FAQs: Trust Center and security questionnaires: setup and sharing

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Security questionnaires

Do tags get included in suggested answers when utilizing the questionnaire module of Secureframe?

  • No, the tags from the Knowledge Base do not get pulled into the questionnaire answers.

Do unused Security Questionnaires roll over to the next year?

  • No, they do not roll over into the next contract cycle beyond the end of the contract.

Does the Security questionnaire feature support multiple languages?

  • We do not currently support this, but a Feature Request (FR) is already in place for this request.

    If you would like to add your organization's name to the Feature Request, please let your CSM know at success@secureframe.com.

    Adding additional customers to the FR helps us prioritize our roadmap and future deployments.

How do I use the Create a Security Questionnaire endpoint (POST /security_questionnaires) in the Secureframe API?

  • Endpoint: POST /security_questionnaires
    Summary: Create a Security Questionnaire
    Description: Creates a new Security Questionnaire.
    Category: Security Questionnaire
    Parameters:
    - company_name (query, string, optional): The name of the client who is requesting the questionnaire
    - due_date (query, string, optional): The due date of the questionnaire
    - owner_id (query, string, required): The owner of the questionnaire
    - questionnaire_template (query, string, optional): The template to use for the questionnaire
    Request body (multipart/form-data):
    - file (string): File which you want to attach as evidence
    Responses:
    - default: 
    - 404: Resource not found
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

How does Secureframe automate security questionnaires?

  • Secureframe uses AI to pre-fill questionnaire responses based on existing compliance data.

What can entities that complete a Self-Assessment Questionnaire elect to do?

  • Have a QSA or ISA perform their assessment and document it in a ROC Template.

What is included in the AI Questionnaire Response Automation (questions/yr) with the Fundamentals and Complete packages?

  • Fundamentals Package:
    Includes up to 100 AI-assisted questionnaire responses per year. This is ideal for smaller teams or organizations with limited questionnaire volume. You also get access to the Knowledge Base, which powers more accurate, context-aware responses.

    Complete Package:
    Includes up to 15,000 AI-assisted questionnaire responses per year, supporting high-volume use cases like vendor security assessments, RFPs, and due diligence questionnaires. Full access to the Knowledge Base is also included to maximize response quality and consistency at scale.

What is the limit on the number of questions for a given security questionnaire plan?

  • The number of questions available depends on your plan. To find out the limit for your account, please reach out to your Customer Success Manager or Account Manager.

What is the Self-Assessment Questionnaire (SAQ)?

  • A questionnaire that can be completed by the customer without needing a QSA, unless specifically requested.

What Security Questionnaire endpoints are available in the Secureframe API?

  • The Secureframe API provides the following Security Questionnaire endpoints:
    This document describes the API for creating Security Questionnaires.

    - POST /security_questionnaires - Create a Security Questionnaire

Why did I receive an "incompatible file" error when uploading my questionnaire file?

  • This error often occurs when the uploaded file contains formulas (such as VLOOKUP, IF, etc.) or complex Excel functions. Our questionnaire module currently does not support processing files with embedded formulas, which causes the upload to fail.

    To resolve this:

    Please re-export your spreadsheet as a plain text version without any formulas.

    You can do this by copying all content and pasting it as values into a new sheet, then saving it as a .xlsx or .csv file.

    If you're still having trouble, feel free to reach out. In some cases, we can help by cleaning up the file for you—as we’ve done here. I’ve gone ahead and removed all formulas and converted the file to plain text. You can now use the attached version for uploading.
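
    A pre-upload check for the formula problem described above, as an added example (not Secureframe's code): it lists the cells that still carry formulas in an .xlsx or .csv file. The helper names and the sample workbooks are constructed for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET
import zipfile

# SpreadsheetML namespace used by worksheet parts inside an .xlsx archive.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def xlsx_formula_cells(data):
    """Return [(worksheet_part, cell_ref, formula)] for every cell holding a formula."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            # Questionnaires come from third parties: for files you do not trust,
            # swap in a hardened XML parser such as defusedxml.
            root = ET.fromstring(zf.read(part))
            for cell in root.iterfind(".//m:c", NS):
                formula = cell.find("m:f", NS)
                if formula is not None:  # <f> is the formula, <v> only its cached value
                    hits.append((part, cell.get("r"), formula.text or ""))
    return hits


def csv_formula_cells(text):
    """Return [(row, col, value)], 1-based, for CSV cells a spreadsheet would evaluate."""
    return [(r, c, v)
            for r, row in enumerate(csv.reader(io.StringIO(text)), 1)
            for c, v in enumerate(row, 1)
            if v.lstrip().startswith("=")]


def sample_xlsx(cells_xml):
    """Constructed sample: a minimal archive holding a single worksheet part."""
    sheet = ('<worksheet xmlns="' + NS["m"] + '"><sheetData><row r="1">'
             + cells_xml + "</row></sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


QUESTION = '<c r="A1" t="inlineStr"><is><t>Is data encrypted at rest?</t></is></c>'
# Constructed inputs: B1 as a VLOOKUP formula, then the same cell pasted as a value.
WITH_FORMULA = sample_xlsx(
    QUESTION + '<c r="B1" t="str"><f>VLOOKUP(A1,Answers!A:B,2,FALSE)</f><v>Yes</v></c>')
VALUES_ONLY = sample_xlsx(
    QUESTION + '<c r="B1" t="inlineStr"><is><t>Yes</t></is></c>')

if __name__ == "__main__":
    for label, blob in (("with formula", WITH_FORMULA), ("values only", VALUES_ONLY)):
        print(label, xlsx_formula_cells(blob) or "no formulas found")
```

    An empty result means every cell was pasted as a value; any hit names the sheet part and cell to fix before uploading.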

Trust Center

Can each Workspace manage and publish its own independent Trust Center?

  • Yes — each Trust Center is totally separate and independent based on the Workspace.

Can you provide examples of customers using the Secureframe trust center?

Can you remove the 'Request all documents' button from the Resources section of the Trust Center?

  • Yes, you can, using CSS styling.

    That said, customers must be on a paid Trust Center plan to publish custom styling, but free Trust Center users can experiment with it in the Site Designer.

    For this particular request, you can use CSS like the following to remove the 'Request all documents' button:

    /* Hide the 'Request all documents' button */
    button.trust-center-v2-request-all-resources__request-all-button {
      display: none !important;
    }

Does declining requests in the trust center count against the annual limit of requests?

  • No. Declining a request does not count toward your annual limit. However, if you choose to unlock a request, it will use one from your total yearly allotment.

How do I use the Get a Trust Center Request endpoint (GET /trust_center_requests/{id}) in the Secureframe API?

  • Endpoint: GET /trust_center_requests/{id}
    Summary: Get a Trust Center Request
    Description: Returns a single Trust Center Request by ID
    Category: Trust Center Request
    Parameters:
    - id (path, string, required): Scope response to id
    Responses:
    - default: 
    - 404: Resource not found
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

How do I use the List Trust Center Requests endpoint (GET /trust_center_requests) in the Secureframe API?

  • Endpoint: GET /trust_center_requests
    Summary: List Trust Center Requests
    Description: Returns a list of Trust Center Requests
    ### Search parameters

    | Filter | Description |
    | :-- | :-- |
    | `id` | The ID of the Trust Center Request |
    | `created_at` | The date when this Trust Center Request was created |
    | `email` | The email of the requester for this Trust Center Request |
    | `requester_name` | The name of the requester for the Trust Center Request |
    | `reviewed` | True if this Trust Center Request has been reviewed, false otherwise |

    Category: Trust Center Request
    Parameters:
    - include (query, string, optional): Comma delimited string of relationships to include. Available relationships: trust_center_resource_requests
    - page (query, integer, optional): Used for pagination of response data (default: page 1). Specifies the offset of the next block of data to receive.
    - per_page (query, integer, optional): Used for pagination of response data (default: 100 items per response). Specifies the number of results for a given page.
    - q (query, string, optional): Search and filter the Trust Center Request data using Lucene syntax.
    - relationships (query, boolean, optional): Set to true to return the associated relationships data within the response. (default: false)
    Responses:
    - default: 
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization
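
    One way to triage pending access requests with the list endpoint above, as an added example that is not Secureframe's code. It assumes a placeholder host, a caller-supplied `fetch_page` that performs the authenticated GET and returns one page as a list of records, and records keyed by the filter names `id` and `email`; the sample records are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.example.invalid"  # placeholder host, not taken from the page
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative, extend as needed


def list_url(page, per_page=100, q=None):
    """Build a GET /trust_center_requests URL from the documented query parameters."""
    if page < 1 or per_page < 1:
        raise ValueError("page and per_page must be positive")
    params = {"page": page, "per_page": per_page}
    if q:
        params["q"] = q  # Lucene syntax, e.g. reviewed:false
    return BASE_URL + "/trust_center_requests?" + urlencode(params)


def fetch_all(fetch_page, q, per_page=100, max_pages=50):
    """Collect every page; a short page ends the walk (assumed server behaviour)."""
    records = []
    for page in range(1, max_pages + 1):
        batch = fetch_page(list_url(page, per_page, q))
        records.extend(batch)
        if len(batch) < per_page:
            return records
    raise RuntimeError("pagination did not terminate within max_pages")


def needs_manual_review(records, known_domains):
    """Return (id, email, reason) for requesters outside the known customer domains."""
    flagged = []
    for rec in records:
        domain = rec["email"].rsplit("@", 1)[-1].lower()
        if domain not in known_domains:
            reason = "free webmail" if domain in FREE_MAIL else "unknown domain"
            flagged.append((rec["id"], rec["email"], reason))
    return flagged


# Constructed sample records; the field names mirror the page's filter names.
SAMPLE = [
    {"id": "req-1", "email": "ana@customer.example", "reviewed": False},
    {"id": "req-2", "email": "j.doe@gmail.com", "reviewed": False},
    {"id": "req-3", "email": "sam@unknown.example", "reviewed": False},
]


def fake_fetch(url):
    """Stand-in for the authenticated HTTP call: serves SAMPLE one page at a time."""
    qs = parse_qs(urlparse(url).query)
    page, per_page = int(qs["page"][0]), int(qs["per_page"][0])
    return SAMPLE[(page - 1) * per_page:page * per_page]


if __name__ == "__main__":
    pending = fetch_all(fake_fetch, "reviewed:false", per_page=2)
    print(needs_manual_review(pending, {"customer.example"}))
```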

How do I use the Update a Trust Center Request endpoint (PUT /trust_center_requests/{id}) in the Secureframe API?

  • Endpoint: PUT /trust_center_requests/{id}
    Summary: Update a Trust Center Request
    Description: Update a TrustCenterRequest by ID
    Category: Trust Center Request
    Parameters:
    - approve_all_resources (query, boolean, optional): Approve all resources for this trust center request.
    - approved_trust_center_resource_request_ids (query, array, optional): The IDs of the trust center resource requests for approval. Empty array will reject the request
    - custom_response (query, string, optional): Send custom message in email response
    - do_not_send_notification (query, boolean, optional): Set this to true to prevent email notifications from being sent
    - document_security (query, string, optional): The document security level for this trust center request.
    - id (path, string, required): Scope response to id
    - rejected_trust_center_resource_request_ids (query, array, optional): The IDs of the trust center resource requests for rejection.
    - rejection_reasons (query, object, optional): Send custom rejection messages per resource
    Request body (multipart/form-data):
    - file (string): The signed trust center nda agreement pdf file.
    Responses:
    - default: 
    - 404: Resource not found
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

Is a Trust Center required for compliance?

  • No, but it is a useful tool for transparency and trust-building.

One of my vendors flagged our Secureframe Trust Center with an exposed API key, is this okay to be exposed?

  • Yes, it is generally okay to expose the TinyMCE API key in the browser because the key is domain-limited.

    This means that even if someone obtains your API key, they cannot use it from an unregistered domain. The Tiny Cloud service verifies the domain TinyMCE is loading from by checking the Referer header in the network request, ensuring that only requests from your registered domains are accepted.

    This is a common practice for client-side integrations with TinyMCE, including when using premium plugins via the CDN.

One of those third-party security scanning services (Coalition Control) detected a TinyMCE API token in our Trust Center that's managed by Secure Frame. Can you let us know if this is sensitive or not?

  • TinyMCE is a rich text editor used within our platform, and any content entered into it could theoretically be sent through their API.

    After reviewing TinyMCE’s documentation and API security terms, and consulting with our IT, Engineering, and Compliance teams, we confirmed that TinyMCE does not store or access the content passed through the editor.

    There is no indication that any private or sensitive data is exposed or at risk through the use of this token.

How do users access the Trust Center once it's published?

  • Once your Trust Center is published, users (such as customers or prospects) can access it through the custom URL you’ve configured. This URL is typically hosted on your domain (e.g., trust.yourcompany.com) and can be shared via email, linked from your website, or embedded in sales/security review workflows.

    If document access requires approval, users can request access directly from the Trust Center interface, and your team can manage those requests through the platform.

The browser tab for our Trust Center displays our company name in all caps (e.g., "COMPANY NAME | Trust Center"). How do we change the capitalization?

  • The browser tab title pulls directly from your Company Settings. To update the capitalization, simply edit your company name in Company Settings to reflect the casing you prefer, and the Trust Center browser tab will update accordingly.

We are experiencing an issue where a client has requested access to our Trust Center but claim they never received an email with the link once the request was approved. I have attempted to re-approve the request and re-send the confirmation email but the client still states they did not receive anything from "hello@secureframe.com". Could you check the status of the email on your end?

  • If the Trust Center emails are not showing in the primary inbox, they may be in the user's spam folder, or they may have been quarantined on the recipient's side before reaching the user's inbox. Unfortunately, this is not something we can see on our end.

    We can, however, review the email server to confirm whether the email in question was successfully received.

    Alternatively, you can reach out to the user and have them check their other inboxes, or check with their IT team to see why the emails have not been received.

    If you prefer, we are happy to review email servers first.

What does it mean to publish my Trust Center?

  • When you click Publish in the Trust Center, any updates or edits you’ve made will become live and accessible through your Trust Center URL. Publishing is the final step that makes your content visible to others—until then, changes remain in draft mode and can only be seen internally.

    Before publishing, you also have the option to click Preview to see how your Trust Center will look once live, without making the changes public. This allows you to double-check layout, branding, and content accuracy.

What is a Trust Center?

  • A Trust Center is a centralized platform or website providing security, privacy, and compliance information, often used by customers, partners, and stakeholders.

What is Secureframe’s Trust Center?

  • A feature that allows organizations to publicly showcase their compliance status and manage security documentation.

What should I do if I encounter an error while adding a request in the Trust Center?

  • If you encounter an error, here's what you can do:

    • Contact our support team by clicking "Speak to an agent" in the chat or email support@secureframe.com

    • Include helpful details like:
    - Description of the error message
    - What page you were on
    - What action you were taking
    - Screenshots if possible

    For faster troubleshooting, the more details you provide, the better we can help!

What Trust Center Request endpoints are available in the Secureframe API?

  • The Secureframe API provides the following Trust Center Request endpoints:
    This document describes the API for reading and updating Trust Center Requests.
    Note: In order to access this API, you need to have paid features enabled for Trust.

    - GET /trust_center_requests - List Trust Center Requests
    - GET /trust_center_requests/{id} - Get a Trust Center Request
    - PUT /trust_center_requests/{id} - Update a Trust Center Request

When is the custom domain needed in Trust Center DNS settings?

  • The custom domain page is only needed if you want to use your own domain host. However, your Public Trust Center URL will still function even if you have not set up a custom domain.

Additional customer questions

Can I track or access NDAs that are signed outside of Secureframe?

  • The platform does not support tracking NDAs signed outside of the Trust Center document portal. Only NDAs signed through the portal are accessible. You can export a list of NDA acceptances directly from the [Trust Center NDA settings](https://app.secureframe.com/trust-center/settings/nda).

Can I get a breakdown of what’s available in my current tier vs. higher levels?

Yes—reach out to your Account Manager at accountmanagement@secureframe.com for a feature comparison and recommendations.

Do you have any pre-built or template policies for AI, or automated intelligence?

Yes, we currently offer AI policies included with the purchase of the ISO 42001 framework.

Each framework purchase includes all the relevant policies related to that framework to assist customers in satisfying all requirements provided.

ISO/IEC 42001 is a new international standard focused on Artificial Intelligence Management Systems (AIMS). It provides a framework for organizations to responsibly develop, deploy, and manage AI systems.

Purpose: To help organizations ensure that AI systems are safe, transparent, and aligned with ethical and legal expectations.

If you would like to upgrade to this framework, we would be happy to connect you with our Account Management team at accountmanagement@secureframe.com.

Does Secureframe have a data flow diagram that can be shared?

Yes, we can share our data flow diagram with an NDA in place.

How does Secureframe help customers share compliance achievements?

Secureframe provides Audit Reporting, a Trust Center for public compliance sharing, and Security Questionnaires to address customer inquiries efficiently.

Is it possible to create a section for incident-specific information to be posted?

Yes, Secureframe is open to adding a section to the Trust Center for incident-specific information.

What pricing tiers does Secureframe offer?

Secureframe offers two main subscription tiers: Fundamentals and Complete. Learn more at secureframe.com/pricing.

Why does Secureframe provide 5 ISMS policies while our organization maintains 11 (+ SOA)?

Secureframe’s ISMS policies are structured to align with ISO 27001 requirements but are consolidated into fewer documents for simplicity. Some organizations, like yours, choose to break out individual topics (e.g., Risk Management, Communication, or Document Control) into standalone policies, which can result in more total documents.

For example, Secureframe covers risk management, communication, and continual improvement within the ISMS set, but also provides certain elements (like risk treatment or audits) in supporting procedures outside of the “policy” list. Both approaches are valid under ISO 27001 as long as the required content is documented, implemented, and maintained.

You are welcome to continue using your internal set of 11+ policies if that works best for your organization—there’s no conflict, and both formats are audit-acceptable.
