Trust Center Settings
Configure the Trust Center module for your organization. Manage assessment schedules, notification preferences, data retention policies, automation settings, and integrations with external GRC tools and ticketing systems used in your MSP operations.
Note: Trust Center Settings controls the global behavior of all Trust Center features including compliance assessments, drift detection, evidence collection, alerting, and reporting. Settings are applied at the MSP organization level with per-tenant overrides available for specific configurations.
Settings Overview
| Metric | Value |
|---|---|
| Configuration Sections | 6 |
| Active Integrations | 3 |
| Scheduled Tasks | 8 |
| Tenants Enrolled | 24 |
Assessment Schedules and Automation
| Setting | Default | Options | Description |
|---|---|---|---|
| Scan Frequency | Weekly | Daily, Weekly, Bi-weekly, Monthly | How often full compliance assessments run |
| Scan Day | Sunday | Any day of the week | Preferred day for scheduled scans |
| Scan Time Window | 02:00 - 06:00 UTC | Any 4-hour window | Time window for running assessments |
| Drift Check Interval | 4 hours | 1h, 2h, 4h, 6h, 12h, 24h | How often drift detection checks run |
| Auto-Remediation | Disabled | Disabled, Critical only, All drift | Automatically revert drift to baseline |
| Evidence Collection | Enabled | Enabled, Disabled | Automatically collect evidence on scan completion |
| Concurrent Tenant Scans | 5 | 1-20 | Maximum tenants scanned in parallel |
Notification Preferences
- Email Notifications — Configure email notification recipients for compliance alerts, assessment completions, and report delivery. Set up per-severity routing so critical alerts go to on-call technicians while informational notifications go to a shared inbox. Configurable per severity level, tenant group, and framework. Options: Individual emails, distribution lists, digest mode.
- Microsoft Teams Notifications — Post compliance notifications to Microsoft Teams channels. Use Adaptive Cards for rich formatting with actionable buttons. Configure separate channels for different severity levels or tenant groups. Requires Teams incoming webhook or Bot registration.
- Webhook Endpoints — Send JSON-formatted notifications to external systems via webhooks. Configure multiple endpoints with payload customization. Supports HMAC signature verification for secure delivery and retry logic for failed deliveries. Supports Slack, PagerDuty, ServiceNow, and custom HTTP endpoints.
- Notification Rules — Create granular notification rules that combine event type, severity, tenant scope, and framework to route notifications to the right people through the right channel. Support for escalation chains and reminder schedules.
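A receiver-side check for the HMAC-signed webhook deliveries and retries described above, added here as an illustration and not taken from the product's own code. The header names, the `sha256=` prefix, the signed string layout and the five-minute window are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import time

# Hypothetical header names and signing scheme; the page does not specify them.
SIG_HEADER = "X-Signature"        # "sha256=<hex HMAC>"
TS_HEADER = "X-Timestamp"         # Unix seconds, covered by the HMAC
ID_HEADER = "X-Delivery-Id"       # stable across retries of one notification
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp cannot be swapped."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_delivery(secret, headers, body, seen_ids, now=None):
    """Return 'accept', 'duplicate' or 'reject:<reason>' for one webhook delivery."""
    now = time.time() if now is None else now
    sig, ts, delivery_id = (headers.get(h) for h in (SIG_HEADER, TS_HEADER, ID_HEADER))
    if not sig or not ts or not delivery_id:
        return "reject:missing-header"
    if not ts.isdecimal() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return "reject:stale-timestamp"
    # Verify against the raw bytes received, before any JSON parsing.
    expected = compute_signature(secret, ts, body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "reject:bad-signature"
    # Retries of a failed delivery reuse the id; acknowledge but do not reprocess.
    if delivery_id in seen_ids:
        return "duplicate"
    seen_ids.add(delivery_id)
    return "accept"


# Constructed sample delivery (not real product output).
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"drift.detected","severity":"critical","tenant":"contoso-example"}'
NOW = 1_700_000_000
HEADERS = {TS_HEADER: str(NOW), ID_HEADER: "d-0001"}
HEADERS[SIG_HEADER] = compute_signature(SECRET, HEADERS[TS_HEADER], BODY)

if __name__ == "__main__":
    seen = set()
    print(verify_delivery(SECRET, HEADERS, BODY, seen, now=NOW))          # first delivery
    print(verify_delivery(SECRET, HEADERS, BODY, seen, now=NOW))          # retry of same id
    print(verify_delivery(SECRET, HEADERS, BODY + b" ", set(), now=NOW))  # tampered body
    print(verify_delivery(SECRET, HEADERS, BODY, set(), now=NOW + 3600))  # replayed later
```

In a real receiver the set of seen delivery ids would live in a shared store with an expiry at least as long as the sender's retry window.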
Data Retention Settings
| Data Type | Default Retention | Minimum | Maximum | Notes |
|---|---|---|---|---|
| Assessment Results | 24 months | 6 months | 84 months | Required for trend analysis |
| Evidence Items | 13 months | 3 months | 84 months | Align with audit cycle + overlap |
| Drift Events | 12 months | 3 months | 60 months | Used for recurring drift analysis |
| Remediation History | 24 months | 6 months | 84 months | Includes rollback snapshots |
| Alert History | 12 months | 1 month | 60 months | Resolved alerts archive |
| Audit Reports | 84 months | 12 months | Unlimited | 7-year default for regulatory compliance |
| Risk Register | Permanent | 12 months | Unlimited | Active risks are never auto-deleted |
Warning: Apply legal hold to prevent automatic deletion of compliance data during active audit engagements or legal proceedings. Legal hold overrides retention policies and preserves all data types until the hold is released by an administrator.
Integration Settings
GRC Tool Integrations
Connect Trust Center with external Governance, Risk, and Compliance platforms to synchronize assessment results, control status, and evidence.
| Integration | Sync Type | Data Shared |
|---|---|---|
| Vanta | API push | Control status, evidence artifacts |
| Drata | API push | Assessment results, evidence |
| OneTrust | CSV export | Risk register, control mapping |
| Custom API | Webhook / REST | Configurable per endpoint |
Ticketing System Integrations
Automatically create tickets in your PSA or ticketing system when compliance alerts are generated or remediation actions are needed. Sync ticket status back to Trust Center for unified tracking.
| System | Features | Sync Direction |
|---|---|---|
| ConnectWise Manage | Auto-create tickets, sync status, map boards | Bidirectional |
| Datto Autotask | Auto-create tickets, sync status, map queues | Bidirectional |
| HaloPSA | Auto-create tickets, sync status | Bidirectional |
| ServiceNow | Incident creation, CMDB sync | Push only |
| Jira | Issue creation, status sync | Bidirectional |
Tenant Enrollment
- Enroll Tenants — Select which managed Microsoft 365 tenants are enrolled in Trust Center. Enrollment enables compliance scanning, drift detection, and evidence collection. Requires the OpsPilot365 service principal to have the necessary Graph API permissions on the target tenant.
- Framework Assignment — Assign one or more compliance frameworks to each enrolled tenant. Framework assignments determine which controls are evaluated during assessments. Frameworks can be assigned individually or via tenant groups for bulk management.
- Tenant Groups — Organize enrolled tenants into groups based on industry, compliance requirements, or client tier. Apply framework assignments, scan schedules, and notification rules at the group level for efficient management of large tenant portfolios.
- Per-Tenant Overrides — Override global settings for specific tenants. Customize scan frequency, drift check intervals, notification routing, and retention periods on a per-tenant basis when a client’s requirements differ from the default configuration.
Best Practices
- Run compliance scans during off-hours to minimize API throttling impact on tenant operations
- Set drift check intervals to 4 hours for production tenants to catch changes promptly
- Configure ticketing integrations early to ensure all compliance alerts create trackable work items
- Align data retention settings with the longest applicable regulatory requirement across your client base
- Use tenant groups to standardize framework assignments by industry (e.g., healthcare clients get HIPAA)
- Enable email digest mode for low-severity notifications to reduce inbox noise for technicians
- Test webhook integrations with a staging endpoint before connecting to production PSA systems
- Review and update integration credentials quarterly to prevent authentication failures
- Apply legal hold before any audit engagement to prevent accidental data deletion
API Reference
- GET /api/addons/trust-center/settings — Retrieve all Trust Center settings for the organization
- PUT /api/addons/trust-center/settings — Update Trust Center settings (assessment schedule, automation, retention)
- GET /api/addons/trust-center/settings/notifications — Get notification rules and channel configurations
- PUT /api/addons/trust-center/settings/notifications — Update notification preferences and routing rules
- GET /api/addons/trust-center/settings/integrations — List configured integrations with connection status
- POST /api/addons/trust-center/settings/integrations — Configure a new integration with a GRC tool or ticketing system
- POST /api/addons/trust-center/settings/integrations/:integrationId/test — Test an integration connection and verify credentials
- GET /api/addons/trust-center/settings/enrollment — List enrolled tenants with framework assignments and override status