A growing share of B2B SaaS companies publish a public trust center: a single place to read about security practices, certifications, and subprocessors. Buyers expect it; auditors appreciate the paper trail; sales teams use it to shorten security reviews.
Why public, not email-only
Email-only diligence does not scale when you have hundreds of vendors. Public pages let prospects self-serve baseline answers—encryption in transit, data residency options, where to request the SOC 2—before your staff spends time on custom threads.
Public does not always mean no gating. Some artifacts stay behind forms or NDAs while policies remain open. That hybrid is normal.
What you typically find
- High-level architecture or data handling narrative
- List of certifications with dates or refresh cadence
- Subprocessors and infrastructure regions
- Status pages, incident history, or commitment to notification timelines
- Links to DPAs, terms, and privacy policies
What you should not expect
Trust centers are not a substitute for contract terms, a full audit package, or your own testing. They orient you; your review validates whether claims match your risk appetite and regulatory context.
How directories help
The hard part is discovery: the same company might use trust.example.com, example.com/trust, or a third-party hosted subdomain. Curated directories (like TrustLists) map company names to known trust URLs and hosting patterns so you spend less time on DNS archaeology.
Using TrustLists in a review
Start from the directory entry, open the trust center, capture what is public, then branch to questionnaires or report requests as needed. For deep dives on individual vendors, our company pages link straight to their trust center and website when available.
Entries reflect what we have observed in public registries and URLs. Vendors change hosts; always verify the live page.