International SaaS Trust Center

Trust signals for buyers, users, and AI crawlers.

This page explains the controls TrueLink can stand behind today, the claims that are still roadmap-only, and the public review gates we use before AI-assisted content or international SaaS changes ship.

AI public outputHuman review required
Security programISO 27001 roadmap
Search readinessStructured metadata
Last updated2026-05-30

Control Summary

These statements are intentionally conservative. Roadmap work is labeled as roadmap, not certification.

Implemented baseline

Security and access control

Firebase-backed authentication, admin-only operational surfaces, role-based workflows, audit-oriented docs, and SSRF guard references are tracked in architecture and security docs.

Implemented baseline

Privacy and user data

Privacy policy, app data safety matrix, subprocessor summary, and deletion/export planning are maintained as public and internal governance references.

Enforced for Blog CMS

AI governance

AI-assisted blog drafts store provenance flags and cannot publish or schedule until human review is marked complete.

Roadmap

Compliance readiness

ISO 27001, ISO 27701, SOC 2, GDPR/DPA, and subprocessors are tracked as readiness work. No issued certification is claimed here.

Statement shipped

Accessibility

New user-facing screens target WCAG 2.2 AA. The public Accessibility Statement records current status, known limits, and feedback channels.

Manual register shipped

Status and incident history

The public Status and Incident History page records the current manual status boundary, incident update rules, and blocked uptime/no-incident claims.

Blocked until evidence

Case studies and metrics

AI must not invent customers, numbers, rankings, certifications, testimonials, legal positions, security guarantees, or case results.

Evidence Map

Use this table to review what exists, where it is documented, and what still needs production evidence.

Area Current status Reference Next proof needed
International SaaS gate PR template and CI require explicit gate language for PRs to dev/main. docs/INTERNATIONAL_SAAS_READINESS_STANDARD.md Keep expanding automated checks beyond PR text.
AI-assisted public content Blog CMS publish and schedule gates block unreviewed AI drafts. docs/AI_GOVERNANCE_AND_DISCLOSURE_STANDARD.md Add model/provider provenance capture where provider metadata is available.
SEO/GEO blog quality Articles must pass the quality gate before publish or search submission. docs/BLOG_SEO_GEO_CONTENT_STANDARD.md Connect performance tracking to GSC query and conversion metrics.
Security certification Readiness and ISMS docs exist; certification is not claimed. docs/SECURITY_AUDIT_AND_ISO_27001_ROADMAP.md External audit scope, auditor, dates, and issued report or certificate.
Data processing and subprocessors Public summary exists with current, conditional, and roadmap provider labels. docs/DATA_PROCESSING_SUBPROCESSORS.md Confirm DPA coverage, data region, retention, and enterprise terms per provider.
Incident history Public manual status and incident history register exists. Uptime and no-incident claims remain blocked until monitored evidence exists. docs/STATUS_INCIDENT_HISTORY.md Connect automated public monitoring, historical incident import, and owner review workflow.
Responsible disclosure and security headers Public security.txt exists and low-risk Firebase Hosting headers are configured. CSP and Permissions-Policy remain blocked pending frontend inventory. docs/SECURITY_HEADERS_AND_SECURITY_TXT.md Capture production headers after deploy and complete CSP/Permissions-Policy compatibility testing.

Responsible Disclosure

Security reports should be specific, safe, and reproducible.

Send security findings to security@truelink-group.com. The public security.txt file lists the canonical disclosure contact and policy URL. Include the affected URL, account context if relevant, steps to reproduce, expected impact, and a safe proof of concept. Do not access unrelated accounts, exfiltrate data, or disrupt availability.

FAQ

Short answers for enterprise reviewers and crawler extraction.

Does TrueLink claim ISO 27001 or SOC 2 certification today?

No. TrueLink documents ISO 27001 and SOC 2 readiness work as a roadmap only. Issued certificates or audit reports must be published before any certification claim is made.

Can AI-generated content publish without review?

No. AI-assisted public content must store provenance metadata and pass human review before publish, schedule, submission, syndication, or customer delivery.

How should security issues be reported?

Send security reports to security@truelink-group.com with affected URL, steps to reproduce, impact, and safe proof of concept details.