Scoring Methodology

TrustSignal scores are based entirely on publicly verifiable signals — things any buyer, procurement team, or competitor can independently check about your company. We don't require any internal access or self-reported data.

How Scoring Works

Each scan crawls the target website, checks DNS records, and analyzes page content. Every finding becomes a signal — either a verified positive (something you're doing right) or a gap (something that could be improved).

Signals are weighted by category and severity. Critical security gaps (like no HTTPS) have a larger impact than informational findings (like blog freshness). The final score is a weighted composite of all categories, normalized to 0–100.

Scores are not certifications, audit opinions, or legal determinations. They represent the observable trust posture as seen from the outside.

Grade Scale

A (90–100): Excellent trust readiness. Strong across all categories.
B (75–89): Good trust posture with minor gaps to address.
C (55–74): Average. Several gaps that buyers will notice.
D (35–54): Below average. Significant gaps that will slow deals.
F (0–34): Critical trust gaps. Likely to fail procurement review.

Signal Categories

Security & Headers

Weight: 30%

SSL/TLS configuration, security headers (CSP, HSTS, X-Frame-Options), email authentication (SPF, DMARC), and DNS security.

A: TLS 1.3, strong CSP with nonces, HSTS with preload, SPF+DMARC configured
C: HTTPS present but missing CSP or HSTS, partial email auth
F: No HTTPS, no security headers, no email authentication
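As an added illustration (not TrustSignal's own code), the Python below grades the Security & Headers category against the A/C/F rubric above and combines per-category scores using the weights stated on this page. The header values, TLS version string, SPF/DMARC booleans and the exact thresholds for "strong CSP" and "HSTS with preload" are constructed assumptions.

```python
import re

# Category weights as stated on this page (sum to 1.0).
WEIGHTS = {"security": 0.30, "policy": 0.30, "content": 0.15,
           "infrastructure": 0.15, "third_party": 0.10}
# Grade bands from the Grade Scale above: (lower bound, letter).
GRADE_BANDS = [(90, "A"), (75, "B"), (55, "C"), (35, "D"), (0, "F")]

def grade_security(https, tls_version, headers, spf, dmarc):
    """Map observable signals to the A/C/F rubric for Security & Headers.

    headers: response headers as a dict (names matched case-insensitively).
    spf/dmarc: whether the DNS records were found. The thresholds here are
    an assumed reading of the rubric, not TrustSignal's actual logic.
    """
    h = {k.lower(): v for k, v in headers.items()}
    has_any_header = any(name in h for name in (
        "content-security-policy", "strict-transport-security",
        "x-frame-options", "x-content-type-options"))
    # F: no HTTPS, or no security headers and no email authentication at all.
    if not https or (not has_any_header and not (spf or dmarc)):
        return "F"
    csp = h.get("content-security-policy", "")
    hsts = h.get("strict-transport-security", "").lower()
    # "Strong CSP with nonces": script-src carries a nonce source expression.
    strong_csp = bool(re.search(r"script-src[^;]*'nonce-[^']+'", csp))
    # "HSTS with preload": the preload directive is present.
    hsts_preload = "preload" in hsts
    if tls_version == "TLSv1.3" and strong_csp and hsts_preload and spf and dmarc:
        return "A"
    return "C"  # HTTPS present, but some header or email-auth gap remains

def composite(category_scores):
    """Weighted composite of 0-100 category scores, rounded to an integer."""
    return round(sum(WEIGHTS[c] * category_scores[c] for c in WEIGHTS))

def letter(score):
    """Translate a 0-100 composite score into the Grade Scale letter."""
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"

if __name__ == "__main__":
    # Constructed sample: a well-configured site with nonce-based CSP and preloaded HSTS.
    hdrs = {"Content-Security-Policy": "default-src 'self'; script-src 'nonce-d3adb33f'",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    print(grade_security(True, "TLSv1.3", hdrs, spf=True, dmarc=True))  # A
    scores = {"security": 95, "policy": 80, "content": 60,
              "infrastructure": 70, "third_party": 100}
    print(composite(scores), letter(composite(scores)))  # 82 B
```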

Policy & Documentation

Weight: 30%

Privacy policy completeness and readability, terms of service, refund policy, subprocessor disclosure, and policy update dates.

A: Complete privacy policy with retention, rights, and sharing sections. Clear, readable language.
C: Policies present but missing key sections (retention periods, user rights)
F: No privacy policy or terms of service found

Content & Messaging

Weight: 15%

Pricing transparency, claim consistency across pages, blog freshness, and content accuracy.

A: Clear pricing page, consistent messaging, active blog with recent content
C: Pricing present but vague, some content inconsistencies detected
F: No pricing transparency, contradictory claims, stale content

Infrastructure & Operations

Weight: 15%

Public status page, changelog/release notes, security page depth (SOC 2, ISO 27001 references), and operational transparency.

A: Status page, changelog, security page mentioning SOC 2/ISO 27001, bug bounty program
C: Security page present but light on details, no status page
F: No security page, no status page, no operational transparency

Third-Party & Trackers

Weight: 10%

Third-party script inventory, cookie consent mechanisms, tracker categories (analytics vs advertising), and script count.

A: Minimal tracking, cookie consent present, only functional third-party scripts
C: Multiple trackers with cookie consent, mix of analytics and advertising
F: Many advertising trackers with no cookie consent mechanism

Specific Signals Checked

SSL/TLS certificate & configuration
TLS version & protocol analysis
Certificate expiry & issuer details
EV / Wildcard certificate detection
Content-Security-Policy (CSP) depth
Strict-Transport-Security (HSTS)
X-Frame-Options & X-Content-Type-Options
Referrer-Policy header
Permissions-Policy header
Subresource Integrity (SRI)
SPF email authentication
DMARC email authentication
DKIM email signing
DNSSEC validation
CAA DNS records
Cookie attributes (Secure, HttpOnly, SameSite)
Cookie consent mechanism
Cookie lifetime analysis
Privacy policy presence & completeness
Privacy policy readability (Flesch)
Terms of Service key clause detection
Refund/cancellation policy
Data retention disclosures
User rights section (GDPR)
Subprocessor disclosure
AI/ML usage disclosure
Security page depth (SOC 2, ISO, pentest)
Public status page
Public changelog / release notes
Blog content freshness
Third-party script risk assessment
Third-party script inventory
Pricing page transparency
Content consistency
Marketing claim verification
Broken link detection

Our Commitment to Transparency

TrustSignal scores are deterministic — the same inputs always produce the same score. We don't use opaque ML models for scoring. Every signal comes with evidence and a clear explanation.

We welcome feedback on our methodology. If you believe a signal is being incorrectly weighted or detected, please contact us at support@trustsignal.tech.