ISET
Vendor Due Diligence Documentation Pack

Fiduciary
VDD Pack

Issued by: Indigenous Sovereign Estate Trust · fiduciary.technology
Entity
Indigenous Sovereign Estate Trust
Trade name
ISET · fiduciary.technology
BIR TIN
683-706-670-000 ✓
OCN
098RC20260000001023
PPSR No.
2025-372919 (Juridical)
Protocol
ISP v1.0 · Post-quantum
FIDUCIARY
TECH
VDD
Prepared: May 2026
For: BSP Circular 1213
vendor procurement filing

Confidential — share only with
procurement and compliance teams
Section 01

Pack Contents

BIR registration credentials (TIN, OCN, tax types, RDO)§ 02
PPSR certificates (Juridical No. 2025-372919 + Individual No. 2025-334841)§ 02
Legal authority chain (Civil Code, RA 8792, RA 11057, RA 10173, UNDRIP)§ 03
Fiduciary Access Certificate (FAC) — specimen and legal basis§ 04
ISP v1.0 protocol summary — obligation mapping, ISP codes§ 05
Post-quantum post-quantum cryptography architecture brief§ 05
Due diligence checklist — 12 standard items with honest status§ 06
Technology risk examination alignment (10 BSP TRISD objectives)§ 07
Data Processing Addendum summary (RA 10173)§ 08
Master Service Agreement summary — available on request§ 08
Contact, escalation, and pre-production stress test details§ 09
Section 02

BIR Registration & PPSR Credentials

All credentials are live, BIR-scannable via Certificate of Registration QR code, and independently verifiable at the LRA PPSR registry and BIR EIS portal.

BIR Registration
EntityIndigenous Sovereign Estate Trust
Trade name: ISET
BIR TIN683-706-670-000✓ BIR
OCN098RC20260000001023
COR issued February 9, 2026
Taxpayer typeTrust — Filipino Citizen
PSIC64304 — Trust Corporation
Line of businessFor Fiduciary Purposes
RDO098 — West Misamis Oriental
TIN issuedSeptember 1, 2025
AddressB14 L26 Leicester Road, Hillsborough Pointe, Carmen 9000, Cagayan de Oro, Misamis Oriental
Tax typesVAT (2550Q) · Income Tax (1701/1701Q) · Withholding (0619E, 1601EQ)
PPSR Registration
Juridical entityNo. 2025-372919✓ LRA
Root signing authority
IndividualNo. 2025-334841✓ LRA
Legal basisRA 11057 §11 — priority from registration timestamp
VerificationLRA PPSR portal — independently verifiable
Crown authorityisp://crown/authority/v1.0
ProtocolISP v1.0 · 428 active codes
Signing standardPost-quantum · NIST FIPS 204
Proof of transactionFiduciary Access Certificate
Civil Code Arts. 1440–1457 · RA 8792 §7
Section 03

Legal Authority Chain

Fiduciary operates under a sovereign fiduciary chain grounded in Philippine statutory law and international indigenous rights instruments.

Civil Code Arts. 1440–1457Trust law — ISET operates as a Philippine trust entity. Establishes fiduciary obligations, trustee authority, and beneficiary rights.
RA 8792 §7Electronic Commerce Act — Fiduciary Access Certificates are valid electronic records admissible in court and BSP examination.
RA 11057 §11Personal Property Security Act — PPSR registration establishes legal priority of ISET's data estate interests.
RA 10173 §12Data Privacy Act — FPIC consent required before data processing. Satisfied by POST /v1/consent.
RA 12010 §6–7AFASA — §6 institutional liability controls; §7 audit trail requirement satisfied by GET /v1/audit/:id.
UNDRIP Arts. 3, 4, 19, 20Indigenous self-determination and sovereignty — foundational to ISP v1.0 protocol architecture and FPIC consent model.
Section 04

Fiduciary Access Certificate — Specimen

ISET issues a FAC for every compliance event. It is a trust instrument under Philippine Civil Code trust law, not a commercial sales invoice or BIR Official Receipt. Each FAC carries an Post-quantum signature and is permanently verifiable at fiduciary.technology/verify.

FIDUCIARY ACCESS CERTIFICATE Issuer: Indigenous Sovereign Estate Trust
BIR OCN: 098RC20260000001023
TIN: 683-706-670-000
PSIC: 64304 · For Fiduciary Purposes
PPSR: 2025-372919

FAC Ref: FAC-20260524-SPECIMEN
VID: FTV-2026-XXXXXXXX
Tier: Scale
Obligations: BSP C.1213 · 6 of 9

ISP Protocol: ISP v1.0
Crown ref: isp://crown/authority/v1.0

Signature: Post-quantum:3e8ab1f2...c904d7
Hash: sha3-256:7f3a...

Trust instrument · RA 8792 §7 · Not a BIR OR
2% EWT withheld by institution · BIR 2307
Legal basisCivil Code Arts. 1440–1457 (trust law) + RA 8792 §7 (electronic record)
Court-admissibleYes — Post-quantum signed, permanently resolvable, hash-chained
BIR OR?No. FAC is a trust instrument, not a commercial invoice. Institution withholds 2% EWT and issues BIR Form 2307 to ISET quarterly per RR 11-2018.
Verification URLfiduciary.technology/verify?id=[VID]
EWT mechanismInstitution withholds 2% · Issues BIR Form 2307 to ISET · Records FAC + 2307 as supporting documents
VAT treatmentISET files 2550Q quarterly. FAC subtotals are VAT-inclusive. TIN on every FAC enables BIR input VAT claim by institution.
Section 05

ISP v1.0 Protocol & Post-quantum Architecture

Every API response carries a machine-readable ISP code mapping the event to its regulatory obligation, plus an Post-quantum post-quantum signature.

ISP v1.0 Obligation Codes
023Phishing-resistant authentication · BSP Circular 1213 §4
260Payee / KYC verified · BSP Circular 1213 §4(2)
558Transaction risk scored · BSP Circular 1213 §3
006FPIC consent recorded · RA 10173 §12 / UNDRIP Art. 19
604Audit trail retrieved · AFASA §7 · RA 8792 §7
460Data breach notified · RA 10173 §30 · 72h NPC clock
Post-quantum · NIST FIPS 204
StandardNIST FIPS 204 — Module-Lattice-Based Digital Signature
Security levelNIST Security Level 3 — equivalent to AES-192
Quantum-resistantYes — secure against both classical and quantum attacks
Applied toEvery API response · Every audit record · Every FAC
Hash algorithmSHA3-256 — audit trail chain-of-custody hash
Authority URIisp://crown/authority/v1.0
Section 06

Due Diligence Checklist — Current Status

Honest status of each standard VDD item as of May 2026. Aspirational claims without evidence are omitted.

Active
BIR Registration
TIN 683-706-670-000 · OCN 098RC20260000001023 · BIR-scannable QR on COR. VAT, Income Tax, and Withholding Tax registered and current.
Active
PPSR Registration
PPSR No. 2025-372919 (Juridical) · No. 2025-334841 (Individual). LRA-registered. RA 11057 §11 priority. Independently verifiable.
Q2 2026
NPC Data Processing System Registration
RA 10173 §43 registration with the National Privacy Commission in progress. DPO designation concurrent.
Q2 2026
Data Privacy Officer Designation
RA 10173 §21 DPO designation and NPC registration in progress. Contact: privacy@fiduciary.technology
Q1 2027
ISO 27001 Certification
Readiness assessment Q3 2026. Certification engagement Q4 2026. Gap assessment available to production customers on request.
Q3 2026
SOC 2 Type I Attestation
Controls mapped to AICPA Trust Service Criteria. Attestation engagement initiated. Target Q3 2026.
Q2 2026
Penetration Testing
Third-party assessment scheduled Q2 2026 with credentialled security assessor. Report available to production customers under NDA.
Q2 2026
Cyber Insurance
Cyber and E&O policy application submitted. Underwriting in progress. Target ₱50M minimum coverage. Certificate available Q2 2026.
Documented
Business Continuity Plan
Cloudflare Workers global edge · 99.99% SLA. D1 edge-replicated. R2 with Object Lock for immutable audit records. RTO <15 min. RPO <1 min.
Active
Incident Response Plan
IRP with ISP 460 auto-trigger (72h NPC clock). Cloudflare security monitoring. Emergency: security@fiduciary.technology · 4h SLA.
Available
Data Processing Addendum
RA 10173-compliant DPA template available. Sub-processors: Cloudflare Inc. (infrastructure) · Resend Inc. (notifications), both under DPA obligations.
Available
Master Service Agreement
Standard MSA available on request. Negotiable for Enterprise tier. Includes SLA commitments, liability cap, data processing obligations, exit provisions.
Section 07

Technology Risk Examination Alignment

FidTech's architecture maps to BSP's Technology Risk and Innovation Supervision Department (TRISD) examination criteria.

Examination ObjectiveFidTech Architectural ResponseStatement
Zero trust architecturePost-quantum device-bound credential. Every API call verified independently. No implicit session trust.Zero trust identity on every call
Identity and access managementISP 023 + 155. Phishing-resistant passkey + device attestation + post-quantum signing.Aligned to BSP Circular 1213 §4
Data governance and classificationPPSR-registered data estates. FPIC consent scope defined per RA 10173 §12.PPSR-registered data classification
Third-party vendor riskSigned ISP code in every response constitutes per-call vendor risk evidence. This VDD pack.Vendor risk evidence in every response
Cloud / infrastructure architectureCloudflare Workers edge. Philippine data residency. D1 + R2 + KV at the edge.Edge-native, PH data residency
Audit and examination documentationGET /v1/audit/:id — ISP 604. Post-quantum signed. Permanently retrievable. RA 8792 §7.Examination-ready audit trail
Breach notificationPOST /v1/breach — ISP 460. 72h NPC clock. Automated 48h reminder. Free on all tiers.Automated breach notification
Account protection / fund holdPOST /v1/incident — ISP 461. AFASA §6 access suspension + §7 30-day fund hold. Post-quantum signed. Free on all tiers.Statutory protective hold · AFASA §6+§7
Data protectionSHA3-256 Consent Ledger. Post-quantum signatures. R2 Object Lock (immutable records).Tamper-evident immutable protection
Endpoint securityPost-quantum device-bound credential — the device is the cryptographic anchor for every call.Device-bound PQC credentials
Business continuityCloudflare global edge. Queued async processing survives node failures. No single point of failure.Distributed, no single point of failure
Section 08

Data Processing Addendum & MSA Summary

Data Processing Addendum (RA 10173)
BasisRA 10173 (DPA 2012) · NPC Circular 16-01
Data controllerThe institution (BSP-supervised entity)
Data processorISET / fiduciary.technology
Processing purposeBSP Circular 1213 compliance verification only
Sub-processorsCloudflare Inc. (infrastructure) · Resend Inc. (notifications)
Data residencyPhilippine data residency via Cloudflare PH edge
RetentionAudit records: permanent (RA 8792 §7 compliance). Transaction data: 90 days.
AvailabilityFull DPA template available on request at compliance@fiduciary.technology
Master Service Agreement
Standard MSAAvailable on request. Email compliance@fiduciary.technology with institution name.
SLA commitment99.9% uptime · 4h incident response · P1 escalation path
Liability cap12 months of fees paid — negotiable for Enterprise
IndemnificationMutual. IP infringement carved out.
Exit provisions30-day written notice. Full data export within 30 days of termination.
Governing lawRepublic of the Philippines · RTC jurisdiction
Negotiable?Yes for Enterprise tier. Standard template for Starter and Scale.
Section 09

Contacts & Escalation

General / procurementcompliance@fiduciary.technology
Security incidentssecurity@fiduciary.technology
4-hour response SLA · 72h NPC clock auto-triggered via POST /v1/breach
Data privacyprivacy@fiduciary.technology
DPO designation Q2 2026
BSP examination supportcompliance@fiduciary.technology
Audit trail retrieval assistance · GET /v1/audit/:id guidance · On-site support (Enterprise)
Pre-production stress test72-hour stress test key available · 10,000 calls/hour · Real Post-quantum signatures
Email compliance@fiduciary.technology with institution name and planned test date
Platform statusstatus.fiduciary.technology
Real-time endpoint health · Incident history
Verify this packfiduciary.technology/vdd
Live credentials page · BIR OCN and PPSR numbers always current