EXHIBIT M · MATURITY MANIFEST

Pilot maturity, not production maturity (yet).

Vera is in pilot deployment with our first design partner. Here's the honest state of every system, and what it takes to reach production-grade.

This page is the proactive companion to our public collateral. Most early-stage compliance vendors overclaim. We'd rather you ask sharp questions on day one.

§ 01 · THE THREE TIERS

TIER · PILOT-GRADE

Pilot-grade

Ships today. Tested in design-partner staging, behavior known. Suitable for non-critical AI workflows and for design partners aligned on the maturity tradeoffs.

TIER · PRODUCTION-GRADE

Production-grade

Survives a real audit. Tested under load. All known failure modes have explicit handling. Suitable for regulated production deployments.

TIER · ENTERPRISE-GRADE

Enterprise-grade

Survives a security review at a Fortune 500. SSO, SOC 2 Type II, BAA-by-default, dedicated infra. Not on the 6-month roadmap.

§ 02 · SYSTEM BY SYSTEM

Every row is something that runs in pilot today or sits on the roadmap. The right column describes the engineering and process work between now and the production-grade tier above — not a marketing promise.

Vera systems by current maturity tier and what production-grade requires.
| SYSTEM | CURRENT TIER | PRODUCTION-GRADE REQUIRES |
| --- | --- | --- |
| Cryptographic audit chain: SHA-256 hash chain, KMS-signed exports | PILOT: Pilot-grade | Independent legal opinion on FRE 901/902 admissibility (Q3 2026); third-party verification tool. |
| HITL approval workflow: Clerk-RBAC; audit-of-audit on every approval | PILOT: Pilot-grade | SLA on approver response times; mobile push notifications; escalation policies. |
| PHI redaction: Redactor.medtech() + schema-driven mode | PILOT: Pilot-grade | Customer-specific schema validation tooling; full FHIR resource-type coverage; quarterly red-team review. |
| Durable encrypted spool: AES-256-GCM + SQLite WAL on the SDK side | PILOT: Pilot-grade | Multi-region replication; per-tenant key rotation tooling; documented RPO/RTO. |
| Policy engine: Guardrails (alerting rules) only | PILOT · PARTIAL: Guardrails only | Customer-defined DSL for policy rules; policy versioning and rollback; dry-run mode. |
| Authentication: Clerk JWT for dashboard; API keys for SDK | PILOT: Pilot-grade | Enterprise SSO (SAML, OIDC, SCIM); IP allowlisting; org-scoped API keys with rotation policy. |
| Clerk role-drift reconciler: Svix-verified webhooks + periodic re-fetch fallback | PILOT: Webhook-driven + periodic re-fetch fallback | SLA on webhook delivery; reconciliation worker for missed events; per-org audit dashboard of role drift events. |
| SDK fork safety: gunicorn, Celery, multiprocessing.Pool | PILOT: Tested for fork | Full spawn/forkserver support; managed connection pool; Windows process model support. |
| Compliance evidence export: PDF + CSV export of signed audit chain | PILOT: Available; not third-party audited | Third-party audit of export shape; templated per-jurisdiction (EU AI Act Art. 13 vs. ISO 42001 vs. HIPAA). |
| Insurance underwriting data feed: Continuous telemetry for underwriters | ROADMAP: Roadmap (Act 2 vision) | 6+ months of runtime telemetry across regulated verticals; partnership with a licensed carrier. |

§ 03 · WHY WE PUBLISH THIS

Most early-stage compliance vendors overclaim. We've seen the failure mode: a buyer asks a sharp question in week 2 of a pilot, the vendor doesn't have an answer, the deal stalls.

We'd rather lose deals at week 1 to honesty than lose them at week 6 to surprises. If the gap between pilot-grade and your needs is too wide, we'll say so. If it's bridgeable on a known timeline, this page tells you when.

The pilot-grade items above are real product today. The production-grade column is real engineering work we know how to do, sequenced by customer demand. Email us if your use case demands a tier we haven't shipped yet — we'll tell you straight.

hello@usevera.xyz