The criteria under which we would shut this product down.

Indirect rate engine error rate

ThresholdIf a sustained error rate above 0.5 percent of computed rates is observed in any calendar quarter (computed against ASBCA test fixtures plus customer-reported variances), we pull the engine and revert to the prior approved version while the regression is investigated.

WhyThe indirect rate engine is the load-bearing computation. A wrong rate that propagates into a customer's CPA-issued rate letter is a real-money harm to the customer and a structural trust failure for us.

Consistency rule false-positive rate

ThresholdIf sustained false-positive rate exceeds 20 percent on any consistency rule across the active customer base in a calendar quarter, we sunset that specific rule until the underlying logic is corrected. The rule does not silently degrade to a warning; it is removed from the engine.

WhyA consistency rule that fires more wrong than right pulls customer attention into manufactured findings and discredits the real ones. Over time, that degrades the trust contract a customer has with the engine.

WH-347 generation correctness

ThresholdAny single confirmed instance of a generated WH-347 form with rate or hours data that does not reconcile to the underlying time entries triggers a Sev 1 incident. Three confirmed instances in a calendar year sunset the certified-payroll feature pending an external review of the generation pipeline.

WhyWH-347 is a federally-required form. A form that misrepresents the underlying labor data exposes the customer to Davis-Bacon Act enforcement risk. Our error becomes their liability.

Regulatory change response window

ThresholdIf a material regulatory change (FAR amendment, DCAA guidance shift, DOL Davis-Bacon update, FAR Part 31.2 revision) requires a product change to remain compliant, we either ship the change within 90 days of effective date or sunset operations in the affected scope.

WhyCompliance products that lag regulation become legal liabilities for the customer. Faster than 90 days is fine. Slower is not.

DSAR and audit-evidence access

ThresholdIf we cannot fulfill a verified data subject access or deletion request within 30 days, or if we cannot produce audit-evidence access for a DCAA contract auditor within 5 business days of a verified request, we publicly disclose the failure and engage outside counsel.

WhyFederal contractors live under DCAA scrutiny. A FieldLedger that cannot promptly produce evidence under audit is worse than no FieldLedger; the customer is in the position of explaining why their tooling cannot support the audit they are inside.

Audit log integrity

ThresholdAny single confirmed instance of audit log mutation (deletion of a row, alteration of an old or new value, gap in the append-only sequence) triggers a Sev 1 incident with direct customer notice. Two confirmed instances in a calendar year sunset the product.

WhyThe audit log is the load-bearing structural commitment of the trust posture. If the audit log can be tampered with, every other commitment becomes unverifiable.

Customer-reported integrity concerns

ThresholdIf customer-reported integrity concerns exceed 10 percent of the active customer base in a single quarter, we trigger an external review. If the external review confirms a structural integrity problem, we sunset the affected feature or the product as warranted by the finding.

WhyDCAA-adjacent customers are sophisticated. When they raise concerns at scale, the data is more reliable than internal self-assessment.

Annual third-party audit findings

ThresholdAny finding from the annual independent third-party audit that is not resolved or formally accepted with mitigation within 180 days triggers public disclosure. Critical findings unresolved at 365 days sunset the affected pipeline.

WhyThe annual audit is the structural commitment that ties our revenue to the quality of our work. Letting findings rot is the failure pattern.

Pricing-rigor breach

ThresholdIf commercial pressure ever requires shipping under terms that violate the Trust Principles ('we issue the cert,' AI without review gates, customer attestation as DCAA-relevant proof), we sunset rather than ship. We do not amend the Trust Principles to enable a deal.

WhyThe Trust Principles are constraints, not goals. Loosening them to close revenue is the failure pattern this whole framework defends against.

Capacity overrun

ThresholdIf we onboard customers faster than we can meet the published response SLAs (privacy email, AUP enforcement, incident response, audit-evidence access), we pause new-customer onboarding until staffing catches up.

WhyThe SLAs are commitments, not aspirations. Breaking them quietly because we are growing is the volume-business failure mode.