What to include in a trust center
There is no single "right" trust center, but buyers expect a consistent set of sections. Treat this as a reference and adapt to your industry.
Certifications and audits
List every formal certification or attestation report with the issuer (auditor or certification body), the scope (which products, systems and locations it covers) and the validity or report period. Include completed engagements (SOC 2 Type 2 report, ISO 27001 certificate) as well as ongoing or in-progress ones (PCI DSS attestation of compliance, HIPAA assessments). Note that HIPAA has no formal certification programme, so state what was actually done (for example a third-party gap assessment) rather than claiming to be "HIPAA certified".
Security practices
A short paragraph each on: encryption in transit and at rest (name the protocol versions and key-management approach, not just "encrypted"), access controls (SSO, MFA, least privilege, periodic access reviews), vulnerability management (scan cadence, patch timelines, external penetration testing), secure SDLC (code review, dependency and secret scanning, CI checks), and employee security training. Buyers skim, so keep it tight and concrete.
Data protection
Where data lives (regions and hosting providers), who can access it and under what controls, retention windows, deletion on request and on contract termination, and a pointer to the subprocessor list. This is usually the most-asked section.
Subprocessors
Versioned list with name, purpose, data processed, location, and whether a DPA is in place with each subprocessor. Update it whenever subprocessors change and keep prior versions available. Customers under the GDPR expect advance notice of intended changes and the chance to object (Art. 28(2)), so offer a subscription (email or RSS) for change notices rather than relying on them to re-check the page.
Incident response
Your incident detection, triage, response and notification process, including who is accountable and how customers are contacted. State the customer-notification window your DPA commits to (a fixed number of hours or "without undue delay") so the trust center and the contract do not disagree.
Documents
PDFs and certificates, each marked with its access level: SOC 2 report (NDA), ISO 27001 certificate (public), DPA (public), penetration test summary or attestation letter (NDA), business continuity / disaster recovery plan (NDA), responsible disclosure policy (public). Gate NDA documents behind a click-through or signed NDA and log who downloaded what.
Contact
A single, monitored security contact email and (optionally) a responsible disclosure / vulnerability reporting endpoint, with a published PGP key for sensitive reports. The disclosure policy should state what is in scope and what testing is permitted so researchers know what to expect.
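The standard way to make that contact and disclosure endpoint discoverable by researchers and scanners is a security.txt file (RFC 9116) served at /.well-known/security.txt. The file below is an added example, not taken from any real trust center; example.com, the mailbox and every URL are placeholders.

```text
# /.well-known/security.txt  (RFC 9116)
# Added example with placeholder values: example.com, the mailbox and
# the URLs below are assumptions, not a real organisation's endpoints.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T00:00:00.000Z
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the two required fields; the others are optional. Serve the file over HTTPS as text/plain, set Expires less than a year out and put a reminder in your calendar to refresh it, since an expired file is treated as stale. Canonical should match the URL the file is actually served from; if you sign the file with your disclosure PGP key (an OpenPGP cleartext signature), researchers can verify it was not tampered with.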