This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Operational databases
Does the FTC Safeguards rule require an audit?
It depends on the institution’s size, nature of operations, and specific regulatory requirements. Generally, a comprehensive security program is required, but the need for audits may vary.
How do I scope the FTC Safeguards Rule?
Confirm whether only the Safeguards Rule applies, or whether the FTC Privacy Rule or GLBA also applies. Use a custom framework if needed.
How often are passwords rotated?
Password rotation is done quarterly, with key staff changes also triggering rotation.
How should entities correlate their selected change frequency for application and system passwords/passwords with their selected complexity?
The complexity should be more rigorous when passwords/passphrases are changed infrequently and can be less rigorous when changed more frequently.
In regards to Data Classification, should the footer be visible for all documents?
Ideally, all documents should be labeled and marked confidential, while documents not labeled should remain private and treated as confidential.
We have temporary RDS instances that get recreated regularly. We keep ignoring them but they reappear as failing. Is there a way to permanently exclude them?
Currently, when you ignore a resource in Secureframe, that exclusion is tied to the specific resource ID. When an ephemeral instance is destroyed and recreated, it gets a new ID and a new record, so it starts failing again. There is no built-in way to exclude resources by name pattern or tag today. The current workaround is to mark the new instance out of scope each time it's recreated. We recognize this is not ideal for teams running ephemeral infrastructure — if you'd like to see pattern-based exclusions added as a feature, we'd recommend submitting that as a product feedback request.
What are the elements of configuration standards for NSC rulesets?
Configuration standards for NSC rulesets should be defined, implemented, and maintained.
What are the security requirements in these standards focused on?
The security requirements in these standards are focused on protecting the integrity and confidentiality of payment transactions and account data.
What do configuration standards outline?
Configuration standards outline an entity’s minimum requirements for the configuration of its NSCs.
What does "RDS for customer data" mean?
It typically means that your organization is storing customer data in a relational database hosted on a platform like Amazon RDS (or similar services from Azure or GCP).
What does the implementation of configuration standards result in for NSCs?
The implementation of these configuration standards results in NSCs being configured and managed to properly perform their security function (often referred to as the ruleset).
What should I do if a trust page is not working after updating CNAME records with my domain registrar?
If your Trust Center page isn't loading after updating the CNAME records with your domain registrar, try the following troubleshooting steps:
1. Confirm CNAME setup: Ensure the CNAME record was added correctly and is pointing to the provided secureframe.site value (e.g., yourcompany.secureframe.site). Check for typos or incorrect subdomains.
2. Allow time for DNS propagation: DNS changes can take up to 24–48 hours to fully propagate, depending on your registrar.
3. Check for conflicting DNS records: Make sure there are no conflicting records (like A records or other CNAMEs) for the same subdomain, which can prevent the Trust Center from resolving properly.
4. Verify the Trust Center is published: In the Secureframe platform, double-check that your Trust Center is published and live under Trust Center > Settings.
5. Use a DNS lookup tool: You can verify DNS propagation using public tools like DNSChecker.org to see if the CNAME is resolving globally.
If you've confirmed all the above and the page is still not working after 24 hours, please contact our support team for further assistance.
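Steps 1 and 3 above can be checked from a terminal as well as with a web tool. The following is an added example (not Secureframe tooling): it takes the answer section a DNS lookup prints (the format of `dig +noall +answer`, shown here as constructed sample output, with `trust.example.com` and `example.secureframe.site` as placeholder names) and reports a missing CNAME, a CNAME with a typo in its target, or a conflicting A/AAAA record at the same name.

```python
"""Diagnose a Trust Center custom-domain CNAME from DNS answer lines.

Added example, not Secureframe's own code. Input is text in the shape
`dig +noall +answer <name> ANY` prints; the samples below are constructed.
"""
import re

# Constructed sample answers for a placeholder subdomain and target.
SAMPLE_OK = "trust.example.com.   300  IN  CNAME  example.secureframe.site.\n"
SAMPLE_CONFLICT = (
    "trust.example.com.   300  IN  CNAME  example.secureframe.site.\n"
    "trust.example.com.   300  IN  A      203.0.113.10\n"
)
SAMPLE_TYPO = "trust.example.com.   300  IN  CNAME  exmaple.secureframe.site.\n"
SAMPLE_MISSING = "example.com.         300  IN  A      203.0.113.10\n"

# name  ttl  IN  type  rdata
_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_answers(text):
    """Return (name, type, rdata) tuples; names and targets are lowercased with the trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig prints comments with ';'
            continue
        match = _RECORD.match(line)
        if not match:
            continue
        name, _ttl, rtype, rdata = match.groups()
        records.append((name.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return records


def check_trust_center_dns(answers, subdomain, expected_target):
    """Return a list of problems found for `subdomain`; an empty list means the records look right."""
    subdomain = subdomain.lower().rstrip(".")
    expected_target = expected_target.lower().rstrip(".")
    mine = [r for r in parse_answers(answers) if r[0] == subdomain]
    cnames = [r for r in mine if r[1] == "CNAME"]
    addresses = [r for r in mine if r[1] in ("A", "AAAA")]
    problems = []
    if not cnames:
        problems.append(
            "no CNAME record for %s (not added, wrong subdomain, or still propagating)" % subdomain
        )
    elif len(cnames) > 1:
        problems.append("multiple CNAME records for %s; a name may carry only one" % subdomain)
    elif cnames[0][2] != expected_target:
        problems.append(
            "CNAME points to %s, expected %s (check for typos)" % (cnames[0][2], expected_target)
        )
    for _name, rtype, rdata in addresses:
        # A CNAME must be the only record at its name; an A/AAAA beside it breaks resolution.
        problems.append("conflicting %s record %s at %s" % (rtype, rdata, subdomain))
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("conflict", SAMPLE_CONFLICT),
                          ("typo", SAMPLE_TYPO), ("missing", SAMPLE_MISSING)):
        print(label, check_trust_center_dns(sample, "trust.example.com", "example.secureframe.site"))
```

To use it against a real domain, paste the output of `dig +noall +answer yourtrust.yourdomain.com ANY` in place of the sample and pass your own subdomain and the secureframe.site value from the Trust Center settings. An empty result with the page still not loading usually means propagation or the Trust Center not being published (steps 2 and 4).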
What types of passwords need to be included in a commonly used password list?
The test aims to prevent the use of weak passwords like "password" or "password123." Here are lists of common passwords for reference: Cybernews Most Common Passwords and NordPass Most Common Passwords.
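The check described above is a blocklist comparison, and it is only effective if it also catches the trivial variations of a listed word ("Password123!", "p@ssw0rd"). The following is an added example, not Secureframe's implementation: it loads a password list in the one-entry-per-line form those published lists use (a constructed stand-in list is embedded here), normalizes a candidate by lowercasing, removing appended digits and symbols and undoing a few common letter substitutions, and reports which listed entry it matched.

```python
"""Check a candidate password against a commonly used password list.

Added example, not Secureframe's code. COMMON_LIST_TEXT is a constructed
stand-in for the Cybernews / NordPass lists; load the real file the same way.
"""
import re

# Constructed stand-in for a published common-password list (one per line).
COMMON_LIST_TEXT = """\
# rank order, most common first
password
123456
qwerty
letmein
welcome
admin
iloveyou
"""

_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._-]+$")   # appended digits/symbols
_LEET = str.maketrans("@$03", "asoe")                  # p@ssw0rd -> password


def load_password_list(text):
    """Parse a list file: one entry per line, blank lines and '#' comments ignored, lowercased."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


COMMON_PASSWORDS = load_password_list(COMMON_LIST_TEXT)


def normalize(candidate):
    """Reduce a candidate to the base word a user most likely started from."""
    base = candidate.strip().lower()
    base = _TRAILING_JUNK.sub("", base)   # Password123! -> password
    base = base.translate(_LEET)          # p@ssw0rd    -> password
    return _TRAILING_JUNK.sub("", base)   # strip again in case substitution exposed more


def find_common_match(candidate, blocklist=COMMON_PASSWORDS):
    """Return the blocklist entry the candidate matches (exactly or after normalization), else None."""
    raw = candidate.strip().lower()
    if raw in blocklist:
        return raw
    base = normalize(candidate)
    if base and base in blocklist:
        return base
    return None


def is_common_password(candidate, blocklist=COMMON_PASSWORDS):
    """True when the candidate should be rejected as a commonly used password."""
    return find_common_match(candidate, blocklist) is not None


if __name__ == "__main__":
    for pw in ("password", "Password123!", "p@ssw0rd", "welcome2020", "correct-horse-battery-staple"):
        print("%-30s -> %s" % (pw, find_common_match(pw) or "not on list"))
```

Normalizing both the list and the candidate matters: a list that is loaded case-sensitively, or a check that compares the raw string only, will pass "Password1" even though the test is meant to reject exactly that. Substituting the real list for the constructed one is the only change needed to use this in practice.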
Where can customers learn more about the safeguards they need?
Point them to the International Transfer section of our GDPR Framework in Secureframe, which walks through what's required to remain compliant.
Additional customer questions
How do you separate tenant environments?
We do not segment customer data; we store all sensitive data with encryption enabled in RDS, Redis, Elasticsearch, and S3.
Do you retain a documented record of the processing activities carried out on our behalf or as part of our agreement with you?
Yes, Secureframe maintains internal records of data collection and processing activities related to customer data.
How can I reactivate a deactivated account or reuse the same email address for a new user?
If a user has been deactivated in Secureframe and you're trying to onboard a new user with the same email address, follow these steps:
To reuse an email address tied to a previously deactivated user:
Preserve the previous user record - Update the email on the deactivated account to something else (e.g., append .old or change to a placeholder address). This allows the original record to remain for audit/compliance purposes without conflicting with the new user.
Sync your identity provider (e.g., Google Workspace) - Ensure that your identity provider is updated and syncs the new user's details correctly to Secureframe.
Add the new user - Once the previous email is freed up, you can onboard the new user using the original email address.
Optional - Notify Support if the new user is still appearing under the previous account after syncing. We can unlink the records internally and ensure the new user is correctly registered with a fresh profile.
How does Secureframe simplify risk management?
Secureframe uses Comply AI to identify risks, provides a digital risk register for tracking, links risks to controls, and enables comprehensive risk reporting and dashboards.
I left a Secureframe review on the Capterra website, how do I get my gift card?
If you left a review on Capterra, they will send an email 2 days after the review is published with instructions on how to claim your gift card.
You can also find further instructions at this link on how to redeem your gift card.
https://digitalmarkets.gartner.com/help-center/reviews/how-do-us-reviewers-redeem-their-gift-cards
If you do not receive the email, please contact your CSM at success@secureframe.com.
Thank you so much for leaving a review! We appreciate the feedback.
Are there any other technical documents that can explain/show where our data resides when using these features, and when data leaves Secureframe infrastructure for processing on third-party resources?
No, but all your data stays within Secureframe when using these AI features. We submit the minimal number of API requests to OpenAI required to do a given task. We do not use OpenAI or any other third party for storage; everything is stored within Secureframe's existing database infrastructure.