MEOK Attestations

HMAC + Ed25519 signed. Auditor-verifiable. No trust required.

MEOK signs its own compliance certificates with the same HMAC API customers buy. Every certificate has a verify_url any auditor can curl independently. We give you the public key. We give you the canonical message. We give you the signature. You decide whether to trust it.

Live signed attestations

All 8 frameworks below are signed and live. Click verify to audit the claim with curl. No login, no SDK, no API key.

EU AI Act

MEOK-EUAIAC-MAIN

Art 4, 6, 9, 10, 14, 26(9), 43, 50, 72

9 in-scope Articles, all signed, all auditor-verifiable.

verify →

DORA (Reg 2022/2554)

MEOK-DORA-MAIN

ICT risk mgt · 3rd-party register · incident reporting · threat-led pen-testing

Operational resilience for financial entities + ICT third-party risk.

verify →

NIS2 (Dir 2022/2555)

MEOK-NIS2-MAIN

10 governance domains · entity classification · supply-chain security

Aligned to 9 member-state transpositions (DE BSIG §8a, UK NIS Regs, NL Wbni, BE, FR, IE, IT, ES, DK).

verify →

GDPR

MEOK-GDPR-MAIN

Art 5 · Art 6 · Art 22 · Art 25 · Art 30 · Art 32 · Art 33 · Art 35 (DPIA)

DPIA-ready evidence pack with FRIA bridge for high-risk AI.

verify →

ISO 42001 (AIMS)

MEOK-ISO42001-MAIN

Cl 6 · 7 · 8 · 9 · 10

AI Management System controls mapped to EU AI Act + ISO 42005 impact assessment.

verify →

ISO 19650 (BIM)

MEOK-ISO19650-MAIN

CDE · EIR · BEP · information delivery

Construction information management with NRSWA + CHAS + CPCS bridges.

verify →

CRA (Reg 2024/2847)

MEOK-CRA-MAIN

Annex I · SBOM · Sept 2027 cliff

Cyber Resilience Act for products with digital elements.

verify →

SOC 2 (AI evidence)

MEOK-SOC2-MAIN

CC1-CC9 + AI overlay

Trust service criteria with AI-specific control additions.

verify →

How to verify (5 steps, 2 minutes)

1
Get the cert
Every attestation has a verify_url printed on it. Example: https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN
2
curl the endpoint
curl -sS 'https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN' — returns JSON with signature, issued_at, issuer, and Ed25519 public key fingerprint.
3
Verify Ed25519 offline
The response includes a base64 signature over the canonical JSON. Decode with any Ed25519 lib + the published public key at https://meok.ai/publickey.
4
Verify HMAC online
For a real-time check, POST the cert_id to https://meok.ai/api/verify and the API returns the HMAC-SHA256 over the canonical message, recomputed against the same key the customer uses to sign their own evidence.
5
Trust no one (including us)
If the signature is valid, the cert is valid. The signing keys are rotated quarterly; rotation events are signed by the previous key, so you can verify continuity. The full rotation history is at https://meok.ai/security#key-rotation.

Why both HMAC AND Ed25519?

HMAC-SHA256 is fast, online, and recoverable. It uses a shared secret (the customer's API key), so an auditor can recompute the signature in real time.

Ed25519 is asymmetric and offline-verifiable. The signing key never leaves MEOK; the verifying key is published at /publickey. An auditor can take the signed cert, the public key, and any offline Ed25519 lib (libsodium, age, tweetnacl) and verify the cert in 2 lines of Python — no MEOK infrastructure required.

Both signatures are over the same canonical JSON. If either fails, the cert is invalid. We do not ship signatures that depend on a single algorithm.

Frequently asked

How do I verify a MEOK attestation?

Every attestation carries a verify_url. curl it, e.g. curl -sS 'https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN', and you get JSON with the signature, issued_at, issuer, and the Ed25519 public-key fingerprint. No login, no SDK, no API key required.

Why does MEOK co-sign with both HMAC-SHA256 and Ed25519?

HMAC-SHA256 is fast, online, and recoverable — it uses the shared secret (the customer's API key) so an auditor can recompute it in real time. Ed25519 is asymmetric and offline-verifiable: the signing key never leaves MEOK and the verifying key is published at /publickey. Both signatures are over the same canonical JSON; if either fails, the cert is invalid.

Which frameworks have live signed attestations?

Eight frameworks are signed and live: EU AI Act (9 in-scope Articles), DORA, NIS2 (aligned to 9 member-state transpositions), GDPR (DPIA-ready with FRIA bridge), ISO 42001 (AIMS), ISO 19650 (BIM), CRA, and SOC 2 with an AI overlay.

Can I verify offline without contacting MEOK?

Yes. The response includes a base64 Ed25519 signature over the canonical JSON. Take the signed cert, the public key from /publickey, and any offline Ed25519 lib (libsodium, age, tweetnacl) and verify in two lines of Python — no MEOK infrastructure required. Signing keys rotate quarterly and rotation events are signed by the previous key, so you can verify continuity.

Open questions?

Read the full MEOK methodology (what we count, what we don't, our fail rules) or jump to the public key to start verifying offline.

CSOAI

Initializing...

Live signed attestations

All 8 frameworks below are signed and live. Click verify to audit the claim with curl. No login, no SDK, no API key.

EU AI Act

MEOK-EUAIAC-MAIN

Art 4, 6, 9, 10, 14, 26(9), 43, 50, 72

9 in-scope Articles, all signed, all auditor-verifiable.

verify →

DORA (Reg 2022/2554)

MEOK-DORA-MAIN

ICT risk mgt · 3rd-party register · incident reporting · threat-led pen-testing

Operational resilience for financial entities + ICT third-party risk.

verify →

NIS2 (Dir 2022/2555)

MEOK-NIS2-MAIN

10 governance domains · entity classification · supply-chain security

Aligned to 9 member-state transpositions (DE BSIG §8a, UK NIS Regs, NL Wbni, BE, FR, IE, IT, ES, DK).

verify →

GDPR

MEOK-GDPR-MAIN

Art 5 · Art 6 · Art 22 · Art 25 · Art 30 · Art 32 · Art 33 · Art 35 (DPIA)

DPIA-ready evidence pack with FRIA bridge for high-risk AI.

verify →

ISO 42001 (AIMS)

MEOK-ISO42001-MAIN

Cl 6 · 7 · 8 · 9 · 10

AI Management System controls mapped to EU AI Act + ISO 42005 impact assessment.

verify →

ISO 19650 (BIM)

MEOK-ISO19650-MAIN

CDE · EIR · BEP · information delivery

Construction information management with NRSWA + CHAS + CPCS bridges.

verify →

CRA (Reg 2024/2847)

MEOK-CRA-MAIN

Annex I · SBOM · Sept 2027 cliff

Cyber Resilience Act for products with digital elements.

verify →

SOC 2 (AI evidence)

MEOK-SOC2-MAIN

CC1-CC9 + AI overlay

Trust service criteria with AI-specific control additions.

verify →

How to verify (5 steps, 2 minutes)

Get the cert

Every attestation has a verify_url printed on it. Example: https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN

curl the endpoint

curl -sS 'https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN' — returns JSON with signature, issued_at, issuer, and Ed25519 public key fingerprint.

Verify Ed25519 offline

The response includes a base64 signature over the canonical JSON. Decode with any Ed25519 lib + the published public key at https://meok.ai/publickey.

Verify HMAC online

For a real-time check, POST the cert_id to https://meok.ai/api/verify and the API returns the HMAC-SHA256 over the canonical message, recomputed against the same key the customer uses to sign their own evidence.

Trust no one (including us)

If the signature is valid, the cert is valid. The signing keys are rotated quarterly; rotation events are signed by the previous key, so you can verify continuity. The full rotation history is at https://meok.ai/security#key-rotation.

Why both HMAC AND Ed25519?

Frequently asked

How do I verify a MEOK attestation?

Why does MEOK co-sign with both HMAC-SHA256 and Ed25519?

Which frameworks have live signed attestations?

Can I verify offline without contacting MEOK?