Trust Center - Documentation & Security Controls

Use this section to provide a clear, concise summary of your organisation’s security practices. Sprinto generates an initial overview that you can keep or replace with your own text.

Each time you edit and save the overview, Sprinto creates a new version. You can assign different versions to different Trust Center profiles as needed.


Compliance

List all compliance standards your organisation has achieved or is currently pursuing. This helps customers verify your alignment with recognised global security frameworks.


Trusted By

Showcase key customers who use your products or services. This strengthens trust by demonstrating that reputable organisations rely on your security and controls.


Policies

Policies formalise your organisation’s information security practices. They are a core component of your Trust Center and are often required for security audits.

Sprinto automatically imports relevant security policies from your account. You can also upload additional policies that sit outside Sprinto’s compliance modules.


Documents

Upload any security-related documents that support your Trust Center. These help customers understand your security posture and processes.

Network Diagram

Shows how components in your infrastructure interact. Used for maintenance, security review, and compliance.

Penetration Test Report (Pentest Report)

Provides findings from penetration testing activities. Always upload the most recent report.

Security Whitepaper

A high-level document explaining your security model, threat landscape, and mitigation strategies.

Vulnerability Assessment Report

Lists vulnerabilities identified during a scan, their severity, and recommended remediation steps. Demonstrates diligence in vulnerability management.


Upload or link to documentation required for legal, contractual, or regulatory purposes.

Terms of Service

Defines the agreement between your organisation and its users.

Master Services Agreement (MSA)

Provides the framework that governs all current and future engagements.

Privacy Policy

Explains how customer data is collected, used, stored, and protected.

Business Associate Agreement (BAA)

Required when working with Protected Health Information (PHI) under frameworks such as HIPAA.

Data Processing Agreement (DPA)

Defines the relationship between a data controller and a data processor. Required under several compliance frameworks.


Product Security

Describe the processes and controls used to build and maintain a secure product.

Role-Based Access Control (RBAC)

Assigns permissions based on a user’s role rather than to individuals. Example roles include Administrator, Information Security Officer, and Employee.

Audit Logging

Records user and system activity to support anomaly detection and forensic analysis. Logs are centralised in a SIEM and monitored regularly.


Data Security

Provide an overview of how your organisation safeguards data throughout its lifecycle.

Typical measures include:

  • Annual independent audits
  • Internal risk and privacy assessments
  • Regular penetration testing and vulnerability scanning
  • Encryption of sensitive data at rest and in transit
  • Firewalls with a deny-all default
  • MFA and RBAC for all sensitive systems
  • Centralised logging with alerting
  • Timely patching and updates


Integrations

List the integrations your organisation supports to help users streamline workflows across systems. Examples: Zoho, HubSpot, Salesforce.


Service Level Agreement (SLA)

Explain your service commitments, including availability and responsibilities. Include a link to your SLA if available.


Single Sign-On (SSO)

List all SSO mechanisms your product supports (for example, OAuth and SAML). SSO improves security and simplifies user access.


Team Management

Describe how your product manages internal teams, permissions, and administrative roles.


Data Security — Operational Controls

Explain the operational controls that protect customer data.

Access Monitoring

Describe the systems used to monitor access and enforce least-privilege principles. Examples include AWS GuardDuty, CloudTrail, CloudWatch, and Kibana.

Backups Enabled

Explain your backup frequency, retention, and recovery processes.

Encryption at Rest

Describe encryption standards, such as AES-256, and key management via services like AWS KMS.

Encryption in Transit

Describe encryption protocols used for data transmission, such as HTTPS with TLS/SSL.

Physical Security

Outline the physical protections applied by your cloud provider and your organisation.

Network Security

List the controls used to protect systems from network-based threats.

Data Loss Prevention (DLP)

Protects data from unauthorised exfiltration.

Firewall

Describe the firewall used and how it filters traffic.

IDS/IPS

Detail the intrusion detection and prevention capabilities in place.

Spoofing Protection

Describe email and network spoofing controls, such as SPF, DKIM, and anti-DDoS.

Virtual Private Cloud (VPC)

Explain your hosting architecture, including cloud regions.

Wireless Security

Describe VPN or secure wireless policies.


Application Security

Explain the processes and tools used to ensure secure software development.

Bug Bounty / Responsible Disclosure

Describe your policy for reporting vulnerabilities.

Code Analysis (SAST)

Explain tools and processes used for static code analysis.

Secure Software Development Life Cycle (SDLC)

Describe how secure coding and testing practices are embedded into development workflows.

Credential Management

Explain how secrets are stored and rotated securely (for example, AWS KMS).

Vulnerability and Patch Management

Describe how vulnerabilities are identified, prioritised, and resolved.

Web Application Firewall (WAF)

Explain how your WAF filters and blocks malicious traffic.


Endpoint Security

Outline the controls applied to endpoint devices used by employees.

Disk Encryption

Describe the encryption tools and standards used for employee devices.

Mobile Device Management (MDM)

Explain how devices are provisioned, secured, and remotely managed.

DNS Filtering

Describe tools used to block malicious domains.

Threat Detection

Outline endpoint detection capabilities and threat classification.

Endpoint Detection and Response (EDR)

Explain how devices are monitored continuously for malicious behaviour.


Corporate Security

Describe internal controls, employee responsibilities, and organisational safeguards.

Email Protection

List email protections such as spam filtering, phishing analysis, and SPF/DKIM/DMARC.

Employee Training

Describe mandatory security and privacy training requirements.

Incident Response

Outline your incident response framework, including identification, containment, and remediation.

Internal Assessments

Describe periodic risk assessments and their ownership.

Mobile Device Management (Admin)

Explain administrative controls for issuing and managing devices.

Single Sign-On (Internal)

Detail internal SSO requirements for employee access to systems.


Trust Center Updates

Use this section to publish updates on security changes, incidents, remediation actions, or general trust communications. Regular updates demonstrate transparency and strengthen customer trust.
