Independent third-party verification

Annual audits of every claim on /trust.

Sery commits to an independent third-party audit every year. The auditor verifies the privacy and security claims we make on /trust against the actual deployed code — and the report is published here, in full, no matter what it says.

What a published audit will look like — preview shape

future · placeholder shape.pdf · ~24 pages
Sery Privacy & Security Audit · 2026 · by <auditor TBA>
2026-Q4 · Scope: claims on /trust, deployed code, data flows
Findings
— pending —
Our response
— pending —
Hash
— pending —
SHA-256 published alongside · auditor signature on file

Past audit reports

No audit reports yet — first audit targeted for Q4 2026.

When the first report lands, it will appear here as a dated PDF with the auditor's name, scope, findings, and our response. Future reports will follow the same shape.

What an audit covers

Scope is fixed before the auditor walks in, not negotiated after. Every item below maps to a specific claim or architectural commitment.

  • Code matches what is deployed

    Verify that the AGPL desktop binary distributed via GitHub releases matches the open-source code in the repo, with no undisclosed proprietary additions.

  • Privacy Policy claims match the code

    For every 'we cannot see X' claim on /trust, confirm via code review that the implementation enforces it. Cross-checked against the per-claim source links (F32).

  • No undisclosed telemetry

    Static analysis + traffic capture from a clean install to confirm there are no analytics beacons, telemetry pings, or "phone home" requests beyond what the Privacy Policy enumerates.

  • Sub-processor list is complete

    Verify the sub-processor table on /trust + DPA Annex C lists every external service that receives any user-derived data. No silent processors.

  • Storage-credentials boundary holds

    Verify that storage credentials (AWS keys, Drive OAuth tokens, SFTP passwords) stored in the OS keychain on the user's machine are never transmitted to Sery cloud — including under the cloud `/chat` agent's tunnel-fanout SQL execution path.

  • Auto-updater integrity

    Verify the desktop app fetches its update manifest directly from GitHub releases (not via Sery), and that signature verification rejects unsigned or improperly signed builds.

Schedule + commitment

First audit

Q4 2026

Auditor selection in progress; firm name will be published here when contracted (and again in the report).

Cadence after that

Annual — every year, no matter what

If a year ever passes without a published audit report, that itself is an incident and shows up on /status.

Commitment dated

A commitment without a date isn't one. This page is version-controlled in the website repo on GitHub, so any walk-back is publicly tracked.

Verify in code today, before the first audit

Audits are slow and expensive — the report won't exist for months. Until then, every claim we make has a direct link to the AGPL source that implements it. You don't need to wait for an auditor to verify the architecture.

Are you an independent security firm interested in conducting the first Sery audit? We're actively scoping. Reach out at [email protected].
