Methodology & trust

How a certificate field earns its place

This page explains the machinery behind the promises on the overview page: how provenance works, what we deliberately never do, how customer data is handled, and who reviews what. No hype - just the chain every value has to survive.

Provenance: field → source document → approver → immutable version → correction chain

Every value that matters on a certificate - a manufacture date, a lab report number, a rule citation - travels the same five-stage chain. A value that has not completed the chain is visibly unresolved; it cannot silently become part of the record.

1
Field. Each certificate data point is a named field on a versioned certificate family - never a loose spreadsheet cell. Fields start empty or flagged, and the queue shows exactly which fields still need evidence.
2
Source document. A field cannot be approved without a source document, and the link records the exact reference - document, page or cell, and timestamp. When two sources disagree (the classic: two manufacture dates), the contradiction blocks approval until a human resolves it with a recorded rationale.
3
Approver. A named person approves each field and each completed version. Internal review and your data approval are separate recorded events - so "who checked this, and when" always has an answer.
4
Immutable version. Once a certificate data version is completed, it is immutable. The packet your broker used stays exactly as approved. Export is not submission: only recorded external events (your broker's filing, a registry receipt) mark anything as filed.
5
Correction chain. When reality changes - a retest, a factory change, a corrected date - a new linked version is created with a recorded reason. The old version is preserved, the audit trail is append-only, and the five-year evidence bundle shows the whole history.

Why immutability matters: the version a shipment shipped under is a historical fact. A records program that can quietly rewrite history is not a records program - it is a liability with good formatting.

What we deliberately do not do

We do not replace the free CPSC Product Registry, do not file ACE/ABI entries, do not certify products, do not decide which rules apply to your product, and do not claim "Registry-ready" output until our export template is frozen against the current official CPSC template and passes validation. Certification and filing remain with you and your broker - we make the data you certify defensible.

This is the same boundary stated on the overview page, verbatim, because it does not change with the audience: applicability, testing sufficiency, and certification are decisions that belong to you and your qualified reviewer. We record those decisions; we never make them.

How customer data is handled

No consumer-AI processing

No customer data enters any consumer AI tool. If any model-assisted processing is used, it runs under commercial no-training terms - or not at all, at your election, recorded in the engagement terms.

Controls before any real data

Before any customer document enters the workspace, a binding checklist applies: contracts (NDA/DPA), written customer data authorization, a named reviewer with recorded scope, an approved commercial no-training AI path (or none), an isolated workspace, MFA, least-privilege access, encryption, access and audit records, malware scanning on upload, and backup/recovery.

Retention with a purpose

The evidence bundle and full version history are retained for the five-year records window behind each certificate family, and are exportable on demand - your evidence remains yours, in portable form, at any time.

Deletion, honestly stated

At the end of an engagement, data is exported to you and deleted on request under the agreed retention/deletion procedure. One honest caveat: an active retention obligation or legal hold blocks deletion until it lapses - and that block is itself recorded, not silent.

The review model: qualified people, recorded decisions

Software surfaces problems; it never decides them. Every material decision passes through a person whose qualification and reasoning are on the record.

ElementHow it works
Qualified reviewerMaterial approvals reference an active qualification covering the module - "someone looked at it" is never anonymous or unqualified.
Recorded decisionsWho decided, what they decided, the basis, and the date - captured for every resolution, approval, and correction, in an append-only audit log.
Separation of eventsInternal review and your data approval are separate recorded events on every certificate version - two signatures, two timestamps, never merged.
Blocking checksA field with no source document, or with an unresolved contradiction, cannot be approved. The queue is worked to zero with you; nothing is waved through.
Your decisions stay yoursApplicability, testing sufficiency, and certification are decisions you make with your qualified reviewer. We record the decision and its basis - we never compute it.

Frequently asked questions

Is CPSC eFiling actually mandatory now?

Yes - eFiling became mandatory for covered imports on July 8, 2026, with applicability for imports from foreign-trade zones (FTZs) beginning January 8, 2027 (Federal Register correction). Regulatory state drifts - verify at the official CPSC eFiling hub before relying on any date here.

Do you file the certificate for us?

No. The CPSC Product Registry is free and supports individual entry, CSV upload, and API; your broker files the ACE PGA Reference message using your Certifier, Product, and Version IDs. We prepare the broker-ready packet and the Registry workpaper - the filing step remains with you and your broker.

Do you certify products or decide which rules apply?

No. We do not certify products and do not decide which rules apply to your product. Applicability, testing sufficiency, and certification are yours and your qualified reviewer's; we record those decisions with their basis and date.

Can a completed certificate version be edited?

No. Completed versions are immutable. Corrections create new linked versions with recorded reasons, so the version your broker filed against stays exactly as approved and the correction history is visible end to end.

Where does each certificate field come from?

Every field links to a source document, the exact page or cell reference, the approver, and a timestamp. Contradictions and missing citations are flagged in a queue and resolved by a human with a recorded rationale - the software never decides applicability.

What do you retain, and can it be deleted?

We retain the full evidence bundle and version history for the five-year records window, exportable on demand. At engagement end, data is exported to you and deleted on request under the agreed retention/deletion procedure; an active retention obligation or legal hold blocks deletion until it lapses.

Is my data used to train AI models?

No customer data enters any consumer AI tool. Any model-assisted processing runs under commercial no-training terms - or not at all, at your election.

What does the free health check do with what I enter?

Nothing leaves your browser. The 2-minute Certificate Data Health Check runs entirely client-side - nothing is uploaded, nothing to install, and closing the tab discards everything, including any CSV you paste for the completeness check.

Dates referenced: mandatory eFiling Jul 8, 2026 and FTZ applicability Jan 8, 2027 per the Federal Register correction; program details per CPSC eFiling for importers and for brokers. Verify against the official source before relying on any date here.