Trust Signal Directory

by CodeYourCompliance

Methodology

Evidence-first public review

Trust Signal Directory starts from public, reviewable evidence rather than unverifiable claims. The goal is to explain what can be seen, what changed, and how much interpretation risk should be carried with that observation.

Public Reviewable source pages only
Manual Human review before profile publication
Careful Interpretive signals, not definitive claims

Section 1

Evidence-first approach

The directory begins with public evidence that another reviewer can inspect directly. That includes trust pages, security pages, privacy documents, legal terms, public careers pages, product pages, changelogs, and public announcements when they are relevant to trust and enterprise-readiness context.

Reviewable

Every observation should point back to a public source page or announcement that can be checked independently.

Comparable over time

Signals become stronger when the same evidence surface is observed repeatedly and changes can be compared.

Carefully scoped

The site documents public evidence surfaces and interpretation, not private assumptions about pipeline status or internal deal motion.

Section 2

Evidence object

Each reviewed evidence item can be described with a consistent object so interpretation stays grounded and auditable.

Source URL
The public page or announcement being reviewed.
Page type
The surface category, such as Trust Center, privacy policy, careers page, or security feature page.
Captured at
When the evidence was captured or recorded for review.
Company
The vendor associated with the evidence surface.
Current state
The present public state of the page or statement.
Previous state when available
The earlier public state used for comparison when historical review is available.
First seen
The earliest known observation date for that evidence surface.
Last checked
The most recent review date for the page.
Review note
A short note describing the observed change or the reason the page matters.
Review status
A simple status indicating whether the observation is pending, reviewed, or published.

Section 3

Evidence status labels

These labels describe the strength and timing basis of public evidence. They are not compliance ratings, buying intent claims, or vendor recommendations.

Current public baseline

A public trust, security, privacy, legal, or enterprise-readiness surface is currently observable, but the directory is not making a timing or recent-change claim.

Candidate signal

The observed public evidence may indicate trust, compliance, privacy, security, AI governance, or enterprise-readiness activity, but it remains an interpretive signal rather than a confirmed change.

Dated public update observed

A public source contains dated update language, such as a trust center update, report availability date, framework certification date, or subprocessor update. This does not mean the directory has verified the full historical first-seen / last-absent change window.

Confirmed public change window

Reserved for cases where historical review supports a change window, such as previous public absence and later public presence, dated source history, archive comparison, or another reviewable timing basis.

Section 4

Signal interpretation

A page existing is not always a signal. The directory looks for evidence changes, evidence gaps, combinations of signals, and timing. A new DPA page, for example, may matter more if it appears alongside a new subprocessor page and enterprise security feature updates than if it appears on its own without supporting context.

A

Evidence changes

New pages, revised dates, or changed statements can be more informative than static presence alone.

B

Evidence gaps

Missing trust surfaces in expected areas can also shape interpretation, especially for enterprise-facing vendors.

C

Combinations

Multiple related changes often carry more meaning than a single isolated update.

Section 5

False positive control

The directory is designed to be useful without overstating what a public page means. These examples show why caution matters.

Generic security page

A generic security page may be marketing copy only and not evidence of new enterprise-readiness work.

Privacy policy date change

A privacy policy date change may reflect legal maintenance rather than buying intent or procurement pressure.

Trust Center launch

A Trust Center may indicate post-purchase maturity or a broader compliance program, not necessarily a new near-term motion.

SOC 2 page

A SOC 2 page may mean the company is already past the readiness stage rather than newly entering it.

Section 6

Public data boundaries

The public directory reviews sources that are meant to be public and avoids private, personal, or non-public collection methods.

Sources that may be reviewed

  • Public websites and documentation
  • Legal pages, trust pages, and security pages
  • Careers pages and public changelogs
  • Public announcements relevant to trust or compliance evidence

Sources not used for the public directory

  • Private data or non-public sources
  • Scraped personal data
  • Automated LinkedIn scraping
  • Unreviewed or unverifiable evidence