The TRAC document notes that “. . . attaining trusted status is not a one-time accomplishment—achieved and forgotten. To retain trusted status, a repository will need to undertake a regular cycle of audit and/or certification.” To that end CRL expects that in addition to acting to remedy the issues identified above HathiTrust will also make certain disclosures on a regular basis. CRL and HathiTrust have agreed that ongoing certification is contingent upon HathiTrust making the following disclosures every two years:

• An item- or volume-level listing of new content added to the repository since prior certification.  (Public disclosure through the current HathiFiles inventory would fulfill this requirement.)

• Description of any significant changes in repository system architecture or configurations, operating systems and/or critical software;

• New agreements and contracts with key depositors of content, content users, major funders or sources of revenue, and providers of critical repository services;

• New key policies regarding acquisition, management, and disposition of archived content and related files and metadata;

• Records of significant events (such as content migrations, system failures, loss or corruption of digital content)  and significant changes in the characteristics of digital content ingested since the most recent audit, such as server logs; and of significant events and changes in the operations of the repository.

• The most recent three years of financial statements for the repository organization or service unit. The financial statements should indicate the categories and, where appropriate, sources of revenue and the level of same; the functional allocation of expenses; and changes in the financial position of the organization supporting the service unit.

• Revenue and expense projections by function, for the repository organization or service unit, for the next three years.

Certification is also contingent upon HathiTrust’s agreement to a periodic, systematic sampling and inspection of the repository’s archived content by CRL, or by a third party designated by CRL, using either a manual or automated process as determined by mutual agreement between CRL and HathiTrust.