VENDOR-RISK
Public-safe mapping to common bank vendor-risk areas
This matrix maps CreditAxis posture to the vendor-risk review areas commonly used by community and regional bank vendor-risk teams. Limitations and counsel-gated items are explicit.
Governance posture. AI is assistive only. Humans approve every deliverable. AI does not approve credit. AI does not send externally. Append-only audit ledger. Global kill switch governs external action.
Alignment matrix (14 areas)
Each row publishes CreditAxis posture, current evidence status, and any limitation.
| VENDOR RISK AREA | CREDITAXIS POSTURE | EVIDENCE STATUS | LIMITATION |
|---|---|---|---|
| Access controls | Internal access is role-gated and audit-logged. | documented_internal | Independent attestation not yet completed. |
| AI governance | AI is assistive only. Humans approve all deliverables. AI cannot send, approve credit, or bypass authority. | documented_internal | AI governance attestation pending. |
| Audit logging | Append-only audit ledger with database-level enforcement. | documented_internal | Independent audit of the ledger not yet completed. |
| Business continuity | Internal BCP documented. | documented_internal | Independent BCP test not yet completed. |
| Data access boundary | No production access required for the diagnostic. Optional read-only access only for later, governed engagements. | documented_internal | Live PII not required for the diagnostic. |
| Export/deletion boundary | Customer-supplied materials can be returned or deleted at engagement close. | documented_internal | Export tooling is internally coordinated, not self-serve. |
| Human approval | Every external-use artifact requires founder approval. | documented_internal | Approval workflow is internal-only at this stage. |
| Incident response | Internal IR plan documented. | documented_internal | Independent IR exercise not yet completed. |
| Legal artifact counsel review | Counsel review required before external execution of legal documents. | pending_counsel | MSA, DPA, NDA pending counsel for external use. |
| No live PII diagnostic path | PII is not required. Buyer may redact or synthesize materials. | documented_internal | If PII is shared, buyer controls scope and retention. |
| No production access diagnostic path | Diagnostic uses buyer-selected redacted, synthetic, or bank-approved materials only. | documented_internal | Production access is out of scope for the diagnostic. |
| Data retention | Retention defined per engagement; diagnostic retains internal findings only. | documented_internal | Customer-data retention defined per engagement. |
| Security posture | Documented internal posture. Independent third-party security certification not yet obtained. | documented_internal | No third-party security attestation or external intrusion-testing report is available at this stage. |
| Subprocessor disclosure | Subprocessor list under counsel review. | pending_counsel | Final subprocessor disclosure pending counsel. |
No guarantee. CreditAxis does not guarantee compliance, audit, examiner, or regulator outcomes. CreditAxis does not replace loan origination or core systems. AI is assistive only. The diagnostic produces findings; outcomes depend on bank-specific facts, data quality, and follow-on action.