Trust Signal Directory

by CodeYourCompliance

Signal taxonomy

How public evidence is grouped

Signal strength is interpretive. The same evidence surface can carry different weight depending on timing, combination, and surrounding context. These categories are meant to structure review, not to produce definitive intent claims.

Weak signals

Weak signals

  • Privacy policy small update
  • Generic security page
  • Terms date change
  • Footer legal link added
  • Broad compliance marketing language

What it means

These are lightweight public changes or baseline trust surfaces that may be useful context but usually do not stand alone.

Why it may matter

Weak signals can help establish whether a company is beginning to formalize outward-facing trust documentation.

False positive risk

High. Many of these changes can be routine legal housekeeping or standard marketing site maintenance.

Next signal to watch

Look for supporting evidence such as a DPA page, a subprocessor page, or new enterprise control features.

Medium signals

Medium signals

  • DPA page added
  • Subprocessor page added
  • Enterprise security feature added
  • SSO, RBAC, SCIM, audit log, or data residency added
  • Security FAQ or questionnaire page added

What it means

These signals often reflect clearer readiness work because they require more operational detail than generic marketing language.

Why it may matter

They may indicate that teams are preparing for or responding to common enterprise review requirements.

False positive risk

Moderate. The change may reflect backlog completion, standardization work, or existing maturity becoming more visible.

Next signal to watch

Watch for a Trust Center, framework pages, regulated-industry pages, or relevant trust and compliance hiring.

Strong signals

Strong signals

  • Trust Center added
  • SOC 2 or ISO page added
  • Report request flow added
  • Security, privacy, compliance, GRC, or legal operations role posted
  • AI data usage, responsible AI, or model safety page added
  • HIPAA, GDPR, or regulated-industry page added

What it means

Strong signals usually point to more explicit trust infrastructure, external review preparation, or public clarification of important customer assurance topics.

Why it may matter

These changes can indicate that trust and compliance work is operationally important enough to warrant dedicated public surfaces.

False positive risk

Moderate. Strong signals can still reflect maturity already achieved rather than a new near-term milestone.

Next signal to watch

Look for combined evidence such as new enterprise pricing, multiple related trust pages, or public statements about review processes.

Very strong signals

Very strong signals

  • Publicly stated SOC 2, ISO, or vendor review in progress
  • Public sign of customer security review or DPA pressure
  • Trust Center plus compliance hiring plus enterprise pricing appearing together
  • DPA plus Subprocessor plus AI data usage evidence appearing together
  • Regulated-industry motion combined with new trust evidence surfaces

What it means

Very strong signals usually come from combinations of evidence or unusually explicit public statements about trust and review work.

Why it may matter

When multiple trust surfaces move together, the public record may suggest more concentrated enterprise-readiness activity.

False positive risk

Lower, but still present. Combined signals may be tied to broader maturity programs rather than a specific buyer motion.

Next signal to watch

Monitor whether the combined evidence persists, expands, or is reinforced by additional public documentation over time.