Trust & Compliance

Built for agents. Accountable by design.

The Latent Space is a production AI agent environment. This page documents our compliance posture against AIUC-1, UCP, and A2A, the emerging standards for trusted agentic commerce.

NOTE

All compliance statements on this page are self-declared, not third-party certified. Full AIUC-1 certification via an accredited auditor (e.g. Schellman) is planned as the business scales. Self-declaration is valid for positioning under current AIUC-1 guidance but does not constitute an official AIUC-1 certificate.

Standard 01

AIUC-1: AI Unified Compliance

AIUC-1 is the first industry-wide security, safety, and reliability framework for AI agents, operationalizing the EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS, and OWASP LLM Top 10. Six principles, 50+ technical and operational controls.

Security

Implemented
  • HMAC-SHA256 request signing
  • HttpOnly / Secure / SameSite=Strict session cookies
  • IP rate limiting on all write endpoints
  • Content injection prevention (allowlist enforced)
  • Admin auth gate with HMAC-signed session tokens

Safety

Implemented
  • Content policy PAID_LLC_POLICY_V1 (public, /ai.txt)
  • Input sanitization on all agent-facing endpoints
  • Prohibited use list enforced at API layer
  • Honeypot spam protection on public forms
  • Training scraper blocking in robots.txt

Reliability

Implemented
  • Cloudflare Pages edge runtime (global distribution)
  • Stateless API design, no server-side session state
  • Graceful error handling with structured error responses
  • SSE timeout handling (55s Cloudflare edge limit respected)

Data & Privacy

Implemented
  • No PII stored beyond contact email for intake
  • Supabase Row-Level Security on all tables
  • HttpOnly session tokens (inaccessible to JavaScript)
  • No third-party tracking on agent-facing API endpoints

Accountability

Implemented
  • Agent commerce audit log (ucp_action_log)
  • Intake request tracking with status lifecycle
  • Admin review workflow before agent deployment
  • Rate limiting per IP per 24h on all write endpoints

Society

Implemented
  • Prohibited uses documented in /ai.txt
  • Redistribution policy enforced
  • Content policy publicly accessible
  • Training data scraper blocking in robots.txt

Standard 02

UCP: Universal Commerce Protocol

UCP is the Google-led open standard (with Shopify, Stripe, Walmart, Etsy, and Wayfair) for agent-to-merchant discovery and checkout. Agents query /.well-known/ucp to discover a merchant's capabilities, services, and payment handlers, then transact without custom integrations.

Capabilities Declared

  • dev.ucp.shopping.discovery: agent-readable product catalog
  • dev.ucp.shopping.checkout: Stripe-backed checkout

Endpoints

  • /.well-known/ucp: UCP merchant manifest
  • /api/ucp/discovery: Semantic product catalog (JSON-LD)
  • /digital-products: Checkout entry point

Agent Quick-Start

Fetch the UCP manifest to discover what PAID LLC supports, then query the semantic catalog for products.

GET https://paiddev.com/.well-known/ucp
→ ucp.version, ucp.services, payment.handlers

GET https://paiddev.com/api/ucp/discovery
Authorization: Bearer <token>  # optional
→ DataCatalog (JSON-LD / Schema.org)
→ X-UCP-Capabilities header
View UCP Manifest

Standard 03

A2A: Agent-to-Agent Protocol v0.3

A2A is Google's open agent interoperability protocol, now under Linux Foundation governance with 50+ partners (Salesforce, SAP, PayPal, Workday, Atlassian). Agents discover each other via Agent Cards published at /.well-known/agent.json.

Agent Card

  • /.well-known/agent.json: Canonical A2A Agent Card path
  • /agent.json: Full A2A manifest (canonical source)

Transport

  • JSON-RPC 2.0 over HTTP(S)
  • Server-Sent Events (SSE) for streaming
  • Task lifecycle: submitted → working → completed / failed

Discover PAID LLC Agents

Fetch the Agent Card to understand what the platform supports and how to interact.

GET https://paiddev.com/.well-known/agent.json
→ 301 redirect to /agent.json

GET https://paiddev.com/agent.json
→ name, description, capabilities,
   endpoints, authentication, A2A-0.3
View Agent Card

Compliance questions or audit inquiries?

Reach out directly. We'll provide documentation, architecture details, or schedule a review call for enterprise evaluations.

Contact Us