---
title: "ARCS Attestation Template"
---

# ARCS Attestation Template

**Standard:** Automated Record Custody Standard (ARCS) v1.0

**Purpose:** This template documents implementation status for ARCS controls within a defined deployment scope. It may be used for self-attestation, internal audit, or third-party assessment. It does not replace supporting documentation. Where conformance is declared, relevant documentation should be available for review on request.

---

## Section 1: Purpose and use

This template is used to document conformance status against ARCS for a defined deployment scope. It supports the following assessment types:

- **Self-attestation** -- conformance declared by the operator on the basis of internal review
- **Internal audit** -- conformance assessed by an internal function independent of the assessed deployment
- **Third-party assessment** -- conformance assessed by an independent external assessor

All sections should be completed. Each control family should be marked as **Implemented**, **Partial**, **Not Implemented**, or **Not Applicable**. Where a family is marked Partial or Not Implemented, the relevant gap should be identified in the notes field. Where a family is marked Not Applicable, the basis for that determination should be documented.

---

## Section 2: System Identification

| Field | Value |
|-------|-------|
| System name | |
| Operator / deploying entity | |
| Legal entity | |
| Deployment description | |
| Deployment mode(s) | |
| System version / configuration identifier | |
| Date of this attestation | |
| Previous attestation date (if any) | |

---

## Section 3: Scope of Attestation

| Field | Value |
|-------|-------|
| Systems in scope | |
| Systems explicitly excluded (with justification) | |
| Vendors / custodians in scope | |
| Vendors explicitly excluded | |
| Scoped conformance level declared | |
| Is this organization-wide? (Yes / Scoped) | |

---

## Section 4: ARCS-LIF -- Record Lifecycle Controls (13 controls)

Status options: **Implemented / Partial / Not Implemented / Not Applicable**

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| LIF-01 | Default retention posture defined per record category | | |
| LIF-02 | Preservation triggers defined | | |
| LIF-03 | Preservation scope defined | | |
| LIF-04 | Deletion suspended upon preservation trigger | | |
| LIF-05 | User-visible deletion distinguished from backend retention | | |
| LIF-06 | Multi-vendor preservation procedure defined | | |
| LIF-07 | Exit from preservation posture defined | | |
| LIF-08 | Lifecycle disclosure available | | |
| LIF-09 | Non-creation controls defined where applicable | | |
| LIF-10 | Per-artifact retention classification for agentic sessions | | |
| LIF-11 | Governed persistence defined where applicable | | |
| LIF-12 | Vendor deletion verifiability documented | | |
| LIF-13 | Architecturally precluded deletion documented | | |

---

## Section 5: ARCS-CUS -- Custody Surface Controls (12 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| CUS-01 | Custody surface defined across all layers | | |
| CUS-02 | Custodians identified | | |
| CUS-03 | Record locations mapped | | |
| CUS-04 | Multi-vendor propagation defined | | |
| CUS-05 | Vendor retention disclosed | | |
| CUS-06 | Custody surface defined during preservation | | |
| CUS-07 | Derived artifact custody governed | | |
| CUS-08 | Backup and archive custody governed | | |
| CUS-09 | Custody surface disclosure available | | |
| CUS-10 | Delegation chain custody fragmentation assessed | | |
| CUS-11 | Authorization-gap custody mapped | | |
| CUS-12 | Vendor governance declarations obtained | | |

---

## Section 6: ARCS-TAX -- Record Taxonomy Controls (11 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| TAX-01 | All required record categories defined | | |
| TAX-02 | Deliberative records classified | | |
| TAX-03 | Exported outputs classified | | |
| TAX-04 | Telemetry classified | | |
| TAX-05 | System logs classified | | |
| TAX-06 | Safety and review records classified | | |
| TAX-07 | Derived artifacts classified | | |
| TAX-08 | Metadata classified | | |
| TAX-09 | Lifecycle rules defined per category | | |
| TAX-10 | Taxonomy documentation available | | |
| TAX-11 | Agent runtime artifact sub-classification applied | | |

---

## Section 7: ARCS-OPB -- Operator Boundary Controls (5 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| OPB-01 | Operator boundary defined | | |
| OPB-02 | In-scope systems listed | | |
| OPB-03 | Vendor inclusion rule defined | | |
| OPB-04 | Out-of-scope systems documented | | |
| OPB-05 | Boundary change procedure defined | | |

---

## Section 8: ARCS-PUB -- Publish Boundary Controls (6 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| PUB-01 | Publish boundary defined | | |
| PUB-02 | Exported output classification defined | | |
| PUB-03 | Post-publish retention documented | | |
| PUB-04 | Preservation at publish boundary defined | | |
| PUB-05 | API propagation governed | | |
| PUB-06 | Publish events and recipients documented | | |

---

## Section 9: ARCS-PV -- Preservation and Legal Hold Controls (7 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| PV-01 | Preservation trigger defined | | |
| PV-02 | Legal hold process defined | | |
| PV-03 | Preservation overrides deletion | | |
| PV-04 | Preservation responsibility identified | | |
| PV-05 | Multi-vendor preservation defined | | |
| PV-06 | Exit from preservation posture defined | | |
| PV-07 | Multi-vendor preservation communication documented | | |

---

## Section 10: ARCS-VER -- Verification and Audit Controls (7 controls)

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| VER-01 | Documentation current | | |
| VER-02 | Internal verification completed | | |
| VER-03 | Vendor verification obtained | | |
| VER-04 | Preservation verification completed | | |
| VER-05 | Documentation available for audit | | |
| VER-06 | Attestation available | | |
| VER-07 | Cross-vendor traceability documented | | |

---

## Section 11: ARCS-NCR -- Non-Creation Controls (6 controls)

Complete this section only where non-creation or non-retention is claimed. Otherwise, mark the section Not Applicable.

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| NCR-01 | Non-creation declaration documented | | |
| NCR-02 | Memory-only processing documented | | |
| NCR-03 | Non-retention declaration documented | | |
| NCR-04 | Preservation posture interaction defined | | |
| NCR-05 | Non-creation documentation available | | |
| NCR-06 | Publish boundary lifecycle verification documented | | |

**Section 11 applicability:** ☐ Not Applicable -- deployment does not claim non-creation or non-retention

---

## Section 12: ARCS-AGT -- Agent Runtime Controls (13 controls)

Complete this section where the deployment involves multi-step execution, tool invocation, or intra-session state. If the section is not applicable, document the basis below.

**Section 12 applicability:**
☐ Applicable -- system operates across multiple steps, invokes external tools, or maintains session state
☐ Not Applicable -- system processes only single request-response interactions with no intermediate state

If not applicable, reason: _______________

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| AGT-01 | Agent runtime artifact classes identified and classified | | |
| AGT-02 | Content-telemetry separation applied | | |
| AGT-03 | Session scope defined | | |
| AGT-04 | Planning traces classified as ephemeral by default | | |
| AGT-05 | Tool call metadata and content governed separately | | |
| AGT-06 | Intermediate results classified as ephemeral by default | | |
| AGT-07 | Error recovery artifacts classified as deliberative | | |
| AGT-08 | Security-sensitive tool outputs decomposed | | |
| AGT-09 | Vendor retention disclosed for all tool integrations | | |
| AGT-10 | Preservation posture covers all agent runtime storage locations | | |
| AGT-11 | Session receipt identifies scope, artifact classes, and retention classes | | |
| AGT-12 | Undifferentiated security-relevant content documented | | |
| AGT-13 | Lifecycle boundary identification documented | | |

---

## Section 13: ARCS-DEL -- Delegation and Memory Controls (12 controls)

Complete this section where the deployment involves persistent memory, delegated authority, or autonomous execution. If the section is not applicable, document the basis below.

**Section 13 applicability:**
☐ Applicable -- system maintains memory across sessions, operates with delegated authority, or executes autonomous sequences
☐ Not Applicable -- system has no persistent memory, no delegation chains, and no autonomous execution

If not applicable, reason: _______________

| Control | Description | Status | Notes |
|---------|-------------|--------|-------|
| DEL-01 | Persistent memory, delegation, and autonomous execution conditions identified | | |
| DEL-02 | Governed-persistence classification applied to cross-session memory stores | | |
| DEL-03 | Automatic purge schedule in place for governed-persistence stores | | |
| DEL-04 | Preservation suspension for governed-persistence stores on hold trigger | | |
| DEL-05 | Delegation artifacts classified as deliberative | | |
| DEL-06 | Delegation scope documented per agent or agent class | | |
| DEL-07 | Governance posture defined for autonomous execution sequences | | |
| DEL-08 | Custody surface extended to cover memory stores, delegation artifacts, execution records | | |
| DEL-09 | Vendor retention of agent memory and execution records disclosed | | |
| DEL-10 | Preservation posture covers governed-persistence memory and execution records | | |
| DEL-11 | Attestation identifies memory use, delegation, autonomous execution, purge schedules, vendor holdings | | |
| DEL-12 | Emergent autonomous execution documentation | | |

---

## Section 14: Exceptions and Compensating Controls

| Exception | Affected Control(s) | Justification | Compensating Control |
|-----------|---------------------|---------------|----------------------|
| | | | |

---

## Section 15: Attestation Statement and Authorized Signature

| Field | Value |
|-------|-------|
| Declared conformance profile | ☐ Foundation  ☐ Minimum  ☐ Enterprise  ☐ Partial |
| Declared maturity level (if applicable) | |
| Assessment type | ☐ Self-attestation  ☐ Internal audit  ☐ Third-party assessment |
| Record surface map version and date | |
| Custody surface map version and date | |
| Configuration matrix version and date | |
| Routing table version and date | |
| Preservation posture documented | ☐ Yes  ☐ No |
| Unknown surfaces identified | ☐ Yes  ☐ No  ☐ None |
| Custody fragmentation present | ☐ Yes  ☐ No |
| Agent runtime in scope (AGT) | ☐ Yes  ☐ Not applicable |
| Delegation/memory in scope (DEL) | ☐ Yes  ☐ Not applicable |
| Non-creation claimed (NCR) | ☐ Yes  ☐ Not applicable |

**Declaration:** The undersigned attests that this assessment was performed with reference to ARCS v1.0 (Automated Record Custody Standard), as published by Vega Commons Project, Inc., and that the information provided in this attestation is accurate to the best of the undersigned's knowledge and authority.

Signature: _________________________ Date: _____________

Name: _____________________________

Title: _____________________________

Organization: ______________________