What a Trust Centre exposes: the buyer’s checklist
A working Trust Centre exposes certifications and attestations, the sub-processor list, the data protection programme, the security programme, breach history (where applicable), monitoring status, and a route to request documents under NDA. Buyers and auditors check these in roughly that order.
Certifications and attestations
This is the first thing a buyer checks. The Trust Centre lists current certifications (ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 9001, ISAE 3402) and attestations (SOC 1, SOC 2 Type II, GDPR readiness statement) with their dates, the certification body or audit firm, and the scope statement.
A common pitfall: listing an expired or unrenewed certificate. Buyers will check the dates. An expired certificate is worse than no certificate, because it signals control deterioration.
Sub-processor list
The list of sub-processors used to provide the service, with the country of processing for each. Required by GDPR Article 28 and increasingly by buyer-side procurement processes.
Format conventions: the sub-processor name, the service it provides (hosting, email delivery, payment processing, analytics), the country of processing, and a link to the sub-processor’s own DPA terms or security posture. A change to the sub-processor list typically triggers a notification to customers with a defined notice period (commonly 30 days).
Data protection programme
The Trust Centre summarises the data protection programme: the lawful bases used, the categories of personal data processed, the international transfer mechanisms in place, the retention policy, the rights-fulfilment process, and the DPO contact (where appointed). The detailed documents (privacy notice, DPA, DPIAs) are often available for download under NDA.
Security programme
The security programme summary covers access controls, encryption (at rest, in transit, key management), software development lifecycle, vulnerability management, incident response, penetration testing cadence, business continuity and disaster recovery testing, employee security training, and physical security (where the vendor operates physical infrastructure).
Where the vendor uses a hosted infrastructure provider (AWS, GCP, Azure), the shared responsibility model is described. The vendor’s controls cover the vendor’s side; the infrastructure provider’s controls are referenced (with a link to their attestations) but not reproduced.
Breach history
Where the vendor is subject to breach notification obligations, the Trust Centre may include a breach-history disclosure. Approaches differ: some vendors list every notified breach with a brief summary; others provide a contact route and answer specific buyer queries under NDA.
Either approach is defensible. What is not defensible is silence followed by discovery during diligence. A buyer who finds out about a previous breach from a news article rather than from the Trust Centre will treat that as a trust failure separate from the breach itself.
Live monitoring status
A modern Trust Centre integrates with monitoring systems (uptime monitors, dependency checks, certificate-expiry watchers) to show live status of critical security controls. This is the feature that distinguishes a modern Trust Centre from a static PDF library.
Common live signals: SSL certificate expiry dates, current uptime over the last 30/90 days, the next surveillance audit date, the current ISO 27001 certificate expiry, the most recent penetration test date.
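As an added example, not code from this page or from any Trust Centre product, the following Python sketch shows how the live signals listed above (and the expired-certificate pitfall under Certifications and attestations) can be computed from monitoring data: date-based expiry for certificates and report periods, cadence-based staleness for penetration tests and surveillance audits, and trailing 30/90-day uptime from probe records. The vendor, hostname, dates, cadences and probe records are all constructed.

```python
# Added example, not code from the page: computing the live signals a Trust
# Centre displays (certificate expiry, control recency, uptime) from monitoring
# data. All dates, names and probe records below are constructed.
from dataclasses import dataclass
from datetime import date, datetime, timedelta

SEVERITY = {"ok": 0, "warning": 1, "alert": 2}


@dataclass(frozen=True)
class Signal:
    name: str
    status: str  # "ok", "warning" or "alert"
    detail: str


def expiry_signal(name: str, expires_on: date, today: date, warn_days: int = 30) -> Signal:
    """Something that lapses on a date: a TLS certificate, an ISO 27001 certificate,
    the end of a SOC 2 report period. Past the date it is an alert, not a quiet gap,
    because buyers read an expired artefact as control deterioration."""
    remaining = (expires_on - today).days
    if remaining < 0:
        return Signal(name, "alert", f"expired {-remaining} days ago")
    if remaining <= warn_days:
        return Signal(name, "warning", f"expires in {remaining} days")
    return Signal(name, "ok", f"expires in {remaining} days")


def recency_signal(name: str, last_done: date, today: date,
                   cadence_days: int, warn_days: int = 30) -> Signal:
    """A recurring activity (penetration test, surveillance audit) that goes stale
    when the gap since the last one exceeds its cadence."""
    age = (today - last_done).days
    if age > cadence_days:
        return Signal(name, "alert", f"last done {age} days ago, beyond the {cadence_days}-day cadence")
    if age > cadence_days - warn_days:
        return Signal(name, "warning", f"last done {age} days ago, due within {cadence_days - age} days")
    return Signal(name, "ok", f"last done {age} days ago")


def uptime_percent(probes, window_days: int, now: datetime) -> float:
    """Share of successful probes in the trailing window, i.e. the 30/90-day figures
    a Trust Centre shows. `probes` is an iterable of (timestamp, succeeded) pairs."""
    cutoff = now - timedelta(days=window_days)
    in_window = [ok for ts, ok in probes if ts >= cutoff]
    if not in_window:
        raise ValueError(f"no probes in the last {window_days} days")
    return round(100.0 * sum(in_window) / len(in_window), 2)


def worst_status(signals) -> str:
    """The overall badge is the worst individual signal."""
    return max((s.status for s in signals), key=SEVERITY.get)


# Constructed monitoring snapshot for a hypothetical vendor.
TODAY = date(2024, 6, 1)
NOW = datetime(2024, 6, 1, 12, 0)
# Daily probe records for 100 days; the probes 3, 45 and 60 days ago failed.
PROBES = [(NOW - timedelta(days=i), i not in {3, 45, 60}) for i in range(100)]


def trust_centre_status(today: date = TODAY, now: datetime = NOW) -> dict:
    """Assemble the live panel: per-control signals plus uptime figures."""
    signals = [
        expiry_signal("TLS certificate (www.example.com)", date(2024, 6, 20), today),
        expiry_signal("ISO 27001 certificate", date(2026, 3, 31), today),
        expiry_signal("SOC 2 Type II report period", date(2024, 5, 15), today),
        recency_signal("Penetration test", date(2023, 4, 10), today, cadence_days=365),
        recency_signal("ISO 27001 surveillance audit", date(2023, 9, 15), today, cadence_days=365),
    ]
    return {
        "signals": signals,
        "uptime_30d": uptime_percent(PROBES, 30, now),
        "uptime_90d": uptime_percent(PROBES, 90, now),
        "overall": worst_status(signals),
    }


if __name__ == "__main__":
    panel = trust_centre_status()
    for s in panel["signals"]:
        print(f"{s.status:8} {s.name}: {s.detail}")
    print(f"uptime 30d: {panel['uptime_30d']}%  90d: {panel['uptime_90d']}%")
    print("overall:", panel["overall"])
```

The design point is that the panel never shows a stale "valid" badge: an expired certificate or an overdue penetration test is promoted to the overall status, which is what a buyer reading the page would otherwise have to discover by checking dates by hand.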
Document library and contact route
Some artefacts are too detailed to live on a public Trust Centre. ISO 27001 certificates and full SOC 2 reports are typically downloadable under NDA, via a self-service NDA acceptance flow or via a security contact route.
The Trust Centre includes a security contact (typically security@vendor.com or a dedicated form). Procurement and auditor questions that the Trust Centre does not directly answer go through this route.
What buyers and auditors actually check first
- ISO 27001 certificate (or SOC 2 Type II report). The single fastest signal.
- Sub-processor list, especially the country of processing for personal data.
- GDPR readiness statement and DPA terms.
- Most recent penetration test date and remediation status.
- Live monitoring status. A live signal is more credible than a static claim.
- Breach history disclosure approach.
- Security contact route, to confirm it is real.