The Clause5afe Public Registry will be the canonical, public record of every organization holding active certification under the Clause 5® Framework. Independent verification means nothing if the credential cannot be checked.
A certificate that cannot be independently verified is not a certificate — it’s a marketing claim. The Registry exists because every serious certification authority maintains one.
Anyone — a regulator, an underwriter, an enterprise buyer, a journalist — can independently confirm whether an organization holds active certification. Without verification, certification is just a claim.
Each registry entry is anchored to the audit findings that produced it. Certifications cannot be altered, antedated, or quietly removed. Revocations are recorded, not erased.
Each entry specifies the exact frameworks covered, the certification scope (organization-level, system-level, or product-level), the issue date, and the valid-through date. No ambiguity about what was actually certified.
If an organization loses its certification due to material non-conformity or scope drift, the revocation is published. Public accountability runs both directions — a credential that cannot be lost is not a credential.
Registry goes live the moment the first organization completes certification. Manual verification, basic search, organization-name lookup. Simple, defensible, and complete from day one.
Public API for procurement systems, insurance underwriting platforms, and enterprise GRC tools to verify certification status programmatically. Webhook notifications for status changes.
Cryptographically signed certification credentials, tamper-evident audit trails, alignment with W3C Verifiable Credentials specifications. Optional integration with enterprise identity systems.
Where appropriate, registry data structured for interoperability with national accreditation bodies, EU AI Act notifying authorities, and adjacent industry registries. Independence preserved; interoperability earned, not granted.