Integration Guidelines

These articles provide general guidance on integrations.

FAQs: Integrations beyond core apps: sync, connections, and vendor-specific setup

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Connections and setup

A customer wants to re-enable the Google integration but needs assurance it's safe. What do we tell them?

  • Secureframe does not access Gmail, Drive, Calendar, or any user content — those require entirely separate scopes that Secureframe never requests. All integrations requiring more than name and email are whitelisted internally, including Secureframe's own. Customers with VRM access can review Secureframe's vendor documentation directly.

Can we use AI tools (like Claude Code or Gemini) for integration testing with our code base, or do we need a more traditional tool like SonarQube?

  • Yes, you can use AI tools for integration testing as long as you maintain and provide evidence that testing occurs for each relevant change. Auditors will focus on whether testing is consistently performed and documented, not on which tool you use.

Does Secureframe support pulling custom fields from Namely via the integration?

  • No, custom fields from Namely are not supported at this time. The current integration only pulls standard personnel attributes such as first name, last name, job title, manager, department, and start/end dates.

    Namely is connected through a third-party provider, which limits the fields that can be accessed today. As a result, any custom fields configured in Namely cannot be synced into Secureframe. Customers who need to track additional attributes will need to manage those fields manually outside of the integration for now.

Does the JumpCloud integration support both US and EU instances?

  • Currently, the Secureframe JumpCloud integration is limited to the US instance (https://console.jumpcloud.com/api). It does not yet support connections to the EU instance (https://console.eu.jumpcloud.com/api).

    This is planned on our roadmap as a near-future improvement.

How can priorities be configured when using multiple human resource integrations?

  • We don't currently offer this functionality, but we plan to introduce this prioritization behaviour in the future.

How do Secureframe’s integrations improve audit efficiency?

  • The platform provides deep integrations that map directly to audit requirements, minimizing manual follow-ups from auditors and allowing for custom automated testing.

I need help with integration?

  • You're in the right place — and good news: every integration in Secureframe includes step-by-step connection guidance directly in the platform, no need to wait for an agent!

    Here’s how to get started:

    1. Go to the Integrations tab in the platform.
    2. Click on the integration you’re working on (e.g., AWS, Okta, GitHub).
    3. You’ll see:
       - A connection workflow to guide you through setup
       - A “View Details” option showing:
         - Which tests and controls it powers
         - What permissions are needed
         - What data is being pulled

    This is the fastest and most accurate way to complete your setup and understand how the integration supports your compliance program.

    Still stuck? You can always reach out, but we recommend reviewing the in-platform guidance first — it covers most common issues and saves you time.

If a customer transitions to a new company name and Office 365 tenant (with new email addresses), will connecting a new Office 365 integration in Secureframe bring in their users as a brand new set, or will it retain existing user progress?

  • It depends on how the integration change is handled. There are two scenarios:
    Scenario A: Update the existing integration. If the customer updates their current Office 365 integration to reflect the new email addresses (rather than disconnecting it), Secureframe will overwrite the old email with the new one for each existing user during the next sync. User onboarding progress and historical data are retained with no extra steps needed.
    Scenario B: Disconnect and reconnect a new integration. If the customer disconnects the old integration and connects a brand new one pointing to a different Office 365 tenant, users will have both new email addresses and new third-party IDs (since Microsoft treats them as entirely different users). Secureframe has no way to automatically link the new users to the existing ones, so they will appear as a new set of users. In this case, the customer will need to manually merge users to retain historical data and onboarding progress.
    Important note for Scenario B: When archiving the old integration, make sure the customer does NOT check the box to remove users that were pulled in via that integration. Checking that box will delete all their existing user data.

Is there an integration available for Hetzner?

Should I remove the stack from my account if I'm using an old integration?

  • Yes, you should remove the stack if you're no longer using the old integration.

    In Secureframe, a stack typically refers to a set of integration configurations or data pipelines tied to a specific service (e.g., AWS, GitHub). If you’ve upgraded to a newer version of an integration or changed how you're connecting the service, leaving the old stack in place can cause:

    - Duplicate or outdated data showing up in your account
    - Conflicts between the old and new integration behavior
    - Unnecessary test failures or confusing evidence mappings
    - Possible security or compliance noise

    Why remove it?
    Cleaning up unused stacks ensures your environment is running only what’s actively in use and prevents stale data from interfering with tests, evidence collection, or dashboards.

What are Secureframe’s integration capabilities?

  • Secureframe integrates with over 200 tools to automate evidence collection and security compliance checks.

What happens to integrations in a trial account once it is deactivated?

  • When a trial account is deactivated, all connected integrations will be disconnected and will need to be reconnected if the account is reactivated.

What if I don’t see the integration I need in Secureframe?

  • If you can’t find the integration you’re looking for in our list, you have two options:

    1. Request an Integration – Go to the Integrations Page > Native Tab > click + Add native connection > Request integration.
    2. Build a Custom Integration – You can also create a custom integration using our built-in option. This gives you flexibility to connect Secureframe with tools not yet on our standard list. Learn more in our [Custom Integrations Guide](https://support.secureframe.com/hc/en-us/articles/40263351779731-Create-Custom-Integrations).

What information does Secureframe collect from integrations?

  • The specific data collected varies by integration.

    For the most accurate and up-to-date details, click "View Details" on any integration in the Secureframe platform, then navigate to the Permissions and Data tab on the right side of the screen.

    This section outlines required permissions and exactly what data is pulled.

    Examples of data and permissions may include:

    - Read-only or read/write access
    - Authentication scopes (e.g., OAuth tokens, API keys)
    - User data such as email, role, or access status
    - System profiles and configurations
    - Audit logs or activity metadata

    While our Help Center includes examples for common integrations, the in-platform Permissions and Data tab is the most complete and current source.

What is the value of Secureframe’s integrations?

  • Secureframe integrates with 200+ applications, automatically pulling in audit-relevant configurations and reducing manual evidence collection efforts.

Why does Secureframe require write access to Heroku for the integration?

  • Secureframe does not request write access to Heroku. Instead, we request the global scope, which is read-only but more permissive than the default read scopes. This scope is required because the standard read-only scopes (e.g., read, read-protected, identity) do not allow access to key information such as Heroku users within a team or add-ons tied to applications. Secureframe ingests this data to populate the Asset Inventory, Vendor Access, and Personnel pages. The global scope allows us to read this data securely without making any changes to your Heroku environment.

Why does Secureframe's Google integration request the admin.directory.user.security scope — isn't that overly broad?

  • The scope sounds broad but Secureframe only calls one method within it: tokens.list. This surfaces third-party OAuth app connections per user, which is what populates the shadow SaaS and unexpected OAuth grant evidence in your Secureframe account — exactly the class of risk the Vercel incident highlighted.
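
    As an added example (not Secureframe's code), the script below shows the kind of review a tokens.list result supports: it audits constructed tokens.list response bodies and flags grants to unapproved apps or apps holding content scopes. The allowlist, the scope prefixes and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: client IDs the organisation has reviewed and approved.
APPROVED_CLIENT_IDS = {"111.apps.googleusercontent.com"}

# Scope prefixes that grant access to user content (mail, files, calendar).
CONTENT_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
)

# Constructed sample data: one tokens.list response body per user.
SAMPLE = {
    "alice@example.com": {"kind": "admin#directory#tokenList", "items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Approved SSO",
         "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Notes Sync",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ]},
    "bob@example.com": {"kind": "admin#directory#tokenList"},  # no grants, no "items" key
    "carol@example.com": {"kind": "admin#directory#tokenList", "items": [
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Notes Sync",
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
        {"clientId": "333.apps.googleusercontent.com", "displayText": "Quiz Login",
         "scopes": ["openid"]},
    ]},
}


def audit_grants(responses, approved=APPROVED_CLIENT_IDS):
    """Return (findings, users_per_app) for grants that need review."""
    findings, users_per_app = [], defaultdict(set)
    for user in sorted(responses):
        for grant in responses[user].get("items", []):
            client_id = grant.get("clientId", "")
            content = [s for s in grant.get("scopes", [])
                       if s.startswith(CONTENT_SCOPE_PREFIXES)]
            unapproved = client_id not in approved
            if not (unapproved or content):
                continue  # approved app holding identity-only scopes
            severity = "high" if unapproved and content else "review"
            findings.append({"user": user, "app": grant.get("displayText", client_id),
                             "client_id": client_id, "severity": severity,
                             "content_scopes": content})
            users_per_app[client_id].add(user)
    return findings, {cid: len(users) for cid, users in users_per_app.items()}
```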

Why would an integration be disabled?

  • Integrations can become disabled for a few common reasons:

    - The connected application was updated, which disrupted the integration.
    - Authorization tokens expired or were revoked.
    - Permissions were changed on the third-party platform (e.g., user roles or API keys).

    In most cases, you can resolve this by reconnecting the integration in your Secureframe settings. If the issue persists, check the permissions or token validity on the connected platform.

Integrations

Can findings from a past audit be integrated with existing tests in Secureframe?

  • This is not currently available, but it is a feature request we are actively tracking. Please reach out to your CSM or our support team at support@secureframe.com to submit your feedback!

Can the knowledge base be integrated with Confluence?

  • While Secureframe does offer a native Jira integration, it’s specifically designed for managing compliance tasks — not for syncing Knowledge Base content into Confluence.

    However, if you're looking to surface Secureframe Knowledge Base content in Confluence, this may be possible through Secureframe’s [public API](https://developer.secureframe.com/tag/Knowledge-Base-Question/). The API allows you to programmatically pull Knowledge Base questions and answers, which could then be transformed and imported into Confluence using a custom script or third-party automation.

    You can explore the API endpoints for Knowledge Base Questions and Knowledge Base Answers to get started.

How is an avatar picture integrated into Secureframe?

  • Secureframe automatically pulls your profile picture from the business suite your organization has integrated with—such as Microsoft 365 (O365) or Google Workspace. If your organization has connected one of these services, your avatar in Secureframe will reflect the profile picture from your associated account.

We are looking at integrating AWS, but typically integrating with these throws up a bunch of red flags internally with key stakeholders. What should I be aware of?

  • Review the following link for more information on AWS integration: AWS Integration Guide.

What tests should be enabled for a customer if they don't have a CSP integrated?

  • Ensure IT infrastructure tests are enabled, including network security, backup, and network traffic tests/controls.

Sync and data flow

Finch confirms an integration is connected and syncing, but in Secureframe it still shows as “Pending” for an extended period. What should I do?

  • If Finch confirms the integration is connected and syncing but the status in Secureframe remains “Pending,” use the internal integrations management tool (RT) to trigger a manual sync. This often resolves the status mismatch.

    If you run into this situation, reach out to support@secureframe.com for help with the manual sync.

How are system clocks and time synchronized?

  • System clocks and time are synchronized using time-synchronization technology.

Is there a step-by-step guide available for setting up Jamf Pro to Secureframe Sync integration?

  • Yes, all integrations in Secureframe have a step-by-step guide directly in the platform.

    In Secureframe, go to Integrations, click on the Available tab, search for the integration in question, and click Connect.

    Each integration will guide you through the steps.

What can happen when clocks are not properly synchronized?

  • When clocks are not properly synchronized, it can be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of events, which is crucial for forensic analysis following a breach.

Additional customer questions

How to fix sync issues with Mosyle?

  • If your Mosyle integration in Secureframe is failing to sync, showing “failed to connect” errors, or getting stuck in progress, here are some steps you can take before contacting support:

    - Verify your credentials - Make sure the Mosyle credentials you're using are valid and authorized. If you've tried multiple sets, note which ones you've tested.
    - Test the API locally - Run a local test against the Mosyle API (outside of Secureframe) to confirm that API access is working independently.
    - Look at the sync status - Check whether the sync status in Secureframe says "In Progress" or "Failed." This helps pinpoint where it's getting stuck.
    - Note any error messages - Even generic messages like “failed to connect” or “connection type error” can help us troubleshoot. Take a screenshot if possible.
    - Share your sync attempt history - Let us know how many times you’ve tried syncing, whether it has ever successfully completed, and if you’ve opened a ticket before.
