## Divide content into three groups

| Zone | What belongs there |
|---|---|
| Public | High-level security and compliance information |
| Gated | Sensitive reports or detailed evidence for qualified buyers |
| Internal only | Operational runbooks, raw screenshots, and privileged documents |

### Why this works

The map prevents both over-sharing and under-sharing. Buyers get enough confidence early, and your team keeps control of deeper evidence.

A trust center should be curated. If it exposes too little, buyers still send long questionnaires. If it exposes too much, it creates unnecessary confidentiality and security risk. A content map helps decide what belongs where before the page becomes a document dump.

## Public content

Public content should help buyers understand your security posture without needing a meeting. Good public items include:
- Security overview
- Framework status
- High-level architecture and hosting summary
- Data protection summary
- Subprocessor overview
- Contact path for security requests
- Availability or status page link
- Responsible disclosure or vulnerability reporting path

## Gated content

Gated content is useful for qualified buyers, customers, auditors, or partners who need deeper evidence. Examples:
- SOC 2 report
- ISO certificate
- Penetration test summary
- Cyber insurance certificate
- Detailed policy documents
- Security questionnaire exports
- Business continuity summary
- Data processing agreement or subprocessor details

## Internal-only content

Some material should stay internal:
- Raw vulnerability reports
- Incident investigation notes
- Internal runbooks
- Detailed network diagrams
- Secrets handling procedures
- Unredacted customer data examples
- Internal audit working papers

## Ownership model

Every item in the trust center needs:
- Content owner
- Review cadence
- Sensitivity level
- Source of truth
- Last reviewed date
- Expiration or renewal date if applicable

## Practical template

| Artifact | Zone | Owner | Review cadence | Notes |
|---|---|---|---|---|
| Security overview | Public | Security | Quarterly | Keep buyer-friendly |
| SOC 2 report | Gated | Compliance | On new report | NDA required |
| Subprocessor list | Public or gated | Privacy | Quarterly | Match DPA commitments |
| Incident response policy | Gated summary | Security | Annual | Share summary, not runbook |
| Internal incident runbook | Internal only | Security | Semi-annual | Never publish directly |