Methodology & trust
This page explains the machinery behind the promises on the overview page: how provenance works, what we deliberately never do, how customer data is handled, and who reviews what. No hype - just the chain every value has to survive.
Every value that matters on a certificate - a manufacture date, a lab report number, a rule citation - travels the same five-stage chain. A value that has not completed the chain is visibly unresolved; it cannot silently become part of the record.
Why immutability matters: the version a shipment shipped under is a historical fact. A records program that can quietly rewrite history is not a records program - it is a liability with good formatting.
This is the same boundary stated on the overview page, verbatim, because it does not change with the audience: applicability, testing sufficiency, and certification are decisions that belong to you and your qualified reviewer. We record those decisions; we never make them.
No customer data enters any consumer AI tool. If any model-assisted processing is used, it runs under commercial no-training terms - or not at all, at your election, recorded in the engagement terms.
Before any customer document enters the workspace, a binding checklist applies: contracts (NDA/DPA), written customer data authorization, a named reviewer with recorded scope, an approved commercial no-training AI path (or none), an isolated workspace, MFA, least-privilege access, encryption, access and audit records, malware scanning on upload, and backup/recovery.
The evidence bundle and full version history are retained for the five-year records window behind each certificate family, and are exportable on demand - your evidence remains yours, in portable form, at any time.
At the end of an engagement, data is exported to you and deleted on request under the agreed retention/deletion procedure. One honest caveat: an active retention obligation or legal hold blocks deletion until it lapses - and that block is itself recorded, not silent.
Software surfaces problems; it never decides them. Every material decision passes through a person whose qualification and reasoning are on the record.
| Element | How it works |
|---|---|
| Qualified reviewer | Material approvals reference an active qualification covering the module - "someone looked at it" is never anonymous or unqualified. |
| Recorded decisions | Who decided, what they decided, the basis, and the date - captured for every resolution, approval, and correction, in an append-only audit log. |
| Separation of events | Internal review and your data approval are separate recorded events on every certificate version - two signatures, two timestamps, never merged. |
| Blocking checks | A field with no source document, or with an unresolved contradiction, cannot be approved. The queue is worked to zero with you; nothing is waved through. |
| Your decisions stay yours | Applicability, testing sufficiency, and certification are decisions you make with your qualified reviewer. We record the decision and its basis - we never compute it. |
Yes - eFiling became mandatory for covered imports on July 8, 2026, with applicability for imports from foreign-trade zones (FTZs) beginning January 8, 2027 (Federal Register correction). Regulatory state drifts - verify at the official CPSC eFiling hub before relying on any date here.
No. The CPSC Product Registry is free and supports individual entry, CSV upload, and API; your broker files the ACE PGA Reference message using your Certifier, Product, and Version IDs. We prepare the broker-ready packet and the Registry workpaper - the filing step remains with you and your broker.
No. We do not certify products and do not decide which rules apply to your product. Applicability, testing sufficiency, and certification are yours and your qualified reviewer's; we record those decisions with their basis and date.
No. Completed versions are immutable. Corrections create new linked versions with recorded reasons, so the version your broker filed against stays exactly as approved and the correction history is visible end to end.
Every field links to a source document, the exact page or cell reference, the approver, and a timestamp. Contradictions and missing citations are flagged in a queue and resolved by a human with a recorded rationale - the software never decides applicability.
We retain the full evidence bundle and version history for the five-year records window, exportable on demand. At engagement end, data is exported to you and deleted on request under the agreed retention/deletion procedure; an active retention obligation or legal hold blocks deletion until it lapses.
No customer data enters any consumer AI tool. Any model-assisted processing runs under commercial no-training terms - or not at all, at your election.
Nothing leaves your browser. The 2-minute Certificate Data Health Check runs entirely client-side - nothing is uploaded, nothing to install, and closing the tab discards everything, including any CSV you paste for the completeness check.
Dates referenced: mandatory eFiling Jul 8, 2026 and FTZ applicability Jan 8, 2027 per the Federal Register correction; program details per CPSC eFiling for importers and for brokers. Verify against the official source before relying on any date here.