Inputs-checklist - Mercury Security

Mercury Security

Inputs Checklist for 4-Week Audit → Governance Sprint
(v1.0, 2025)

The 4-Week Sprint is a fixed-scope engagement. To begin, we require specific inputs from your team. This checklist ensures we have everything needed to deliver your Audit Report, Evidence Pack, and Board Roadmap on time.

1. System & Environment Access

Input	Required?	Notes
Read-only access to AI agent or system	Yes	API key, test user account, or equivalent. Required for sampling and logging.
Connector / integration scopes	Yes	Up to 2 connectors (CRM, calendar, knowledge base, etc.). We need read-only or sandbox access.
Environment selection	Yes	Define whether the audit is against production or sandbox. For “small scope,” one environment only.

2. Logs & Data Samples

Input	Required?	Notes
Conversation / interaction logs	Yes	At least 200 anonymized interactions from the past 30 days. Formats: CSV, JSON, or export from platform.
System event logs	Optional	Authentication, role access, error logs if available. Strengthens evidence pack.
Seeded test cases	Optional	If you already run test scripts, please provide. Otherwise, Mercury will generate.

3. Policies & Notices

Input	Required?	Notes
Purpose & scope statement	Yes	Internal description of what the system is used for, who it serves, and out-of-scope declarations.
User-facing notices	Yes	Consent language, disclaimers, or info banners shown to end-users.
Existing governance docs	Optional	DPIAs, security policies, incident response playbooks. Used for cross-validation.

4. Roles & Contacts

Input	Required?	Notes
Named product/data owner	Yes	The accountable internal lead for this AI system.
Compliance / legal contact	Yes	Point of contact for GDPR/AI Act questions.
IT / security contact	Yes	Point of contact for identity, RBAC, and log integrity.
Support / ops contact	Optional	Useful if AI agent is customer-facing.

5. Submission

All inputs are uploaded to Mercury’s secure client portal:
https://mercurysecurity.io/secure-upload
Please submit within 5 business days of kickoff. The Sprint clock begins only after complete inputs are received.
Sensitive data should be anonymized or redacted prior to upload. Mercury can assist with redaction patterns if needed.

6. Support

If you have questions on any item in this checklist, see the Inputs FAQ at:
https://mercurysecurity.io/docs/inputs-faq
or contact us at support@mercurysecurity.io.

✅ With these inputs in place, Mercury commits to delivering your Sprint outcomes in 20 business days.