Index: Trust Center Badges
Overview
Use Trust Center badges to highlight your organization's security posture and industry-standard recognitions. Important things to note:
- We (UpGuard) provide badge options, not verification: UpGuard does not independently verify or audit the requirements implied by the badges. Adding a badge to your Trust Center constitutes a self-attestation that your organization currently meets the criteria set by the issuing body.
- Documentation goes a long way: we strongly recommend uploading supporting documentation for each badge (e.g., official certificates, recent audit reports, or formal letters of compliance). A badge is easy to scan at a glance; the attached document is what substantiates the claim behind it.
Badge index
| Badge | Full name | Context |
|---|---|---|
| CCPA | California Consumer Privacy Act | A California state privacy law granting consumers rights over their personal data collected by businesses. |
| CIS7.1 | CIS Controls Version 7.1 | A set of 20 prioritised cybersecurity best practices published by the Center for Internet Security, version 7.1. |
| CIS8.1 | CIS Controls Version 8.1 | The updated and current version of the CIS Controls framework, streamlining controls into 18 categories aligned to modern IT environments. |
| CMMC Level 1 | Cybersecurity Maturity Model Certification – Level 1 | A US Department of Defense (DoD) certification framework for defence contractors. Level 1 (Foundational) covers the 15 basic safeguarding requirements of FAR 52.204-21, focused on protecting Federal Contract Information (FCI), and is verified by annual self-assessment. |
| CMMC Level 2 | Cybersecurity Maturity Model Certification – Level 2 | Covers 110 practices aligned to NIST SP 800-171, focused on protecting Controlled Unclassified Information (CUI). |
| CMMC Level 3 | Cybersecurity Maturity Model Certification – Level 3 | The highest CMMC tier (Expert): all 110 Level 2 requirements plus 24 additional requirements selected from NIST SP 800-172, assessed by the DoD rather than a third-party assessor, to address advanced persistent threats. |
| CPS 230 | APRA Prudential Standard CPS 230 | An Australian Prudential Regulation Authority (APRA) standard focused on operational risk management and resilience for APRA-regulated entities. |
| CPS 234 | APRA Prudential Standard CPS 234 | An APRA standard requiring regulated entities to maintain information security capabilities commensurate with their cyber threats and vulnerabilities. |
| CSA STAR Level 1 | Cloud Security Alliance – Security, Trust, Assurance and Risk Level 1 | A self-assessment where cloud service providers document their security controls using the CSA Cloud Controls Matrix (CCM) or CAIQ questionnaire, published on the public STAR registry. |
| CSA STAR Level 2 | Cloud Security Alliance – Security, Trust, Assurance and Risk Level 2 | A rigorous third-party independent assessment of a cloud provider's security, combining ISO 27001 or SOC 2 criteria with the CSA Cloud Controls Matrix. |
| CSA TCP | Cloud Security Alliance – Trusted Cloud Provider | A trustmark awarded to cloud providers that hold a current STAR registry entry, have staff certified in CCSK, are CSA corporate members, and volunteer at least 20 hours annually to CSA activities. |
| CREST | CREST (Council of Registered Ethical Security Testers) | An international not-for-profit accreditation body for organizations and individuals providing technical cybersecurity services, particularly penetration testing and threat intelligence. |
| DORA | EU Digital Operational Resilience Act | An EU regulation requiring financial entities and their critical ICT third-party providers to establish robust frameworks for managing digital operational risk and resilience. |
| DPDP | India Digital Personal Data Protection Act | India's first cross-sectoral digital personal data protection law (enacted 2023, rules notified 2025), governing how organizations collect, process and store personal data of individuals in India. |
| DPF | EU-US Data Privacy Framework | A data transfer framework replacing Privacy Shield, enabling lawful transfer of personal data from the EU to certified US organisations that commit to equivalent data protection standards. |
| Essential Eight | Australian Cyber Security Centre Essential Eight | A set of eight baseline cybersecurity mitigation strategies published by the Australian Cyber Security Centre (ACSC). Implementation is rated against the Essential Eight Maturity Model, from Maturity Level 0 (not implemented) through Maturity Level 3. |
| EU Cloud CoC | EU Cloud Code of Conduct | An EDPB-endorsed, legally operational transnational code of conduct providing cloud service providers with a structured way to demonstrate compliance with GDPR Article 28 data processing obligations. Monitored annually by SCOPE Europe. |
| FedRAMP | Federal Risk and Authorization Management Program | A US government programme providing a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services used by federal agencies. |
| GDPR | General Data Protection Regulation | The EU's comprehensive data protection regulation governing the collection, processing and storage of personal data of individuals in the EU/EEA, with broad extra-territorial reach over organizations outside the EU that offer goods or services to, or monitor, those individuals. |
| HECVAT | Higher Education Community Vendor Assessment Toolkit | A standardised security questionnaire toolkit developed by EDUCAUSE, Internet2, and REN-ISAC to help higher education institutions assess vendor cybersecurity and privacy practices. |
| HIPAA | Health Insurance Portability and Accountability Act | A US federal law establishing national standards for protecting sensitive patient health information (PHI) from being disclosed without patient consent or knowledge. |
| HITRUST e1 | HITRUST e1 Certification | The entry-level HITRUST certification, covering a focused set of 44 essential cybersecurity controls. It provides a cost-effective starting point for organisations new to HITRUST. |
| HITRUST r2 | HITRUST r2 Certification | The comprehensive and most rigorous HITRUST certification, encompassing over 200 controls tailored to an organisation's risk profile, regulatory environment and size. |
| ISO 22301 | ISO 22301 – Business Continuity Management | An international standard specifying requirements for a Business Continuity Management System (BCMS) to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents. |
| ISO 27001 | ISO/IEC 27001 – Information Security Management | The leading international standard for Information Security Management Systems (ISMS), providing a framework to manage the security of assets including financial information, intellectual property, and employee data. |
| ISO 27001:2013 | ISO/IEC 27001:2013 | The 2013 version of the ISO 27001 standard. Organizations certified to this version have until 31 October 2025 to transition to ISO/IEC 27001:2022, after which 2013 certificates are no longer valid. |
| ISO 27001 SoA | ISO 27001 Statement of Applicability | A mandatory document within an ISO 27001 ISMS that lists all Annex A controls, whether each is applicable or excluded, and the justification for those decisions. |
| ISO 27017 | ISO/IEC 27017 – Cloud Security Controls | A code of practice providing guidelines and additional security controls for cloud service providers and cloud customers, building on ISO 27001. |
| ISO 27018 | ISO/IEC 27018 – Protection of PII in the Cloud | A code of practice focused on protection of personally identifiable information (PII) in public cloud environments, establishing controls for cloud processors handling PII. |
| ISO 27701:2019 | ISO/IEC 27701:2019 – Privacy Information Management | An extension to ISO 27001 and 27002 that specifies requirements for a Privacy Information Management System (PIMS) to support compliance with GDPR and other privacy regulations. |
| ISO 42001 | ISO/IEC 42001 – AI Management System | The first international standard for Artificial Intelligence Management Systems (AIMS), providing a framework for responsible development, deployment and use of AI. |
| ISO 9001 | ISO 9001 – Quality Management System | The world's most widely recognized quality management standard, specifying requirements for a Quality Management System (QMS) demonstrating ability to consistently provide products and services that meet customer and regulatory requirements. |
| NIS2 | EU Network and Information Security Directive 2 | An EU directive updating the original NIS Directive, significantly expanding the scope of organizations required to implement cybersecurity risk management measures and incident reporting obligations across critical sectors. |
| NIST CSF v2.0 | NIST Cybersecurity Framework Version 2.0 | The updated version (2024) of the US National Institute of Standards and Technology Cybersecurity Framework, introducing a new "Govern" function and broadening applicability beyond critical infrastructure to organizations of all sizes. |
| NIST SP 800-53 | NIST Special Publication 800-53 | A comprehensive catalogue of security and privacy controls for federal information systems and organizations, widely used as a baseline for US government and government-adjacent security programmes. |
| PCI DSS | Payment Card Industry Data Security Standard | A global security standard established by the PCI Security Standards Council requiring organizations that handle cardholder data to maintain a secure environment across 12 core requirements. |
| PIPEDA | Personal Information Protection and Electronic Documents Act | Canada's federal private-sector privacy law governing how organizations collect, use and disclose personal information in the course of commercial activities. |
| SIG | Standardized Information Gathering Questionnaire | A comprehensive third-party risk assessment questionnaire developed by Shared Assessments, covering 19 domains of cybersecurity, IT risk, and privacy controls used to evaluate vendor security posture. |
| SOC 1 | System and Organization Controls 1 | An AICPA audit report assessing the internal controls at a service organization relevant to user entities' financial reporting, issued under SSAE 18. |
| SOC 2 | System and Organization Controls 2 | An AICPA audit report assessing controls relevant to security, availability, processing integrity, confidentiality, and/or privacy at a service organization, based on the Trust Services Criteria. Security is the only criterion that must always be in scope. |
| SOC 2 Type II | System and Organization Controls 2 – Type II | A SOC 2 report that tests the operating effectiveness of controls over a defined period (commonly 6–12 months), providing stronger assurance than a Type I report, which covers design at a single point in time. |
| SOC 3 | System and Organization Controls 3 | A publicly shareable summary report of a SOC 2 audit, produced under the AICPA Trust Services Criteria. It states the auditor's opinion that the service organization meets the Trust Services Criteria but omits the detailed control descriptions and test results included in a SOC 2 report. |
| TISAX Level 1 | Trusted Information Security Assessment Exchange – Level 1 | A vehicle-industry-specific information security assessment and exchange mechanism developed by the ENX Association and VDA, based on ISA (Information Security Assessment). Level 1 covers normal protection needs with self-assessment. |
| TISAX Level 2 | Trusted Information Security Assessment Exchange – Level 2 | TISAX Level 2 covers high protection needs (e.g. handling confidential vehicle data) and requires an assessment by an ENX-approved audit provider. |
| TISAX Level 3 | Trusted Information Security Assessment Exchange – Level 3 | TISAX Level 3 covers very high protection needs, including prototype vehicles and parts, requiring the most rigorous third-party assessment under the ENX framework. |
| UK Cyber Essentials | UK Cyber Essentials | A UK government-backed cybersecurity certification scheme helping organizations protect against common cyber threats by demonstrating implementation of five basic security controls. Available at Cyber Essentials (self-assessment) and Cyber Essentials Plus (technical audit) levels. |
| URAC | URAC (formerly Utilization Review Accreditation Commission) | A US non-profit accreditation organization that promotes healthcare quality through independent accreditation programmes covering specialty pharmacy, health plans, digital health, case management, and more. |
| VAPT | Vulnerability Assessment and Penetration Testing | A security testing methodology combining vulnerability scanning (identifying known weaknesses) with penetration testing (actively attempting to exploit vulnerabilities) to provide a comprehensive view of an organization's security posture. |
| VPAT | Voluntary Product Accessibility Template | A document published by a technology vendor detailing how their product conforms to accessibility standards (typically Section 508 of the US Rehabilitation Act and/or WCAG), helping buyers assess suitability for users with disabilities. |