FAQs: Reports and exports: downloads, CSVs, and reporting workflows

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Exports and downloads

Does AWS GuardDuty need to export to an S3 bucket? Or can we skip that step since we don't use an S3 bucket for GuardDuty?

  • You can skip that step but should be prepared to provide manual evidence if necessary.

How can I export integration errors?

  • Currently you cannot export integration errors directly in-app, but we are able to request them via our Engineering team.

    Please email support@secureframe.com or ask to speak with a human who can request that report.

Is it possible to export a list of detected applications from vendors?

  • No, exporting detected applications is not currently supported. However, you can view them directly within the Detected Applications section of each vendor’s profile. As an alternative, we recommend linking detected applications to your existing vendors in the platform for better tracking and management.

    This functionality has been submitted as a feature request. If you’d like your organization added to the request for visibility, please contact your Customer Success Manager (CSM) at success@secureframe.com.

What should I do if the start/end dates are missing from an export?

  • If start or end dates are missing, you can either add them manually by editing the user’s details or upload a CSV import of employee information that includes the missing dates.

Why do I get a "Something went wrong" error when uploading a CSV to the Risks page, even though the preview shows no errors?

  • This error typically occurs when one or more Risk IDs in the CSV match an existing risk in Secureframe, including archived risks. To resolve, check both active and archived risks for any IDs that conflict with entries in your spreadsheet. To remove a duplicate from the archive, click the 3-dot menu next to the archived risk entry and select Delete, then re-upload the CSV. If you're unable to identify the conflicts yourself, contact Secureframe support for assistance.

Reporting

Are there reporting metrics?

  • Reporting and analytics are planned for Q4.

Can a third party validate that a company’s software features (such as AI-generated SEC or regulatory reports) meet customer compliance requirements?

  • There is generally no standard third-party certification that validates whether software can perform specific regulatory reporting functions (such as SEC, FINRA, FDA 21 CFR Part 11, or similar reporting outputs). Frameworks like SOC 2 can provide assurance that the software maintains strong security, availability, and processing integrity controls, but they do not certify that the software correctly generates regulatory reports. Validation of reporting functionality is typically handled through the company’s internal product development, testing, and quality assurance processes rather than external compliance certification.

Does Secureframe cover whistleblowers or confidential reporting?

  • Yes. Secureframe includes Control COM-05: “Confidential reporting channel.” It’s designed to help you demonstrate that internal personnel and external parties can report security or other concerns through a confidential (and, if you choose, anonymous) channel.

    In the app, go to Controls → COM-05 → Testing. You’ll see mapped tests such as:

      • Internal communications channel
      • Website support/reporting page
      • Website security communication channel

    (Enable the ones that match how your org accepts confidential reports.)

How should I approach the Cloud Report?

  • Track and document fixes using your task management tool and in accordance with your change management policy. If a failure occurs in a production environment, review it with the engineering team and reconfigure if needed. If the configuration is intentional, note it for future reference. Templates can be found in our shared folder via Google Drive.

How were compliance reports historically shared?

  • Companies would display a logo on their website and provide certifications ad hoc as needed.

The Fleet dashboard shows a device as offline even though the device is actively reporting and the Fleet osquery service is running. Rebuilding the agent didn't fix it. What's going on?

  • This is a known Fleet bug. The root cause is that the device ends up with two entries in the Fleet server — one showing online with data, and one showing offline with little to no data. The offline "ghost" entry is what the dashboard picks up, making the device appear offline despite it reporting successfully.
    To confirm this is the issue, search for the device in Fleet:
    https://agent.secureframe.com/hosts/manage?query=<HOSTNAME>&page=0&order_key=display_name&order_direction=asc
    If you see duplicate entries (one online, one offline), that confirms the bug. Please create a support ticket so our Engineers can remove the duplicate host entry from the Fleet server.

What are examples of legal requirements for reporting compromises?

  • Legal requirements for reporting compromises include those in most US states, the EU General Data Protection Regulation (GDPR), and the Personal Data Protection Act (Singapore).

What happens after the draft report is approved?

  • A final report or certification is submitted to the customer for signing, marking the completion of the audit.

What is a Cloud Report?

  • The cloud report is a security scan of your cloud environment, showing misconfigurations and security risks. It highlights the status (pass/fail) for cloud resources within scope and can be accessed in the data room. The engineering team should review the report and remediate issues in line with the vulnerability management policy.

What is a Report on Compliance (ROC)?

  • A ROC is the full PCI assessment, which must be performed by a Qualified Security Assessor (QSA). The ROC is the deliverable for a Level 1 audit, which we help prepare for but ultimately do not sign off on or write.

What is the process when we get our Draft report back?

  • Review the draft report for any comments. Add any necessary context or comments. There’s no strict deadline, but it’s ideal to review it soon after receiving it to avoid delays in report delivery.

What is the purpose of Secureframe’s Final Reporting stage?

  • This stage wraps up the audit process, generates compliance reports or certifications, and enables organizations to share compliance proof with stakeholders.

What mechanisms can detect and report on changes to the headers and content of the payment page?

  • Mechanisms that detect and report on changes to the headers and content of the payment page could include Content Security Policy (CSP) violation reporting, external monitoring by systems that request and analyze the received web pages, embedding a tamper-resistant, tamper-detection script in the payment page, and reverse proxies and Content Delivery Networks.
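
    An external-monitoring check of the kind listed above, as an added example that is not Secureframe's code: it reduces a fetched payment page to its watched headers and script inventory, then diffs that against a stored baseline. The header list, the sample responses and all names are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Assumption: the response headers treated as security-impacting for this page.
WATCHED = ("content-security-policy", "strict-transport-security", "x-frame-options")

class ScriptCollector(HTMLParser):
    """Inventory every <script>: external by src+integrity, inline by SHA-256."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = set(), None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.add(f"src={a['src']} integrity={a.get('integrity') or 'none'}")
            else:
                self._inline = []          # start buffering inline script text
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.add("inline sha256=" + hashlib.sha256(body).hexdigest())
            self._inline = None

def snapshot(headers, html):
    """Reduce one fetched response to the parts worth alerting on."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    parser = ScriptCollector()
    parser.feed(html)
    return {"headers": {h: lowered.get(h) for h in WATCHED}, "scripts": parser.scripts}

def diff(baseline, current):
    """Return findings as strings; an empty list means nothing changed."""
    out = [f"header {h}: {baseline['headers'][h]!r} -> {current['headers'][h]!r}"
           for h in WATCHED if baseline["headers"][h] != current["headers"][h]]
    out += [f"script added: {s}" for s in sorted(current["scripts"] - baseline["scripts"])]
    out += [f"script removed: {s}" for s in sorted(baseline["scripts"] - current["scripts"])]
    return out

# Constructed sample responses (not captured from any real site).
PAGE = '<form id="pay"></form><script src="/js/checkout.js" integrity="sha384-PLACEHOLDER"></script><script>initCheckout();</script>'
BASE = snapshot({"Content-Security-Policy": "script-src 'self'"}, PAGE)
NOW = snapshot({"content-security-policy": "script-src 'self' https://cdn.example"},
               PAGE + '<script src="https://cdn.example/extra.js"></script>')
if __name__ == "__main__":
    print("\n".join(diff(BASE, NOW)) or "no change")
```

    Any non-empty result from `diff` is what would be routed to alerting; an intentional change is handled by re-recording the baseline after review.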

What should a client do if old evidence is still in the report from the prior year?

  • They can archive the evidence via the data room.

What should be observed and interviewed to verify that failures of critical security control systems are detected and reported for service providers?

  • Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert.

What should be observed and interviewed to verify that failures of critical security control systems are detected and reported?

  • Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert.

When does the customer receive the draft report?

  • Usually a few weeks after fieldwork, the customer receives a draft report for review to ensure accuracy and completeness.

Where can I find Secureframe's most recent ISO report?

  • You can find Secureframe's most recent ISO report in the Trust Center at https://trust.secureframe.com/. All security and compliance documents, including ISO and SOC 2 reports, are available here. The Trust Center is also available to all customers directly in the Secureframe application.

Why doesn’t Secureframe generate the SAQ report for me?

  • Secureframe can help you meet all the requirements, but the report itself must be filled out and downloaded by the customer.

    The SAQ is a self-attestation form that must be completed and signed by the customer, as it reflects your specific cardholder data environment, practices, and controls. Only you can attest to your compliance status.

Why is it important to detect, report, and respond to failures of critical security control systems promptly?

  • Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise system components and steal account data from the CDE.

Additional customer questions

If an audit isn't required, what “proof” can our customer show their customers to demonstrate they are compliant?

  • In lieu of a third-party audit, they can provide the passing (or all) controls from the Framework or Control reports to demonstrate the controls they have in place.

Is there an option to download the policies?

  • If your auditors or internal teams need copies of your security policies, one of your Secureframe admins can export them directly from the Policies page:

    1. Go to Policies in your admin dashboard.
    2. Select individual policies or use the top checkbox to select all.
    3. From the bottom action bar, click Export as to download.

    This export can then be shared with auditors or other internal teams who request it.
