Methodology

The value of this site is that you can trust what's on it. Here is exactly how data gets here.

Sources

Every fact comes from one of these places, and each fact links to its source:

Vendor-published documentation — trust centers, security pages, subprocessor lists, DPAs, and compliance pages the vendor publishes for customers to read.

Public registries — the FedRAMP Marketplace and the Cloud Security Alliance STAR registry, both published specifically for buyer due diligence.

Public regulatory records — state attorney general breach-notification databases and SEC filings, which are public disclosures required by law.

We never scan, probe, test, or access anything non-public. If a vendor gates their trust center behind an email wall, we record that it exists and where — we don't go behind the gate.

Verification states

VerifiedWe confirmed the claim against the vendor's published documentation and link to it. Re-checked on a schedule.
Reported · pending verificationThe vendor publicly claims this, but our source-by-source confirmation hasn't completed. Treat as unconfirmed.
No public evidence foundWe looked and found nothing published. This is not a statement that the vendor lacks the certification — some only disclose under NDA.

What we deliberately don't do

We don't grade, score, or rank vendor security. We don't publish vulnerabilities, misconfigurations, or anything a vendor hasn't chosen to disclose. We record published facts with dates and sources, and we keep the history when vendors overwrite their own pages.

Corrections

Any vendor (or anyone else) can request a correction: [email protected]. A human reviews every request within 48 hours. Corrections are free and always will be — accuracy is the product, so we don't charge to fix facts.

Freshness

Every vendor page shows a “last checked” date. Changes we detect are logged in the per-vendor change history and the global changelog.