self-attested · auditor-verifiable

MEOK-EUAIAC-MAIN

Articles 4, 6, 9, 10, 14, 26(9), 43, 50, 72 — full crosswalk.

DORA (Reg 2022/2554)

Self-attested · auditor-verifiable

MEOK-DORA-MAIN

Operational resilience for financial entities + ICT third-party risk.

NIS2 / NIS2-UmsuCG

Self-attested · auditor-verifiable

MEOK-NIS2-MAIN

EU + Germany BSI register + Section 30 / 32 entity classification.

EU CRA (Reg 2024/2847)

Self-attested · auditor-verifiable

MEOK-CRA-MAIN

Annex IV technical documentation + 24h ENISA reporting (live 11 Sep 2026).

GDPR

Self-attested · DPIA template + Article 30 records

MEOK-GDPR-MAIN

EDPB harmonised DPIA template (14 Apr 2026) wired.

ISO/IEC 42001

Crosswalk shipped · external audit pending

MEOK-ISO42001-MAIN

AI management system controls cross-mapped to EU AI Act articles.

Security practices

All HMAC-signed attestations use SHA-256 with a server-side key never exposed to clients.
Stripe webhook signatures verified on every event — fail-loud if signature header missing.
API rate limiting: 120 req/min per IP, applied at middleware before any handler.
No PII stored beyond email + entity name in lead-capture flow; certs purge after 365 days.
All 26 PyPI packages signed at upload time; sigstore / SBOM roadmap Q3 2026.
Founder is sole technical operator; access to production is single-key + audit-logged.
Source code public on GitHub (CSOAI-ORG); third-party security review welcomed.
Open-source AGPLv3 / MIT licensing on MCP packages; commercial features licensed separately.

Sub-processors

The current vendors that process customer data on our behalf. We notify customers of material changes via email + this page.

VENDOR

PURPOSE

REGION

DPA

Vercel Inc.

Application hosting + edge CDN

EU + US (multi-region)

view →

Stripe Inc.

Payment processing

EU + US

view →

Anthropic PBC

LLM inference (when configured)

US (zero data retention on API)

view →

Cloudflare Inc.

DNS + DDoS protection (Cloudflare-fronted MCPs only)

Global

view →

Namecheap PrivateEmail

Business email (nicholas@meok.ai)

EU + US

view →

GitHub Inc. (Microsoft)

Source code hosting + CI

Global

view →

PyPI (Python Software Foundation)

Package distribution (26 MCPs)

Global

view →

Policies + verifiers

GDPR-aligned, EU + UK + Swiss data handling, retention, rights.

Commercial terms for paid tiers + free-tier signed attestations.

Security Statement →

Encryption, key handling, incident response, access controls.

Sub-processors →

Full list of vendors that may process personal data on our behalf.

Verifier →

Independent cryptographic verification of any signed MEOK certificate.

Catalogue →

All 26 published MCP packages + verify URLs.

Reporting a security issue

Found a vulnerability or compliance concern? Email security@csoai.org (mirrors to nicholas@meok.ai). 24-hour acknowledgement, 72-hour triage. We do not run a paid bug bounty yet but credit researchers in the next monthly trust update.

Last reviewed 27 April 2026. Material changes notified via email to active customers.
MEOK AI Labs is a trading name of CSOAI LTD · UK Companies House 16939677 · Registered England & Wales

CSOAI

Initializing...

Live signed attestations

MEOK signs its own compliance certificates with the same HMAC API customers buy. Every certificate has a verify_url any auditor can curl independently.

EU AI Act

Self-attested · auditor-verifiable

MEOK-EUAIAC-MAIN

Articles 4, 6, 9, 10, 14, 26(9), 43, 50, 72 — full crosswalk.

DORA (Reg 2022/2554)

Self-attested · auditor-verifiable

MEOK-DORA-MAIN

Operational resilience for financial entities + ICT third-party risk.

NIS2 / NIS2-UmsuCG

Self-attested · auditor-verifiable

MEOK-NIS2-MAIN

EU + Germany BSI register + Section 30 / 32 entity classification.

EU CRA (Reg 2024/2847)

Self-attested · auditor-verifiable

MEOK-CRA-MAIN

Annex IV technical documentation + 24h ENISA reporting (live 11 Sep 2026).

GDPR

Self-attested · DPIA template + Article 30 records

MEOK-GDPR-MAIN

EDPB harmonised DPIA template (14 Apr 2026) wired.

ISO/IEC 42001

Crosswalk shipped · external audit pending

MEOK-ISO42001-MAIN

AI management system controls cross-mapped to EU AI Act articles.

Security practices

All HMAC-signed attestations use SHA-256 with a server-side key never exposed to clients.
Stripe webhook signatures verified on every event — fail-loud if signature header missing.
API rate limiting: 120 req/min per IP, applied at middleware before any handler.
No PII stored beyond email + entity name in lead-capture flow; certs purge after 365 days.
All 26 PyPI packages signed at upload time; sigstore / SBOM roadmap Q3 2026.
Founder is sole technical operator; access to production is single-key + audit-logged.
Source code public on GitHub (CSOAI-ORG); third-party security review welcomed.
Open-source AGPLv3 / MIT licensing on MCP packages; commercial features licensed separately.

Sub-processors

The current vendors that process customer data on our behalf. We notify customers of material changes via email + this page.

VENDOR

PURPOSE

REGION

DPA

Vercel Inc.

Application hosting + edge CDN

EU + US (multi-region)

view →

Stripe Inc.

Payment processing