
Glossary. The words we use.

Trust engineering has its own vocabulary. So does our firm. This page exists so nothing on the rest of the site is a black box, and so when you write us, we mean the same things you do.

A

Alfred

Operating model · Internal name

The name of our operating model: one shared Slack channel, a Trust Architect on point, a Big 4 senior manager on review, and an AI assistant drafting first passes. Alfred refers to the way the work runs, not a software product.

See: Alfred page · Trust Architect

AIUC-1

Framework · AI underwriting

An emerging standard for AI risk underwriting, used by insurance carriers and large enterprises to assess AI model deployments. We map your AI stack to AIUC-1 controls when buyers or insurers require it.

See: AIUC-1 framework

B

BACEN 4.658

Brazilian regulation · Cybersecurity

Resolution 4.658 from Banco Central do Brasil, the cybersecurity policy framework for Brazilian financial institutions. Mandates incident response, third-party risk, and cloud-service rules. We work in BACEN scope as part of our enterprise engagements in Brazil.

C

Continuous monitoring

Practice

Automated, ongoing checks that controls are still operating, rather than a once-a-year, point-in-time audit check. Vanta and Drata provide the plumbing; we provide the program that uses them. Required for SOC 2 Type II and ISO 27001 surveillance audits.

D

DPO (Data Protection Officer)

Role · Privacy

A privacy officer required under LGPD and GDPR for organizations processing personal data at scale. We act as outsourced DPO of record (vDPO) for customers who don't want to hire one full-time.

See: Privacy & LGPD

DSAR (Data Subject Access Request)

Process · Privacy

A request from an individual to see, correct, or delete their personal data. Mandated by LGPD and GDPR with strict response windows. We run the response process so engineering doesn't have to.

F

Foundation

Stage 01 · Trust Framework

The first stage in our Trust Framework. Compliance leads, security follows. You're getting your first SOC 2 or ISO audit on the books, building the policy stack, getting Vanta operational. Typically pre-seed to Series A.

See: How we work · Foundation · Startup stage

G

GRC (Governance, Risk, Compliance)

Discipline

The umbrella discipline covering policy governance, risk management, and regulatory compliance. We use the term sparingly; most of what's called "GRC" we treat as engineering work.

See: AI GRC

I

ISMS (Information Security Management System)

Concept · ISO 27001

The set of policies, processes, and controls an organization runs to manage information security. ISO 27001 certifies that you have one and operate it. We build them from scratch and we operate them after certification.

ISO 27001

Framework · Global

The international standard for information security management. The dominant framework outside North America; required by most enterprise buyers in Europe, Latin America, and Asia. Pairs naturally with SOC 2 for companies selling globally.

See: ISO 27001 framework

ISO 42001

Framework · AI management

The AI Management System standard, published by ISO in 2023. The first internationally recognized framework for AI governance. Increasingly demanded by enterprise buyers and insurance carriers for AI-heavy products.

See: ISO 42001 framework

L

LGPD (Lei Geral de Proteção de Dados)

Brazilian law · Privacy

Brazil's general data protection law, the local analogue of GDPR. Effective since 2020, enforced by the ANPD. Applies to any company processing the personal data of Brazilian residents, including foreign companies with Brazilian users.

See: LGPD framework · Privacy & LGPD

O

Operate

Stage 02 · Trust Framework

The second stage in our Trust Framework. Security shifts left: into the SDLC, into vendor management, into the way sales sells. Typically Series B+ companies running an embedded vCISO retainer.

See: How we work · Operate · Growth stage

Open Trust Seal

Customer-facing artifact

A customer-facing badge and Trust Center we build for Scale-stage customers. A single page that aggregates SOC 2, ISO 27001, the sub-processor list, status, and recent attestations. Shortens the sales cycle by giving prospects what they need before they ask.

P

Pentest (Penetration Test)

Practice · Security

An authorized simulated attack against your application, network, or cloud, run by professionals to find exploitable weaknesses. Required annually for SOC 2 Type II and ISO 27001. We run them in-house and track findings to closure, not to a PDF.

See: Pentest

S

Scale

Stage 03 · Trust Framework

The third stage in our Trust Framework. Trust becomes a moat: multi-framework, multi-region, customer-facing. Typically late-stage and enterprise companies running multiple parallel frameworks (SOC 2 + ISO + ISO 42001 + regional regulation).

See: How we work · Scale · Enterprise stage

SOC 2

Framework · US

The dominant US enterprise security framework, governed by the AICPA. Type I attests to control design at a point in time; Type II attests to operating effectiveness over a window (typically 3–12 months). The default ask of any US enterprise buyer.

See: SOC 2 framework

SDLC (Software Development Lifecycle)

Concept · Engineering

How code gets from a developer's laptop to production. Modern security programs require controls embedded in the SDLC: code review, secrets scanning, dependency review, deployment gates. "Shift left" means moving security earlier in this lifecycle.

T

Trust Architect

Role · Internal title

Our title for the person operating your program day-to-day. Engineer-mindset, audit-trained. Lives in your Slack, owns the roadmap, ships the work. Backed by a Big 4 senior manager on review. Not a project manager; not a contractor.

See: Alfred page

Trust Framework

Methodology · Proprietary

Our proprietary three-stage maturity model: Foundation, Operate, Scale. Used to map any company's posture and prescribe the next move. Applied across 35+ frameworks, 120+ companies, 3 regions.

See: Trust Framework

Trust Center

Customer-facing artifact

A public page where prospects and customers can see your security posture: certifications, sub-processors, incident history, status. Replaces a recurring sales motion of emailing PDFs. We build them in our Open Trust Seal format for Operate and Scale customers.

V

vCISO (Virtual CISO)

Service

A fractional Chief Information Security Officer: a senior security leader on retainer, embedded in your organization. We run vCISO engagements through our Alfred operating model: a Trust Architect on point, a senior reviewer on call, and AI on first drafts.

See: Virtual CISO

Vanta

Tool · Compliance automation

The leading compliance automation platform, used by 8,000+ companies to monitor controls and prepare for SOC 2, ISO, HIPAA, and GDPR audits. We are a Vanta Premium Partner and the #1 MSP in LATAM.

See: Vanta partner
