# CapitalGuard Fulfillment SLA

This launch SLA defines how CapitalGuard handles paid license delivery while automation is being completed.

## Immediate Delivery

After payment, the buyer receives access to:

- Delivery vault
- Commercial license summary
- License certificate
- Secure scan intake
- AI-agent policy starter
- Safe-use guide
- Delivery checklist

## Manual License Issuance

During the launch phase, CapitalGuard verifies the Stripe payment before issuing a private license key. The plaintext key
is sent once to the purchase email. Only the license-key hash should be stored in operational records.

## Scan Start Criteria

CapitalGuard starts scan work only after:

- Payment is successful.
- License key is issued or matched.
- Purchase email is confirmed.
- Repository ownership or written authorization is confirmed.
- Scope is clear enough to avoid scanning unrelated systems.

## Report Standard

Each material finding should include:

- Severity
- Affected file or path
- Why it matters
- How an AI agent could expose it
- Business impact
- Preventive control
- Confidence level

Raw secret values must stay redacted in reports, exports, emails, support replies, logs, and screenshots.

## Launch Fulfillment Targets

- License issue target: same business day after verified payment.
- Intake review target: within 1 business day after authorized scope is submitted.
- First report target: aligned to purchased tier and repository size after scope is approved.
- Protect monitoring target: begins after the first authorized baseline scan.

## Security Handling

CapitalGuard should use least-privilege access, time-bound access, redaction, and approved scope boundaries. Repository
materials should not be retained longer than needed for the purchased service unless monitoring is enabled or the buyer
requests ongoing retention.

## Buyer Delays

Fulfillment timing depends on buyer response time, repository access, scope clarity, written authorization, and payment
status.
