Trust Center API

Host a public-facing compliance trust center for your organization. Show certifications, compliance scores, and controls publicly. Gate sensitive documents behind NDA e-signatures. Includes AI-powered Q&A, embeddable badges, and visitor analytics.

๐ŸŒ Two API Surfaces

Public endpoints (/api/v1/trust/:slug/*) require no authentication โ€” they're your public trust center. Admin endpoints (/api/v1/trust-center/*) require JWT auth for managing configuration, documents, and access requests.

Public Endpoints

GET /api/v1/trust/:slug
Get public trust center data: company info, frameworks, certifications, and overall compliance score. No authentication required.

curl https://api.privabase.com/api/v1/trust/acme-corp

// JavaScript
const res = await fetch('https://api.privabase.com/api/v1/trust/acme-corp');
const trustData = await res.json();

# Python
import requests

resp = requests.get('https://api.privabase.com/api/v1/trust/acme-corp')
trust_data = resp.json()

Response

{
  "company_name": "Acme Corp",
  "logo_url": "https://storage.privabase.com/logos/acme.png",
  "description": "Enterprise security platform",
  "primary_color": "#7c3aed",
  "show_controls": true,
  "show_frameworks": true,
  "show_certifications": true,
  "certifications": [
    { "name": "SOC 2 Type II", "issued_at": "2025-12-01", "expires_at": "2026-12-01" }
  ],
  "frameworks": ["soc2", "iso27001", "gdpr"],
  "overall_score": 94
}
GET /api/v1/trust/:slug/controls
List publicly visible controls with their pass/fail status.
curl https://api.privabase.com/api/v1/trust/acme-corp/controls

Response

[
  { "id": "ctrl-001", "name": "Encryption at Rest", "description": "All data encrypted with AES-256", "status": "passing" },
  { "id": "ctrl-002", "name": "MFA Enforced", "description": "Multi-factor auth for all accounts", "status": "passing" }
]
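
An added example, not part of the Privabase documentation: a third-party-risk check that consumes the two public responses above and flags certifications that are expired or close to expiry, a low overall_score, and any control whose status is not "passing". The second certification, the "failing" status string, and the thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample payloads shaped like the two responses documented above.
TRUST = {
    "company_name": "Acme Corp",
    "show_controls": True,
    "certifications": [
        {"name": "SOC 2 Type II", "issued_at": "2025-12-01", "expires_at": "2026-12-01"},
        {"name": "ISO 27001", "issued_at": "2023-03-01", "expires_at": "2026-03-01"},
    ],
    "overall_score": 94,
}
CONTROLS = [
    {"id": "ctrl-001", "name": "Encryption at Rest", "status": "passing"},
    {"id": "ctrl-002", "name": "MFA Enforced", "status": "failing"},  # assumed value
]

def review_vendor(trust, controls, today, warn_days=60, min_score=80):
    """Return (severity, message) findings for a vendor review on `today`."""
    findings = []
    for cert in trust.get("certifications", []):
        try:
            expires = date.fromisoformat(cert["expires_at"])
        except (KeyError, TypeError, ValueError):
            findings.append(("warn", f"{cert.get('name', '?')}: no valid expires_at"))
            continue
        days_left = (expires - today).days
        if days_left < 0:
            findings.append(("fail", f"{cert['name']}: expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append(("warn", f"{cert['name']}: expires in {days_left} days"))
    score = trust.get("overall_score")
    if not isinstance(score, (int, float)) or score < min_score:
        findings.append(("fail", f"overall_score {score!r} below {min_score}"))
    # A trust center that advertises controls but lists none deserves a question.
    if trust.get("show_controls") and not controls:
        findings.append(("warn", "show_controls is true but no controls were listed"))
    for ctrl in controls:
        if ctrl.get("status") != "passing":
            findings.append(("fail", f"{ctrl.get('id')}: status {ctrl.get('status')!r}"))
    return findings
```
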
GET /api/v1/trust/:slug/documents
List available public documents (names and descriptions only, no file URLs).
POST /api/v1/trust/:slug/request-document
Request access to a specific document. No authentication required.

Request Body

Field         Type     Required  Description
document_id   string   Yes       Document UUID
email         string   Yes       Requester's email
name          string   No        Requester's name
company       string   No        Requester's company
nda_accepted  boolean  No        Whether NDA was accepted

curl -X POST https://api.privabase.com/api/v1/trust/acme-corp/request-document \
  -H "Content-Type: application/json" \
  -d '{
    "document_id": "doc-uuid-123",
    "email": "prospect@company.com",
    "name": "John Doe",
    "company": "Prospect Inc"
  }'
POST /api/v1/trust/:slug/request-access
Request access to NDA-gated documents. Submits a request that the admin can approve or deny.

Request Body

Field    Type    Required  Description
name     string  Yes       Requester's name
email    string  Yes       Requester's email
company  string  No        Company name
reason   string  No        Reason for access

POST /api/v1/trust/:slug/sign-nda
E-sign the NDA to immediately gain access to gated documents.

Request Body

Field              Type    Required  Description
name               string  Yes       Signer's name
email              string  Yes       Signer's email
company            string  No        Signer's company
signature_data     string  Yes       Base64 signature image or typed signature
access_request_id  string  No        Link to a prior access request

curl -X POST https://api.privabase.com/api/v1/trust/acme-corp/sign-nda \
  -H "Content-Type: application/json" \
  -d '{
    "name": "John Doe",
    "email": "john@prospect.com",
    "company": "Prospect Inc",
    "signature_data": "data:image/png;base64,iVBOR..."
  }'

Response 201

{
  "nda_id": "nda-uuid-456",
  "access_granted": true,
  "message": "NDA signed successfully. Access to gated documents granted."
}
GET /api/v1/trust/:slug/nda-template
Get the NDA template text for the organization.
POST /api/v1/trust/:slug/ask
Ask an AI-powered question about the company's security posture. Grounded in actual compliance data.

Request Body

{ "question": "Do you encrypt data at rest?", "email": "prospect@company.com" }

Response

{
  "question": "Do you encrypt data at rest?",
  "answer": "Yes. All data at rest is encrypted using AES-256. This is verified by our SOC 2 Type II audit and continuously monitored through our AWS integration."
}
GET /api/v1/trust/:slug/badge
Get an embeddable compliance badge. Returns SVG by default or JSON (shields.io compatible) with ?format=json.
# SVG badge (embed in HTML)
<img src="https://api.privabase.com/api/v1/trust/acme-corp/badge" alt="Compliance Badge">

# JSON format
curl "https://api.privabase.com/api/v1/trust/acme-corp/badge?format=json"

Admin Endpoints

All admin endpoints require JWT authentication.

GET /api/v1/trust-center/config 🔒
Get trust center configuration for the authenticated account.
curl https://api.privabase.com/api/v1/trust-center/config \
  -H "Authorization: Bearer YOUR_TOKEN"
PUT /api/v1/trust-center/config 🔒
Create or update trust center configuration: branding, visibility settings, custom domain.

Request Body

Field                Type     Description
slug                 string   URL-friendly identifier
company_name         string   Company name
company_logo_url     string   Logo URL
primary_color        string   Brand color (hex)
description          string   Company description
custom_domain        string   Custom domain for trust center
enabled              boolean  Enable/disable the trust center
show_controls        boolean  Show controls publicly
show_frameworks      boolean  Show frameworks publicly
show_certifications  boolean  Show certifications publicly

curl -X PUT https://api.privabase.com/api/v1/trust-center/config \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "slug": "acme-corp",
    "company_name": "Acme Corp",
    "primary_color": "#7c3aed",
    "enabled": true,
    "show_controls": true,
    "show_frameworks": true
  }'
POST /api/v1/trust-center/documents 🔒
Upload a document to the trust center (SOC 2 report, ISO cert, pentest report, etc.).

Request Body

Field         Type     Required  Description
name          string   Yes       Document name
type          string   No        soc2_report, iso_cert, pentest, policy, other
file_url      string   No        File URL
description   string   No        Description
requires_nda  boolean  No        Gate behind NDA

GET /api/v1/trust-center/documents 🔒
List all uploaded documents.
PUT /api/v1/trust-center/documents/:id 🔒
Update document visibility (public, nda-gated, private) and metadata.
DELETE /api/v1/trust-center/documents/:id 🔒
Delete a document from the trust center.
GET /api/v1/trust-center/requests 🔒
List document access requests.
POST /api/v1/trust-center/requests/:id/approve 🔒
Approve a document access request.
POST /api/v1/trust-center/requests/:id/deny 🔒
Deny a document access request.
GET /api/v1/trust-center/access-requests 🔒
List NDA access requests. Filter by ?status=pending|approved|denied.
PUT /api/v1/trust-center/access-requests/:id 🔒
Approve or deny an access request.

Request Body

{ "status": "approved" }
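
An added example, not Privabase's own code: a triage helper for the pending NDA access requests listed above, which auto-approves only exact-match known domains, denies blocked or malformed addresses, leaves everything else for manual review, and builds the documented PUT call. The list-response field names, the "denied" body value (taken from the status filter values), and the domain lists are assumptions.

```python
import json
from urllib.parse import quote
from urllib.request import Request

API = "https://api.privabase.com/api/v1/trust-center"
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed policy list

# Constructed sample of GET /access-requests?status=pending (field names assumed).
PENDING = [
    {"id": "ar-1", "name": "John Doe", "email": "john@prospect.com"},
    {"id": "ar-2", "name": "Sam Roe", "email": "sam@gmail.com"},
    {"id": "ar-3", "name": "Kim Poe", "email": "kim@rival.example"},
    {"id": "ar-4", "name": "No Mail", "email": "not-an-email"},
    {"id": "ar-5", "name": "Eve Moe", "email": "eve@prospect.com.evil.example"},
]

def email_domain(addr):
    """Return the lowercased domain, or None if the address is malformed."""
    if not isinstance(addr, str) or addr.count("@") != 1:
        return None
    local, domain = addr.strip().lower().split("@")
    if not local or "." not in domain.strip("."):
        return None
    return domain

def triage(req, known, blocked):
    """Decide one request; only an exact known-domain match is auto-approved."""
    domain = email_domain(req.get("email"))
    if domain is None or domain in blocked:
        return "denied"
    if domain in known and domain not in FREE_MAIL:
        return "approved"
    return "pending"  # free-mail and unknown domains wait for a human

def plan(pending, known, blocked):
    """Map request id -> decision for a batch of pending requests."""
    return {r["id"]: triage(r, known, blocked) for r in pending}

def decision_request(req_id, status, token):
    """Build the documented PUT; None means leave the request pending."""
    if status not in ("approved", "denied"):
        return None
    return Request(
        f"{API}/access-requests/{quote(str(req_id), safe='')}",  # no path tricks
        data=json.dumps({"status": status}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
```

Pass each non-None result of decision_request to urllib.request.urlopen to apply the decision; ar-5 stays pending because its domain only contains a known domain as a prefix.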
PUT /api/v1/trust-center/controls/:id/visibility 🔒
Toggle whether a specific control is publicly visible on the trust center.

Request Body

{ "is_public": true }
GET /api/v1/trust-center/controls/visibility 🔒
Get all control visibility settings.
GET /api/v1/trust-center/analytics 🔒
Get trust center analytics: visits, questions asked, document requests, and conversion rates.
curl https://api.privabase.com/api/v1/trust-center/analytics \
  -H "Authorization: Bearer YOUR_TOKEN"

Response

{
  "visits_30d": 1240,
  "questions_asked": 87,
  "document_requests": 34,
  "approved_requests": 28,
  "conversion_rate": "82.4%"
}
GET /api/v1/trust-center/access-analytics 🔒
Document access analytics: views, downloads, unique accessors, and recent activity. Filter with ?days=30.