How to Build a Trust Center with the Orbiq API
A step-by-step guide to building a trust center programmatically using the Orbiq REST API — brand config, documents, certifications, NDAs, and custom domains.
How to Build a Trust Center with the Orbiq API
A trust center is a dedicated, branded portal where your company proactively shares its security posture, compliance certifications, and legal documents with customers, prospects, and partners — and with the Orbiq API, you can build and manage one entirely programmatically.
For B2B software companies, a trust center eliminates the back-and-forth of security questionnaires, reduces deal friction, and demonstrates compliance maturity to enterprise buyers. Building it via API means you can automate document updates, integrate with your CI/CD pipeline, and deploy across multiple tenants in minutes rather than days.
What Is a Trust Center and Why You Need One
A trust center (also called a security portal or compliance portal) is the single source of truth for your company's compliance posture. Rather than emailing SOC 2 reports on request, sharing PDFs through unsecured links, or filling out repetitive vendor security questionnaires, a trust center gives prospects self-serve access to exactly the information they need to approve your vendor onboarding.
Enterprise procurement teams increasingly require a trust center as part of vendor due diligence. Companies with trust centers report 30–40% faster deal closures because security reviews can start before the first sales call — not after the verbal close.
With the Orbiq API, you can build and manage your trust center entirely through code. This guide walks you through every step from initial brand configuration to deploying on a custom domain. For the agentic AI counterpart to this tutorial — where AI agents manage your trust center autonomously — see Agentic AI for Compliance.
Prerequisites
Before you begin, you'll need:
- An Orbiq account (sign up at orbiqhq.com)
- An API key from your Orbiq dashboard
- Basic familiarity with REST APIs and HTTP requests
- Optional: Node.js or Python if you want to follow along with code examples
Set your API key as an environment variable:
export ORBIQ_API_KEY="your_api_key_here"
export ORBIQ_BASE_URL="https://app.orbiqhq.com/api/v1"
All examples in this guide use cURL, but the same API calls work with any HTTP client. Check the full API reference at docs.orbiqhq.com for SDK examples in JavaScript and Python.
Step 1: Configure Your Brand
The first step is setting up your brand identity so your trust center matches your product's visual design. The brand settings endpoint expects your public title plus the core theme fields it uses to render the portal.
Use the PATCH /brand endpoint:
curl -X PATCH "$ORBIQ_BASE_URL/brand" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "Acme Corp Trust Center",
"primary_color": "#0F172A",
"background_color": "#FFFFFF",
"text_color": "#111827",
"font_family": "Inter",
"deployment_domains": "trust.acmecorp.com",
"overview_text": "Acme Corp is committed to security and compliance. Explore our certifications and policies below.",
"footer_text": "© 2026 Acme Corp. All rights reserved."
}'
Then upload your company logo using a multipart form upload:
curl -X PUT "$ORBIQ_BASE_URL/brand/logo" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-F "file=@logo.png"
The brand endpoint lets you customize the trust center title, theme colors, typography, overview copy, and deployment domains. Custom domains (e.g., trust.acmecorp.com) are still finalized through the Orbiq dashboard, where you point DNS to Orbiq's infrastructure for SSL and CDN delivery.
Step 2: Upload Compliance Documents
Compliance documents — SOC 2 reports, penetration test summaries, data processing agreements, security policies — are the core of any trust center. The Orbiq API handles document metadata and file storage separately, giving you control over versioning and access.
Create a document record
curl -X POST "$ORBIQ_BASE_URL/documents" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "SOC 2 Type II Report",
"description": "Annual SOC 2 Type II audit report covering the period Jan–Dec 2025",
"category": "11111111-2222-3333-4444-555555555555",
"access_level": "requires_nda",
"expiry_date": "2026-12-31"
}'
The metadata response includes a documentId plus an uploadUrl. Use the document ID to upload the actual file:
curl -X PUT "$ORBIQ_BASE_URL/documents/{document_id}/file" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-F "file=@soc2-report-2025.pdf"
The access_level field controls access:
"public"— anyone visiting your trust center can download"restricted"— visitors must submit an access request before access is granted"requires_nda"— visitors must sign your NDA before downloading"internal"— visible only to internal users and workflows
This access control model is central to how trust centers work: you share that you have a SOC 2 report (builds trust) while still gating the actual document (protects sensitive information).
Step 3: Add Certifications
Certifications are the badges that show up prominently on your trust center — ISO 27001, SOC 2 Type II, GDPR compliance, HIPAA, and so on. The certifications endpoint creates metadata first; certificate files and badge assets are uploaded separately through their dedicated routes.
curl -X POST "$ORBIQ_BASE_URL/certifications" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "SOC 2 Type II",
"description": "Independent audit covering Acme production systems.",
"issue_date": "2025-03-01",
"expiry_date": "2026-03-01",
"state": "valid",
"featured": true
}'
If you want the certification card to follow a specific design, fetch a template from GET /certifications/templates and pass its UUID in the optional template field. Upload the certificate file and badge after the metadata object exists.
Adding multiple certifications in a script
const certifications = [
{ title: "SOC 2 Type II", description: "Independent controls report" },
{ title: "ISO 27001", description: "Information security certification" },
{ title: "GDPR Readiness", description: "Internal privacy control program" }
];
for (const cert of certifications) {
const response = await fetch(`${ORBIQ_BASE_URL}/certifications`, {
method: "POST",
headers: {
"Authorization": `Bearer ${ORBIQ_API_KEY}`,
"Content-Type": "application/json"
},
body: JSON.stringify({
...cert,
issue_date: "2025-01-01",
validity_months: 12,
state: "valid"
})
});
const data = await response.json();
console.log(`Created certification: ${data.data?.uuid ?? data.uuid}`);
}
Step 4: Set Up Your Knowledge Base
The knowledge base powers Orbiq's AI Ask feature — the conversational interface that lets trust center visitors ask natural language questions like "Are you SOC 2 compliant?" or "Where is my data hosted?" and get instant, accurate answers.
curl -X POST "$ORBIQ_BASE_URL/knowledge-base" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"question": "Where is customer data stored and processed?",
"answer_md": "All customer data is stored on **EU-based infrastructure**. We do not transfer data outside the EU/EEA.",
"answer": "All customer data is stored on EU-based infrastructure.",
"access_level": "public"
}'
Add entries for all common security and compliance questions: data residency, encryption standards, backup procedures, access controls, incident response, and subprocessors. The more comprehensive your knowledge base, the more questions the AI can answer autonomously — reducing the manual burden on your security and sales teams.
Step 5: Configure NDA Templates
Before sharing sensitive compliance documents, you typically require visitors to sign a mutual NDA or a confidentiality agreement. Orbiq's NDA API automates this entire flow.
# Create NDA template
curl -X POST "$ORBIQ_BASE_URL/nda-templates" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"title": "Standard Mutual NDA",
"type": "mutual",
"language": "en",
"validity_in_months": 12,
"content_markdown": "# Mutual NDA\n\nThis Mutual Non-Disclosure Agreement applies before access to restricted compliance materials is granted."
}'
If you need to create a new draft from the current active template, use the versions endpoint:
curl -X POST "$ORBIQ_BASE_URL/nda-templates/{template_id}/versions" \
-H "Authorization: Bearer $ORBIQ_API_KEY"
That endpoint creates a new draft version by cloning the current template state unless you optionally provide a specific source_version_id. Visitors who request access to NDA-gated documents will automatically see the NDA signing flow before they can download. Monitor acceptance status via GET /nda-acceptances.
Step 6: Deploy on Your Custom Domain
Once your trust center is configured, you can deploy it on a custom domain through the Orbiq dashboard. Navigate to your trust center settings, enter your custom domain (e.g., trust.acmecorp.com), and add the CNAME record shown to your DNS provider:
trust.acmecorp.com CNAME tenant.orbiqhq.com
Orbiq automatically provisions SSL certificates, configures CDN delivery, and activates your custom domain within minutes of the DNS change propagating. There is no server infrastructure for you to manage.
For enterprise customers with multiple products or a multi-tenant SaaS, you can deploy separate trust centers for each tenant by creating multiple contacts and configuring distinct custom domains per trust center through the dashboard.
API at a Glance
Here is a summary of the key endpoints used in this tutorial:
| Endpoint | Method | Purpose |
|---|---|---|
/brand | PATCH | Update trust center title, theme, and copy |
/brand/logo | PUT | Upload company logo |
/documents | POST | Create document metadata record |
/documents/{id}/file | PUT | Upload document file |
/certifications | POST | Create certification metadata |
/knowledge-base | POST | Add a Q&A item for the Ask API |
/nda-templates | POST | Create NDA template |
/nda-templates/{id}/versions | POST | Create a new draft NDA version |
/nda-acceptances | GET | List NDA acceptances |
/access-requests | GET | List pending access requests |
The full API reference with request/response schemas is available at docs.orbiqhq.com/docs/api/v1.
Next Steps: Access Request Automation
Once your trust center is live, the real power of the API comes from automation.
Use scheduled jobs to check for new access requests, recent NDA acceptances, or documents that need review. From there you can trigger Slack alerts, create CRM records, or automatically approve requests from trusted domains:
curl -X PATCH "$ORBIQ_BASE_URL/access-requests/{request_id}" \
-H "Authorization: Bearer $ORBIQ_API_KEY" \
-H "Content-Type: application/json" \
-d '{"review_status": "approved"}'
Certification expiry monitoring: Query GET /certifications regularly to detect certifications expiring within 30 days and alert your compliance team before they lapse.
CI/CD integration: Add document upload steps to your deployment pipeline so your trust center always reflects your latest penetration test, audit report, or security policy — automatically, without manual uploads.
For a deeper look at agentic automation patterns — where AI agents manage these workflows autonomously — see Agentic AI for Compliance.
How Orbiq Helps
Orbiq is the API-first trust center platform built for developers. Unlike traditional compliance portals that require manual document uploads through a web interface, Orbiq exposes every trust center capability through a well-documented REST API — brand configuration, document management, certifications, NDA workflows, AI-powered questionnaire responses, and access request automation.
The platform is EU-hosted, GDPR compliant, and designed for white-label deployment. Whether you are a B2B SaaS company building your first trust center, an MSP managing compliance for multiple clients, or a platform offering trust center capabilities as a feature, Orbiq's API gives you the building blocks you need.
Visit the Orbiq Developer Hub to explore the full API and view code samples. The complete API reference is at docs.orbiqhq.com.
FAQ
What is a trust center API?
A trust center API is a programmatic interface that lets developers create, update, and manage a compliance trust center through code rather than a web interface. With a trust center API like Orbiq's, you can automate document uploads, configure branding, manage NDA workflows, and respond to access requests — all through REST endpoints that integrate with your existing developer toolchain.
How long does it take to build a trust center with the Orbiq API?
Using the Orbiq API, you can have a fully configured trust center live on a custom domain in under two hours. The time is primarily spent gathering your compliance documents — SOC 2 reports, certifications, security policies — and uploading them. The actual API calls take minutes, and DNS propagation typically completes within an hour.
Can I white-label a trust center built with the Orbiq API?
Yes. Orbiq supports full white-label deployment through its brand configuration API (PATCH /brand). You can set custom colors, upload your own logo, deploy on your own domain (e.g., trust.yourcompany.com), and remove all Orbiq branding. This is commonly used by MSPs, consultancies, and SaaS platforms that offer trust center features to their own customers.
What authentication does the Orbiq API use?
The Orbiq API supports two authentication methods, both passed as Bearer tokens in the Authorization header. You can generate an API key from your Orbiq dashboard and use it directly as Bearer {api_key}, or you can authenticate with your email and password to receive a JWT token and use it as Bearer {jwt_token}. For more details on authentication, rate limits, and error handling, see the API documentation.
Can I automate access request approvals with the Orbiq API?
Yes. The PATCH /access-requests/{id} endpoint lets you approve or reject access requests programmatically. You can build automation rules — for example, auto-approving requests from verified corporate email domains or companies already in your CRM — and run them from a scheduled worker that checks for new requests.