Open framework

Your organisation has a Trust Surface.

Every domain, login flow, email, cloud service, and third-party platform sends a signal about whether your organisation can be trusted.

Most organisations don't govern these signals. TrustSurface changes that.

The Trust Signal Gap - the divide between internal security posture and external trust perception.

Security posture protects the organisation.
Trust posture persuades the outside world.

Customers, partners, regulators, and the public experience your organisation through a narrow set of digital systems. When those systems are poorly understood or weakly governed, trust erodes - even when internal security programs are strong.

This is the Trust Signal Gap. TrustSurface is the framework for closing it.

Six domains. One Trust Surface.

TrustSurface organises digital trust into six observable domains - the systems through which trust is actually experienced.

Identity

Authentication, federation, and access signals.

Domains and DNS

Registration, resolution, and infrastructure trust.

Email Integrity

SPF, DKIM, DMARC, and transit encryption.

Digital Services

Websites, portals, and application trust.

Infrastructure and Platforms

Cloud, hosting, and operational resilience.

Third-Party Ecosystem

Vendor, supply chain, and delegated trust.

A repeatable operating rhythm

TrustSurface defines a five-stage lifecycle that turns trust from an abstract concept into a governed practice.

  1. Discover - identify the systems that form your Trust Surface
  2. Assess - observe trust signals and record evidence
  3. Harden - close gaps and strengthen weak signals
  4. Govern - assign ownership, set cadence, integrate with risk
  5. Signal - communicate trust posture to stakeholders

The TrustSurface model - from Trust Surface domains through Trust Signals to governance integration.

What TrustSurface is not

  • Not a replacement for cybersecurity frameworks
  • Not a compliance certification
  • Not a product or vendor tool
  • Not a claim that trust can be reduced to a single score

It is an open framework for making digital trust visible, assessable, and governable over time.