
Introduction to Trust Center

Written by Maximilian Vogt
Updated over 2 months ago

Trust Center Overview

  • The Trust Center page is where you create and manage your Trust Center and see a list of access requests.

  • Access requests shows the history of viewers who have requested access to restricted documents, such as a pentest report or a SOC 2 report.

  • The settings page lets you publish your Trust Center, copy its public URL, and select Assignees (the Secfix users who will receive notifications about Trust Center access requests). By default, your Trust Center is in draft mode and the URL is not reachable until you publish it.

Editing your Trust Center

  • From the Trust Center page, select Trust center editor.

  • Every editable section is highlighted on hover. We will guide you through the setup of each section one by one.

Customize Branding

  • To customize colors and other brand parameters, click on Customize branding.

From there you can:

Customize Trust Center colors

💡 Tip: When customizing colors, we recommend opening your landing page in another window and using the color picker in Secfix Trust Center. The main button color should be your primary color on Secfix Trust Center.

Customize Trust Center title

We recommend leaving it as it is. If you want it to be called Security Hub or similar, this is the place to change it.

Company name

We recommend leaving out the legal entity when you add your company name. We use this value to customize your controls and many other fields dynamically on your behalf.

Company website

This is where users land when they click the logo.

Logo

💡 Tip: If you have an asymmetrical logo like Secfix, we recommend adding your company name to the Trust Center title and using a square logo instead. You can see an example below.

Favicon

A favicon is the small icon that appears in the browser tab next to your trust center title. To set one, simply upload a square PNG or ICO image.


Overview

In Overview you can customize:

  • Section title and company description

💡 Typically you can leave the title as it is: Overview. Another example we’ve seen is ‘Company’s mission’. At Secfix we wanted to write a personal letter from a co-founder, inspired by our friends at Kombo, so we call it ‘Introduction from our CTO’. The options are limited only by your creativity.

  • Email and privacy policy

Compliance

List the compliance frameworks your company has achieved or is currently working on by selecting the Edit icon in the Compliance section.

There you can:

  • Select a compliance framework from our database.

    Typically, our customers add ISO 27001, any other certification, and GDPR.

  • Add a custom compliance framework.

  • For each framework you can customize: display name, status, auditor, description and compliance label.

💡 You don’t always need a description. However, if you are going through a certification, we recommend adding the auditor and the specific version of the certification, like ISO 27001:2022. Keep framework display names short so the overview stays minimalistic.

  • Sort the compliance frameworks.

Controls


The Controls section helps prospects understand which controls are implemented in your company. To edit it, click Edit.

There you can:

  • Customize the section description.

  • Sort categories.

  • Add and edit custom categories. Note: Delete is not available at the moment.

  • Under Manage controls, select the controls that will be shown on your Trust Center.

  • Automatically select all passed controls. This selects the controls with status ‘Passed’.

  • Add custom controls.

  • Edit controls. Secfix allows you to customize control categories, titles and descriptions.

💡 To get started quickly, we recommend first selecting all passed controls. As you mature, you will be able to add finer details, such as encryption types, that are applicable to your company. However, this is not required in your Trust Center, and not every prospect needs to know this.

Resources


Resources can be selected from your Secfix documents or uploaded from your computer. We suggest you include the following if available:

Publicly Accessible Resources

These documents can be freely downloaded by anyone visiting your Trust Center:

  • Public InfoSec and Privacy Certifications and Reports: Examples include ISO 27001, ISO 27701, TISAX, and SOC 3 reports.


Restricted Resources

These documents will only be accessible through an access request:

  • Policies Frequently Requested by Customers

  • Restricted InfoSec and Privacy Certifications and Reports: Examples include the SOC 2 report, which contains more detailed and potentially sensitive information than public reports.

  • CAIQ Questionnaire: Link to template

  • ISO SOA (Statement of Applicability)

  • Network Diagram

Subprocessors

A vendor is a subprocessor if they process your customers' personal data (PII) as part of the service they provide to you.

Typical examples of subprocessors for B2B SaaS companies:

  • Cloud infrastructure providers: AWS, GCP, Azure Cloud, etc.

  • Email service providers: Google Workspace, Microsoft 365, etc.

  • User authentication services: Firebase, Auth0, etc.

  • Customer Relationship Management (CRM) systems: Hubspot, Salesforce, Attio, etc.

  • Support ticketing systems: Jira Service Management, Zendesk, Intercom, etc.

  • Customer support chat services: Intercom, Zendesk, Pylon, etc.

  • User analytics platforms: Mixpanel, Amplitude, Hotjar, etc.

  • App notification services: Twilio, Courier, etc.

If you have questions regarding your subprocessors, we recommend reaching out to your company’s DPO.

Access Requests

When visitors to your Trust Center request access to restricted documents, they will go through a simple access request flow. Here’s how it works:

Requesting Access

Users can choose to request access to all restricted documents or just a specific few.

Admin Notification

Once the request is submitted, the admins on your subscribers list will receive an email notification with details of the access request. Admins will then need to review the request and send the requested documents directly to the requester.

💡 Admins who get these emails are chosen from the subscribers list. To change which admins get these emails, go to the Trust Center settings.

Tracking Access Requests

Admins can view all incoming access requests in the Access Requests Table on the Trust Center dashboard.

To keep track of decisions made, admins can leave comments in the Notes field within the table, documenting whether they have accepted or rejected an access request.

Publishing the Trust Center

Once everything is set up, you can publish your Trust Center to generate a shareable link. You can unpublish it at any time if needed.

Embedding the Trust Center
