Kardu

Demonstrate your security in real time.

Trust assurance is the capability to measure with confidence that information security, privacy controls, processes, and systems across an organization are effective, predictable, and transparent. Basically, it is knowing and proving that your GRC bases are covered.

Trust Badge

Trust Center and Trust Badge

Your Trust Center is your public security page. The Trust Badge is the widget that you can embed on your website, in your commercial proposals or in your email signature. Together they turn your compliance program into a strong sales argument.

01 Trust Center

It is a page (e.g. trust.kardu.eu/your-company) that shows your live Compliance Score, active frameworks and audited controls. It is what your clients and auditors visit when they want to know if you can protect their data without asking you for a report.

02 Trust Badge

It is the widget derived from your Trust Center. Embed it on your corporate website with one line of code. A compact version also works in commercial proposals and email signatures. It connects live to your Trust Center — always showing the current data.

03 Why use it?

Trust Assurance turns your compliance program into verifiable trust. Your clients, partners and auditors see your security posture in real time. Every score update is reflected automatically, with no manual intervention.

Preview

Verified by Kardu

trust.kardu.eu/tu-empresa

LIVE

Compliance Score: 74

NIS2 · ISO 27001 · ENS · DORA

NIS2: 87%
ISO 27001: 74%
ENS: 61%
DORA: 45%

Compact variant — for email signature

Verified by Kardu

Score: 74 · NIS2 · ISO 27001

Integration snippet

<script src="https://badge.kardu.eu/tu-empresa.js"></script>

Kardu's trust layers

Where your data lives, how we audit our own security, and how we ensure no evidence has been altered. Each layer has a concrete, verifiable function.

eu-central-1

Frankfurt, DE · EEA

Data residency

Frankfurt, Germany. No CLOUD Act exposure.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows the US government to demand data from American companies regardless of where it is hosted. If you use Google Workspace, Microsoft 365 or Salesforce, their US parent entities can be compelled to hand over your data without notifying you.

Sovereignty — important nuance

Full sovereignty would require that no provider in the chain has legal exposure to non-European governments. Kardu uses some tools with US origins; our goal is to be 100% sovereign in the future.

See our sub-processor list and threat model to assess this yourself.

Read the official CLOUD Act text →

Public

Radical transparency

We publish our threat model.

A threat model is a structured analysis of which assets we protect, which threats we consider relevant and which controls we have implemented to mitigate them. Most companies keep it private. We publish ours because asking for your trust without demonstrating it first would be inconsistent with what we are building.

The model covers unauthorized access, data exfiltration, insider threats, supply chain compromise and evidence integrity. It is updated with every relevant architecture change.

View full threat model →

sha256: a3f8c2d1e9b7...

Cryptographic integrity

Every piece of evidence has a proof of existence.

When you upload a document to Kardu as evidence for a control, the system automatically generates a cryptographic hash (SHA-256) and anchors it with a timestamp at the exact moment of upload. This creates a mathematical proof that the document existed on that date and has not been modified since.

For an auditor, this eliminates the possibility of retroactive adjustments. What is there is what was there. No room for undetected modifications.
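
The hash-and-timestamp check described above, as an added example that is not Kardu's code. The page does not say how the anchor is produced, so this sketch assumes the anchoring service seals the digest and timestamp with an HMAC-SHA256 key; the key, function names and sample document are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the anchoring service seals each record with a secret key.
# Constructed demo key; the page does not describe the real anchoring mechanism.
ANCHOR_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(digest: str, uploaded_at: str) -> str:
    # Canonical JSON so the same fields always serialize to the same bytes.
    msg = json.dumps({"sha256": digest, "uploaded_at": uploaded_at},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ANCHOR_KEY, msg, hashlib.sha256).hexdigest()


def anchor_evidence(document: bytes, uploaded_at: str) -> dict:
    """Build the record stored at upload time: digest, timestamp, seal."""
    digest = sha256_hex(document)
    return {"sha256": digest, "uploaded_at": uploaded_at,
            "seal": _seal(digest, uploaded_at)}


def verify_evidence(document: bytes, record: dict) -> str:
    """Return 'ok', 'record-tampered' or 'document-modified'."""
    expected = _seal(record["sha256"], record["uploaded_at"])
    if not hmac.compare_digest(expected, record["seal"]):
        return "record-tampered"    # digest or timestamp was edited after anchoring
    if not hmac.compare_digest(sha256_hex(document), record["sha256"]):
        return "document-modified"  # file no longer matches the anchored digest
    return "ok"


# Constructed sample evidence and upload timestamp.
POLICY_V1 = b"Access control policy v1: MFA required for all admins.\n"
RECORD = anchor_evidence(POLICY_V1, "2024-03-01T09:00:00Z")

if __name__ == "__main__":
    backdated = {**RECORD, "uploaded_at": "2023-01-01T00:00:00Z"}
    print(verify_evidence(POLICY_V1, RECORD))              # untouched evidence
    print(verify_evidence(POLICY_V1 + b"edited", RECORD))  # document changed
    print(verify_evidence(POLICY_V1, backdated))           # timestamp changed
```

The seal is what stops a retroactive adjustment: replacing the document and its stored digest together still fails, because the seal cannot be recomputed without the anchoring key.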

Turn your compliance into a competitive advantage

Companies that demonstrate their security win more contracts.