Glossary. The words we use.
Trust engineering has its own vocabulary. So does our firm. This page exists so nothing on the rest of the site is a black box, and so when you write us, we mean the same things you do.
A
Alfred
The name of our operating model: one shared Slack channel, a Trust Architect on point, a Big 4 senior manager on review, and an AI assistant drafting first passes. Alfred refers to the way the work runs, not a software product.
See: Alfred page · Trust Architect
AIUC-1
An emerging standard for AI risk underwriting, used by insurance carriers and large enterprises to assess AI model deployments. We map your AI stack to AIUC-1 controls when buyers or insurers require it.
See: AIUC-1 framework
B
BACEN 4.658
Resolution 4.658 from Banco Central do Brasil, the cybersecurity policy framework for Brazilian financial institutions. Mandates incident response, third-party risk, and cloud-service rules. We work in BACEN scope as part of our enterprise engagements in Brazil.
C
Continuous monitoring
Automated, ongoing checks that controls are still operating, as opposed to a once-a-year, point-in-time audit check. Vanta and Drata provide the plumbing; we provide the program that uses them. Required for SOC 2 Type II and ISO 27001 surveillance audits.
D
DPO (Data Protection Officer)
A privacy officer required under LGPD and GDPR for organizations processing personal data at scale. We act as outsourced DPO of record (vDPO) for customers who don't want to hire one full-time.
See: Privacy & LGPD
DSAR (Data Subject Access Request)
A request from an individual to see, correct, or delete their personal data. Mandated by LGPD and GDPR with strict response windows. We run the response process so engineering doesn't have to.
F
Foundation
The first stage in our Trust Framework. Compliance leads, security follows. You're getting your first SOC 2 or ISO audit on the books, building the policy stack, getting Vanta operational. Typically pre-seed to Series A.
G
GRC (Governance, Risk, Compliance)
The umbrella discipline covering policy governance, risk management, and regulatory compliance. We use the term sparingly; most of what's called "GRC" we treat as engineering work.
See: AI GRC
I
ISMS (Information Security Management System)
The set of policies, processes, and controls an organization runs to manage information security. ISO 27001 certifies that you have one and operate it. We build them from scratch and we operate them after certification.
ISO 27001
The international standard for information security management. The dominant framework outside North America; required by most enterprise buyers in Europe, Latin America, and Asia. Pairs naturally with SOC 2 for companies selling globally.
See: ISO 27001 framework
ISO 42001
The AI Management System standard, published by ISO in 2023. The first internationally recognized framework for AI governance. Increasingly demanded by enterprise buyers and insurance carriers for AI-heavy products.
See: ISO 42001 framework
L
LGPD (Lei Geral de Proteção de Dados)
Brazil's general data protection law, the local analogue of GDPR. Effective since 2020, enforced by the ANPD. Applies to any company processing the personal data of Brazilian residents, including foreign companies with Brazilian users.
See: LGPD framework · Privacy & LGPD
O
Operate
The second stage in our Trust Framework. Security shifts left, into the SDLC, into vendor management, into the way sales sells. Typically Series B+ companies running an embedded vCISO retainer.
Open Trust Seal
A customer-facing badge and Trust Center we build for Scale-stage customers. Single page that aggregates SOC 2, ISO 27001, sub-processor list, status, and recent attestations. Shortens the sales cycle by giving prospects what they need before they ask.
P
Pentest (Penetration Test)
An authorized simulated attack against your application, network, or cloud, run by professionals to find exploitable weaknesses. Required annually for SOC 2 Type II and ISO 27001. We run them in-house and track findings to closure, not to a PDF.
See: Pentest
S
Scale
The third stage in our Trust Framework. Trust becomes a moat: multi-framework, multi-region, customer-facing. Typically late-stage and enterprise companies running multiple parallel frameworks (SOC 2 + ISO + ISO 42001 + regional regulation).
SOC 2
The dominant US enterprise security framework, governed by the AICPA. Type I attests to control design at a point in time; Type II attests to operating effectiveness over a window (typically 3–12 months). The default ask of any US enterprise buyer.
See: SOC 2 framework
SDLC (Software Development Lifecycle)
How code gets from a developer's laptop to production. Modern security programs require controls embedded in the SDLC: code review, secrets scanning, dependency review, deployment gates. "Shift left" means moving security earlier in this lifecycle.
T
Trust Architect
Our title for the person operating your program day-to-day. Engineer-mindset, audit-trained. Lives in your Slack, owns the roadmap, ships the work. Backed by a Big 4 senior manager on review. Not a project manager; not a contractor.
See: Alfred page
Trust Framework
Our proprietary three-stage maturity model: Foundation, Operate, Scale. Used to map any company's posture and prescribe the next move. Applied across 35+ frameworks, 120+ companies, 3 regions.
See: Trust Framework
Trust Center
A public page where prospects and customers can see your security posture: certifications, sub-processors, incident history, status. Replaces a recurring sales motion of emailing PDFs. We build them in our Open Trust Seal format for Operate and Scale customers.
V
vCISO (Virtual CISO)
A fractional Chief Information Security Officer, a senior security leader on retainer, embedded in your organization. We run vCISO engagements through our Alfred operating model: a Trust Architect on point, a senior reviewer on call, and AI on first drafts.
See: Virtual CISO
Vanta
The leading compliance automation platform, used by 8,000+ companies to monitor controls and prepare for SOC 2, ISO, HIPAA, and GDPR audits. We are a Vanta Premium Partner and the #1 MSP in LATAM.
See: Vanta partner