Trust Center
Controlled external communication, trust materials, and the process for showing posture without oversharing it.
Scope
Trust communication should reflect actual operating posture, not get ahead of it. This guide keeps the customer-facing workflow guidance and excludes private publishing or implementation mechanics.
Workstream: WS-16
Overview
The Trust Center is your organization’s public-facing compliance page. Use it to share certifications, security overviews, and controlled-access documents with prospects, partners, and customers.
Key rule: The trust center never auto-publishes from internal compliance status. Everything that appears publicly is something an operator intentionally added and published.
Building Your Trust Center
Step 1: Create the Trust Center
- Navigate to Settings → Trust Center.
- If no trust center exists yet, a setup form appears.
- Enter a URL Slug (e.g. your-company) — this becomes your public URL: the relevant workflow.
  - Lowercase letters, digits, and hyphens only.
  - Choose carefully; changing the slug after publishing breaks existing links.
- Enter a Title (e.g. “Acme Corp Trust Center”).
- Optionally add a Description.
- Click Create Trust Center.
The trust center is created in draft (unpublished) state. Visitors cannot see it yet.
Step 2: Add Content
Navigate to the Sections tab to add content blocks.
Each section has:
- Title — displayed as a heading on the public page
- Content — Markdown text. The public page renders headings, lists, emphasis, and links from this Markdown. Use it for security overview narrative, subprocessor lists, FAQs, and similar copy.
- Visibility — toggle sections visible/hidden without deleting them
Use the Hide/Show button to control which sections appear on the public page without losing your draft content.
Step 3: Add Certifications
Navigate to the Certifications tab.
Important: Certifications are entered manually. Internal compliance program status does NOT automatically populate this section. Adding a certification here is a deliberate publication decision.
For each certification:
- Framework Name — e.g. “SOC 2 Type II”, “ISO 27001:2022”, “HIPAA”
- Auditor Firm — the audit firm that issued the certification
- Display Badge — whether to show in the badge strip at the top of the public page
Certifications with Display Badge enabled and status: current appear prominently in the header.
Step 4: Add Documents
Navigate to the Documents tab.
For each document:
1. Click + Add Document.
2. Set the title, optional description, document type, and access level.
3. Click Add. The document is registered (the file attachment step is separate).
Access Levels
| Level | Who can download | Process |
|---|---|---|
| Public | Anyone, immediately | None — the public page resolves a download URL and the browser navigates straight to the document content |
| NDA Required | Anyone who accepts the NDA | Submit request form → operator approval |
| Request Only | Anyone approved by an operator | Submit request form → operator approval |
Choose access levels carefully. A SOC 2 Type II full report typically warrants nda_required. A security overview policy might be public.
Step 5: Custom Domain (Optional)
In the Overview tab, enter a Custom Domain (e.g. trust.yourcompany.com).
After saving:
1. Create a CNAME record in your DNS: trust.yourcompany.com CNAME trust.meridian.app
2. SSL is handled automatically.
Step 6: Publish
When you’re ready for the public to see the trust center:
- Click the Publish button in the top-right corner.
- Confirm the prompt.
- The badge changes to Published. The public URL (the relevant workflow) is now live.
Managing Document Access Requests
Navigate to Settings → Trust Center → Document Requests.
Reviewing Pending Requests
Pending requests show:
- Requester name, email, and company
- The document they’re requesting
- Their stated reason
- Whether they accepted the NDA (for nda_required documents)
- Submission date
Approving a Request
- Click Approve on the request.
- Confirm the action.
- The system generates a time-limited download link (valid for 48 hours).
- The requester’s email address is recorded in the audit log.
Denying a Request
- Click Deny on the request.
- Confirm the action.
- The request is marked denied. This is a terminal state — you cannot re-approve a denied request. Create a new approval flow if needed.
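The request lifecycle described in this section, modeled as an added example (not Meridian's code), so the terminal deny state and the 48-hour link expiry can be checked as rules. The AccessRequest record, the request_only spelling, and the check that an nda_required approval needs NDA acceptance are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LINK_TTL = timedelta(hours=48)             # link lifetime stated on this page
GATED = {"nda_required", "request_only"}   # "request_only" spelling is assumed

@dataclass
class AccessRequest:                       # hypothetical record, not the product schema
    email: str
    access_level: str                      # level of the requested document
    nda_accepted: bool = False
    status: str = "pending"                # pending -> approved | denied
    link_expires: Optional[datetime] = None

def approve(req: AccessRequest, now: datetime) -> AccessRequest:
    if req.access_level not in GATED:
        raise ValueError("public documents need no request")
    if req.status != "pending":
        # Denied is terminal and expired links are not re-issued:
        # either way the requester submits a new request.
        raise ValueError(f"cannot approve a {req.status} request")
    if req.access_level == "nda_required" and not req.nda_accepted:
        raise ValueError("NDA not accepted")   # assumed operator-side check
    req.status, req.link_expires = "approved", now + LINK_TTL
    return req

def deny(req: AccessRequest) -> AccessRequest:
    if req.status != "pending":
        raise ValueError(f"cannot deny a {req.status} request")
    req.status = "denied"
    return req

def can_download(access_level: str, req: Optional[AccessRequest], now: datetime) -> bool:
    if access_level == "public":
        return True                        # no request, no approval
    return (req is not None and req.access_level == access_level
            and req.status == "approved" and now < req.link_expires)

def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed timestamps
    ok = approve(AccessRequest("a@example.com", "nda_required", True), t0)
    denied = deny(AccessRequest("b@example.com", "request_only"))
    return {
        "within_48h": can_download("nda_required", ok, t0 + timedelta(hours=47)),
        "after_48h": can_download("nda_required", ok, t0 + timedelta(hours=49)),
        "denied": can_download("request_only", denied, t0),
        "public": can_download("public", None, t0),
    }
```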
Filtering
Use the status filter (Pending / Approved / Denied / All) to find specific requests.
Updating Published Content
Changes to sections, certifications, and documents are saved immediately but do not re-publish or un-publish the trust center. If the trust center is published, visitors see changes in real time after you save.
This means:
- Adding a section while published → visible immediately.
- Hiding a section while published → hidden immediately.
- Changing a document’s access level while published → takes effect immediately.
To stage updates without showing visitors: unpublish first, make changes, then re-publish.
Frequently Asked Questions
A: The trust center must be explicitly published. Click Publish in the Trust Center Builder.
Q: Can I connect the Trust Center to my internal SOC 2 program status?
A: No — this is intentional. The Trust Center certifications are manually managed. An internal program being “green” is not the same as having a certified audit with an auditor firm. You add certifications manually when you have an actual certification to advertise.
Q: A requester’s download link expired. Can I re-issue it?
A: No — re-issuance is not automated. The requester should submit a new access request. Download tokens are valid for 48 hours.
Q: Can I change the slug after publishing?
A: Yes, but this will break any existing bookmarks or links to the old slug. Make sure to update any external references.
Q: How does the custom domain work?
A: Add a CNAME record pointing your domain to trust.meridian.app. SSL is provisioned automatically. Contact support if your SSL certificate is not issuing.
Permissions
All Trust Center admin actions require Meridian.manage permission.
The public trust center page (the relevant workflow) requires no authentication.