diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b6a04c4b0..54379ab42 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -151,6 +151,9 @@ jobs:
       packages: write
       id-token: write
     runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
+      version: ${{ steps.meta.outputs.version }}
     steps:
       - uses: actions/checkout@v4
 
@@ -167,6 +170,13 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository_owner }}/one-enterprise
 
+      - id: digest
+        run: >
+          digest=$(docker buildx imagetools inspect
+          "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}"
+          --format '{{json .Manifest}}' | jq --raw-output '.digest');
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+
       - run: >
           node ./enterprise/scripts/sbom.js
           "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}"
@@ -185,8 +195,26 @@ jobs:
           "https://github.com/${{ github.repository }}/.github/workflows/deploy.yml@${{ github.ref }}"
           "/tmp/sbom.spdx.json"
 
+  # SLSA Build Level 3 Provenance
+  # See https://github.com/slsa-framework/slsa-github-generator
+  enterprise-provenance:
+    needs: enterprise-cosign
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/one-enterprise
+      digest: ${{ needs.enterprise-cosign.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
   release:
-    needs: docker-multi-arch
+    needs:
+      - docker-multi-arch
+      - enterprise-provenance
     runs-on: ubuntu-latest
     permissions:
       contents: write
diff --git a/docs/commercial.md b/docs/commercial.md
index 2c4490928..a3cbff210 100644
--- a/docs/commercial.md
+++ b/docs/commercial.md
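Review bot: The new `version` job output is not consumed anywhere in this change — the `enterprise-provenance` job added further down reads only `needs.enterprise-cosign.outputs.digest` — so it is either dead configuration or intended for a consumer that should be named. Either drop it, or put a comment above `outputs:` such as `# digest: consumed by enterprise-provenance; version: consumed by [JOB-PLACEHOLDER]` so the next reader knows why it exists. The job header these outputs belong to (presumably `enterprise-cosign`, going by the later `needs:`) sits above this hunk.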
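Review bot: The `digest` step can write an empty or `null` digest to `$GITHUB_OUTPUT` without failing: no `shell:` is set, so the step runs under `bash -e` without `pipefail`, and if `docker buildx imagetools inspect` fails, `jq` still exits 0 on empty input (and prints `null` when `.Manifest` has no `.digest`). Because this value becomes the `image@digest` that the provenance job attests, set `shell: bash` (which turns on `pipefail`) and refuse to export anything that is not a full sha256 digest. Resolving the tag back to a digest after the push is also a small race with anything else that can move the tag; if the image is pushed with `docker/build-push-action`, its `digest` output gives the pushed manifest digest directly and removes the lookup. The `- run: >` sbom step that follows is unchanged.

```yaml
      - id: digest
        shell: bash
        run: |
          digest=$(docker buildx imagetools inspect \
            "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}" \
            --format '{{json .Manifest}}' | jq --raw-output '.digest')
          # Fail closed: an empty/null digest must not reach the provenance job.
          if [[ ! "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "unexpected digest: '${digest}'" >&2
            exit 1
          fi
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
      # … unchanged: sbom.js step …
```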
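Review bot: The two comment lines above `enterprise-provenance` name the target level but not how this job fits: it calls the container *generator* reusable workflow, which signs provenance for the `image@digest` computed in `enterprise-cosign` rather than building the image itself, and it is referenced by release tag rather than commit SHA, which is the reference style the generator project recommends for its reusable workflows, so the tag pin is not the usual unpinned-action smell. Suggest expanding the comment to, e.g., `# Signs SLSA provenance for the image@digest that enterprise-cosign pushed (the image is built in this workflow, not by the generator); referenced by tag as the generator docs recommend`. The job also has no `if:` of its own, so it runs whenever `enterprise-cosign` runs; if that job is not already restricted to release tags (its definition is outside this hunk), the generator will attempt to push attestations for non-release builds too. Making `release` depend on `enterprise-provenance` is the right ordering, since a failed attestation now blocks the release.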
@@ -81,6 +81,16 @@ supply chain security and regulatory compliance capabilities:
   FIPS provider (`openssl-provider-fips`) for all cryptographic operations,
   supporting organizations that require FIPS 140 compliance.
 
+- **SLSA Build Level 3 Provenance.** Each Enterprise release publishes a
+  [SLSA v1.0](https://slsa.dev/spec/v1.0/) Provenance attestation that
+  describes how the image was built, including the source repository, the
+  exact commit, the workflow invocation, and the runner identity. The
+  attestation is generated and signed by GitHub Actions through Sigstore on
+  a hardened, isolated build platform, satisfying the SLSA Build Level 3
+  non-forgeability requirements and providing verifiable evidence of build
+  integrity for supply chain audits and regulatory frameworks such as the
+  NIST Secure Software Development Framework (SSDF).
+
 ### Verifying Image Signatures
 
 You can verify that an Enterprise container image was built and signed by
@@ -107,6 +117,23 @@ cosign verify-attestation --type spdx \
   | jq -r '.payload' | base64 -d | jq '.predicate'
 ```
 
+### Verifying Build Provenance
+
+The SLSA Build Level 3 Provenance attestation can be verified using
+[`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier), which
+checks both the Sigstore signature and that the provenance references the
+expected source repository and tag. Verifying images from `ghcr.io` requires
+exporting `GH_TOKEN` with a GitHub token that has read access to the
+container registry. For example:
+
+```sh
+export GH_TOKEN=
+slsa-verifier verify-image \
+  ghcr.io/sourcemeta/one-enterprise:v6.2.0 \
+  --source-uri github.com/sourcemeta/one \
+  --source-tag v6.2.0
+```
+
 ## Our Commitment to Excellence
 
 Sourcemeta is led by a member of the JSON Schema Technical Steering Committee,
diff --git a/docs/index.md b/docs/index.md
index 910db3893..2472ee734 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -141,7 +141,10 @@ instances.
 
 **Supply chain security**: The Enterprise container image is cryptographically
 signed with Cosign/Sigstore, includes a signed SPDX Software Bill of Materials
-(SBOM), and ships with the OpenSSL FIPS provider for FIPS-ready cryptography.
+(SBOM), publishes a [SLSA](https://slsa.dev/spec/v1.0/) Build Level 3
+Provenance attestation, and ships with the OpenSSL FIPS provider for FIPS-ready
+cryptography. See the [commercial documentation](./commercial.md#supply-chain-security)
+for details.
 
 **Expert commercial support & training**: [Commercial Licenses](./commercial.md)
 give you access to world-class JSON Schema expertise