Organisation Assurance Policy is now full POLICY. Various Subsidiary Policies for different countries are in progress or DRAFT. Without a Subsidiary Policy covering the form of entity, OA is not available. The organisation assurance process is based on a package of documentation and other indicators that is prepared by the organisation, one external Assurer reviewing the organisation and documentation from the outside, relationship, one inside and one outside, and one Assurers working for the organisation to manage the relationship on the inside. Both Assurers and the organisation sign off on the application. CAcert makes no distinction between commercial and non-commercial. All are members to CAcert and therefore "within jurisdiction." The question of "permitted to operate in location" is considered covered by the Subsidiary Policy's orientation to the specific form of entity. Review in this area is a lower priority than individual assurance and Assurers. Or at least, there is a heavy dependency on the assurance process. External parties may feel that "commercial" certificates are more sensitive, but R/L/O has substantially controlled that issue. Audit on OAP has been halted as of late 2008 due to failure to address questions, as listed wip OAP Criticisms. Likely this will require a review of the OAP. See §A.2.x.