Compliance · Beta
Secureframe
API integration
Ship Compliance features without building the integration. Full Secureframe API access via Proxy and 50+ MCP-ready tools for AI agents — extend models and mappings to fit your product.
Built for specific customer use cases. Issues are resolved quickly.
Use Cases
Why integrate with Secureframe
Common scenarios for SaaS companies building Secureframe integrations for their customers.
Embed compliance evidence collection in infrastructure tools
MDM, code repository, and cloud security platforms can let mutual customers automatically sync device states, repositories, and cloud resources into Secureframe, eliminating manual evidence collection for SOC 2, ISO 27001, and HIPAA audits.
Power RFP and security questionnaire automation
Sales enablement and AI questionnaire platforms can pull CISO-approved answers from Secureframe's Knowledge Base and push new unanswered questions back, letting mutual customers respond to security assessments in minutes instead of weeks.
Automate Trust Center approvals from the CRM
CRMs and deal desk tools can surface inbound Trust Center document requests next to deal context and approve or reject them programmatically, unblocking late-stage deals without involving the security team.
Trigger vendor risk reviews from procurement events
Spend management and procurement platforms can push newly discovered SaaS vendors into Secureframe's TPRM module so GRC teams can begin risk assessments the moment a new tool is purchased.
File point-in-time evidence against specific controls
Vulnerability scanners, pentest platforms, and security monitoring tools can upload reports directly to the relevant Secureframe test, keeping mutual customers continuously audit-ready.
What You Can Build
Ship these features with Truto + Secureframe
Concrete product features your team can ship faster by leveraging Truto’s Secureframe integration instead of building from scratch.
Two-way Knowledge Base sync
Read existing Knowledge Base questions and answers from Secureframe and write new questions or updated answers back as your users finalize security responses.
Trust Center request routing and approval
List inbound Trust Center requests, enrich them with CRM context, and call update endpoints to approve or reject document access from inside your product.
Device and cloud resource compliance feed
Continuously push device, repository, and cloud resource state into Secureframe and update framework asset scopes so each asset is mapped to the right SOC 2, ISO 27001, or HIPAA controls.
Automated test evidence uploads
Attach PDFs, scan reports, or screenshots to specific Secureframe tests via the test evidence endpoint so audit artifacts land in the correct control bucket automatically.
TPRM vendor lifecycle automation
Create new third-party vendors in Secureframe from procurement or finance events and archive vendors when contracts end, keeping the vendor inventory in sync with reality.
Compliance posture dashboard
Pull frameworks, controls, tests, and risks via Truto to render a live compliance scorecard for your mutual customers without forcing them to log into Secureframe.
SuperAI
Secureframe AI agent tools
Comprehensive AI agent toolset with fine-grained control. Integrates with MCP clients like Cursor and Claude, or frameworks like LangChain.
list_all_secureframe_repository_framework_asset_scopes
List Framework Asset Scopes for a Secureframe repository. The absence of a Framework Asset Scope means the repository is not in scope for that Framework. Returns: id, active, framework_id, manually_scoped_reason, created_at. Required: repository_id.
create_a_secureframe_repository_framework_asset_scope
Create a Framework Asset Scope for a Secureframe repository. Framework Asset Scopes are immutable: once created they cannot be modified, so to change a repository's scope you create a new scope record. Returns: id, active, framework_id, manually_scoped_reason, created_at. Required: repository_id.
update_a_secureframe_repository_by_id
Update a Secureframe repository by id. Returns: id, created_at, updated_at. Required: id.
list_all_secureframe_repositories
List repositories in Secureframe. Returns: id, created_at, updated_at. Supports Lucene syntax filtering via the q parameter and optional relationship sideloading via include and relationships.
get_single_secureframe_repository_by_id
Get a single Secureframe repository by id. Returns: id, created_at, updated_at. Required: id.
list_all_secureframe_cloud_resources
List Secureframe cloud resources. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Use `q` for Lucene-syntax filtering and `include` to embed related data.
get_single_secureframe_cloud_resource_by_id
Get a single Secureframe cloud resource by id. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Required: id.
update_a_secureframe_cloud_resource_by_id
Update a Secureframe cloud resource by id. Returns: id, cloud_resource_type, vendor_name, region, third_party_id, in_audit_scope, owner_id, created_at, updated_at. Required: id.
list_all_secureframe_cloud_resource_framework_asset_scopes
List framework asset scopes for a Secureframe cloud resource. Returns: id, in_audit_scope, out_of_audit_scope_reason for each scope record associated with the specified cloud resource. Required: cloud_resource_id.
create_a_secureframe_cloud_resource_framework_asset_scope
Create a framework asset scope for a Secureframe cloud resource, setting its audit scope status for a given framework. Returns: id, in_audit_scope, out_of_audit_scope_reason. Required: cloud_resource_id.
list_all_secureframe_comments
List Secureframe comments with optional filtering and full-text search. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Use q for Lucene-syntax filtering and include to sideload related resources.
get_single_secureframe_comment_by_id
Get a single Secureframe comment by id. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Required: id.
create_a_secureframe_comment
Create a new comment in Secureframe attached to a commentable resource. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id.
update_a_secureframe_comment_by_id
Update an existing Secureframe comment's content by id. Returns: id, content, commentable_type, commentable_id, company_id, conversation_id. Required: id.
delete_a_secureframe_comment_by_id
Delete a Secureframe comment by id. Returns an empty 204 response on success. Required: id.
list_all_secureframe_controls
List Controls in Secureframe. Returns: id, name, key, health_status, enabled, custom, owner_name, frameworks, created_at, updated_at. Filter using Lucene syntax via the q parameter, or include related objects (author, company, owner) via include.
get_single_secureframe_control_by_id
Get a single Secureframe Control by id. Returns: id, name, key, health_status, enabled, custom, owner_name, frameworks, created_at, updated_at. Required: id.
create_a_secureframe_custom_connection_datum
Submit resource data to a Secureframe custom connection for asynchronous processing. Accepts an array of resource objects conforming to a specified schema and vendor slug. Returns a 202 Accepted response with no body indicating the data is enqueued for processing. Required: id, resource_data, schema_slug, vendor_slug.
list_all_secureframe_devices
List Secureframe devices. Returns: id, device_name, os, make, model, serial_number, mac_address, owner_name, hard_drive_encrypted, local_firewall_enabled, created_at, updated_at. Supports Lucene-syntax search and filtering via the q parameter.
get_single_secureframe_device_by_id
Get a single Secureframe device by id. Returns: id, device_name, os, make, model, serial_number, mac_address, owner_name, hard_drive_encrypted, local_firewall_enabled, created_at, updated_at. Required: id.
list_all_secureframe_device_framework_asset_scopes
List Framework Asset Scopes for a Secureframe device. The absence of a scope indicates the device is not in scope for the given Framework. Returns: id, device_id, framework_id, active, manually_scoped_reason. Required: device_id.
create_a_secureframe_device_framework_asset_scope
Create a Framework Asset Scope for a Secureframe device. Scopes are immutable once created; to change scope, create a new record. Returns: id, device_id, framework_id, active, manually_scoped_reason. Required: device_id.
get_single_secureframe_evidence_by_id
Get a single Evidence record from Secureframe by id. Returns: id. Required: id.
list_all_secureframe_frameworks
List Secureframe frameworks. Returns: id, title, created_at, updated_at. Supports full-text search via q (Lucene syntax) and optional relationship includes via include.
get_single_secureframe_framework_by_id
Get a single Secureframe framework by id. Returns: id, title, created_at, updated_at. Required: id.
list_all_secureframe_framework_requirements
List Secureframe Framework Requirements. Returns: id, name, key, enabled, health_status. Filter by enabled, health_status, id, key, or name using Lucene syntax via the q parameter.
get_single_secureframe_framework_requirement_by_id
Get a single Secureframe Framework Requirement by id. Returns: id, name, key, enabled, health_status. Required: id.
list_all_secureframe_integration_connections
List Secureframe integration connections. Returns: id, name, status, updated_at, vendor_name. Supports Lucene-syntax filtering via q, and relationship sideloading via include or relationships.
get_single_secureframe_integration_connection_by_id
Get a single Secureframe integration connection by id. Returns: id, name, status, updated_at, vendor_name. Required: id.
secureframe_integration_connections_archive
Archive a Secureframe integration connection by id. Returns the updated connection record including id, name, status, updated_at, and vendor_name. Required: id.
get_single_secureframe_knowledge_base_answer_by_id
Get a single Secureframe Knowledge Base Answer by id. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: id.
create_a_secureframe_knowledge_base_answer
Create a new Secureframe Knowledge Base Answer linked to an existing Knowledge Base Question. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: content, knowledge_base_question_id, type.
update_a_secureframe_knowledge_base_answer_by_id
Update an existing Secureframe Knowledge Base Answer by id. Returns: id, content, type, primary_answer, knowledge_base_question_id. Required: id.
delete_a_secureframe_knowledge_base_answer_by_id
Delete a Secureframe Knowledge Base Answer by id. Returns an empty 200 response on success. Required: id.
list_all_secureframe_risks
List risks in Secureframe. Returns: id, custom_risk_id, description, owner_name, archived. Filter results using Lucene syntax via the q parameter, or include the related owner object via the include parameter.
get_single_secureframe_risk_by_id
Get a single Secureframe risk by id. Returns: id, custom_risk_id, description, owner_name, archived. Required: id.
create_a_secureframe_security_questionnaire
Create a new Security Questionnaire in Secureframe by uploading a questionnaire file with associated metadata. Returns the created questionnaire object including its id, owner_id, and company_name. Required: owner_id, file.
list_all_secureframe_tests
List tests in Secureframe. Returns: id.
get_single_secureframe_test_by_id
Get a single Secureframe test by id. Returns: id. Required: id.
update_a_secureframe_test_by_id
Update a Secureframe test by id. Returns: id. Required: id.
create_a_secureframe_test_export
Create a Test Export for a Secureframe test. Returns: id, test_id. Required: test_id.
get_single_secureframe_test_export_by_id
Get a Secureframe Test Export by id. Returns: id, test_id. Required: id.
list_all_secureframe_trust_center_requests
List Trust Center Requests in Secureframe. Returns: id, email, requester_name, reviewed, created_at. Use q to filter with Lucene syntax; use include to sideload trust_center_resource_requests.
get_single_secureframe_trust_center_request_by_id
Get a single Secureframe Trust Center Request by id. Returns: id, email, requester_name, reviewed, created_at, document_security. Required: id.
update_a_secureframe_trust_center_request_by_id
Update a Secureframe Trust Center Request by id, including approving or rejecting resource requests and setting document security. Returns: id, email, requester_name, reviewed, created_at, document_security. Required: id.
get_single_secureframe_user_security_setting_by_id
Get user security settings in Secureframe for the authenticated company and user. Returns the UserSecuritySetting object including id and security configuration fields specific to the company and user; consult Secureframe API documentation for the full field breakdown.
list_all_secureframe_vendors
List Secureframe vendors. Returns: id, name, archived, owner_name, risk_level, updated_at. Supports Lucene-syntax search and filtering via q. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
get_single_secureframe_vendor_by_id
Get a single Secureframe vendor by id. Returns: id, name, archived, owner_name, risk_level, updated_at. Required: id. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
secureframe_vendors_archive
Archive a Secureframe vendor by id. Returns the updated vendor record including id, name, archived, owner_name, risk_level, and updated_at. Required: id. Deprecated — prefer the Third Party Risk Management Vendor endpoint.
get_single_secureframe_knowledge_base_question_by_id
Get a Secureframe Knowledge Base Question by id. Returns: id, content, owner_id, review_frequency, manual_review_requested. Required: id.
create_a_secureframe_knowledge_base_question
Create a new Secureframe Knowledge Base Question. Returns the created question including id, content, owner_id, review_frequency, and manual_review_requested. Required: content.
update_a_secureframe_knowledge_base_question_by_id
Update a Secureframe Knowledge Base Question by id. Returns the updated question including id, content, owner_id, review_frequency, and manual_review_requested. Required: id.
delete_a_secureframe_knowledge_base_question_by_id
Delete a Secureframe Knowledge Base Question by id. Returns an empty 200 OK response with no body on success. Required: id.
list_all_secureframe_tprm_vendors
List Third Party Risk Management Vendors in Secureframe. Returns: id, name, risk_level, archived, owner_name, updated_at, created_at. Filter results with Lucene syntax via q; optionally include related data using include or relationships.
get_single_secureframe_tprm_vendor_by_id
Get a single Third Party Risk Management Vendor in Secureframe by id. Returns: id, name, risk_level, archived, owner_name, updated_at, created_at. Required: id.
secureframe_tprm_vendors_archive
Archive a Third Party Risk Management Vendor in Secureframe by id. Returns: id, name, archived, risk_level, owner_name, updated_at, created_at. Required: id.
create_a_secureframe_test_evidence
Upload evidence to a test in Secureframe by attaching a file via multipart form. Returns: id. Required: test_id, file. Optionally supply activity_completion to record the date the activity was completed.
Why Truto
Why use Truto’s MCP server for Secureframe
Other MCP servers give you a static tool list for one app. Truto gives you a managed, multi-tenant MCP infrastructure across 500+ integrations.
Auto-generated, always up to date
Tools are dynamically generated from curated documentation — not hand-coded. As integrations evolve, tools stay current without manual maintenance.
Fine-grained access control
Scope each MCP server to read-only, write-only, specific methods, or tagged tool groups. Expose only what your AI agent needs — nothing more.
Multi-tenant by design
Each MCP server is scoped to a single connected account with its own credentials. The URL itself is the auth token, so there are no shared secrets and no credentials leak across tenants. Treat that URL exactly as you would a bearer token: keep it out of logs, chat transcripts, client-side code and screenshots, and use dual-auth for deployments where a leaked URL would be costly.
Works with every MCP client
Standard JSON-RPC 2.0 protocol. Paste the URL into Claude, ChatGPT, Cursor, or any MCP-compatible agent framework — tools are discovered automatically.
Built-in auth, rate limits, and error handling
Tool calls execute through Truto’s proxy layer with automatic credential handling (OAuth refresh where a provider uses OAuth; Secureframe itself uses an API key), rate-limit handling, and normalized error responses. No raw API plumbing in your agent.
Expiring and auditable servers
Create time-limited MCP servers for contractors or automated workflows. Optional dual-auth requires both the URL and a Truto API token for high-security environments.
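The exchange described above, as an added example that is not Truto's MCP server code nor any particular client's: the tools/list and tools/call JSON-RPC 2.0 messages an MCP client sends, each response checked against the request id, plus two client-side controls worth having alongside server-side scoping: an allow-list that mirrors a read-only scope (only list_all_/get_single_ tools from the list above), and a helper that masks the capability URL before anything containing it reaches a log. The server here is a stub returning constructed responses, the MCP initialize handshake is omitted, and the tool names and control fields come from this page; the method names and message shapes are those of the MCP specification.

```python
import itertools
import json
import re
from typing import Callable, Optional

Send = Callable[[dict], dict]          # transport: JSON-RPC request -> response
_ids = itertools.count(1)

# Tools whose names start with these prefixes only read data; create_/update_/
# delete_/archive tools are treated as writes. Prefixes follow the tool list above.
READ_ONLY = re.compile(r"^(list_all|get_single)_")


def rpc_request(method: str, params: Optional[dict] = None) -> dict:
    """Build a JSON-RPC 2.0 request with a fresh id."""
    msg = {"jsonrpc": "2.0", "id": next(_ids), "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def rpc_result(request: dict, response: dict) -> dict:
    """Return the result of a response, after checking it answers *this* request."""
    if response.get("jsonrpc") != "2.0" or response.get("id") != request["id"]:
        raise ValueError("response does not match request (jsonrpc/id mismatch)")
    if "error" in response:
        err = response["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return response["result"]


def discover_read_only_tools(send: Send) -> list:
    """tools/list, filtered to read-only names: the agent's local allow-list."""
    req = rpc_request("tools/list")
    tools = rpc_result(req, send(req))["tools"]
    return [t["name"] for t in tools if READ_ONLY.match(t["name"])]


def call_tool(send: Send, allowed: list, name: str, arguments: dict) -> dict:
    """tools/call, refused locally unless the tool is on the allow-list.

    Server-side scoping is the real control; this is defence in depth so a
    prompt-injected agent cannot even attempt a write against the server.
    """
    if name not in allowed:
        raise PermissionError(f"tool {name!r} is not on the allow-list")
    req = rpc_request("tools/call", {"name": name, "arguments": arguments})
    return rpc_result(req, send(req))


def redact_url(text: str, server_url: str) -> str:
    """The server URL is the credential: mask it before text reaches a log line."""
    return text.replace(server_url, "<redacted-mcp-url>")


# Constructed stub standing in for the remote MCP endpoint (no network).
STUB_TOOLS = [
    {"name": "list_all_secureframe_controls", "inputSchema": {"type": "object"}},
    {"name": "delete_a_secureframe_comment_by_id", "inputSchema": {"type": "object"}},
]


def stub_server(message: dict) -> dict:
    """Answer tools/list and one tools/call with constructed data; error otherwise."""
    base = {"jsonrpc": "2.0", "id": message["id"]}
    if message["method"] == "tools/list":
        return {**base, "result": {"tools": STUB_TOOLS}}
    if message["method"] == "tools/call" and message["params"]["name"] == "list_all_secureframe_controls":
        payload = {"result": [{"id": "ctl-1", "key": "AC-1", "health_status": "healthy"}]}
        return {**base, "result": {"content": [{"type": "text", "text": json.dumps(payload)}]}}
    return {**base, "error": {"code": -32601, "message": "method or tool not available"}}


if __name__ == "__main__":
    allowed = discover_read_only_tools(stub_server)
    controls = call_tool(stub_server, allowed, "list_all_secureframe_controls", {})
    print(allowed, controls["content"][0]["text"])
```

The id check matters more than it looks: over a shared streaming connection a late or replayed response with the wrong id must never be attributed to the current call, and the local allow-list means a read-only agent fails closed even if the server's scope is misconfigured.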
How It Works
From zero to integrated
Go live with Secureframe in under an hour. No boilerplate, no maintenance burden.
Link your customer’s Secureframe account
Use Truto’s frontend SDK to connect your customer’s Secureframe account. Truto handles the credential flow; Secureframe authenticates with an API key, so the user pastes it once and you never need to create an OAuth app.
We handle authentication
Don’t spend time refreshing access tokens or figuring out secure storage. We handle it and inject credentials into every API request.
Call our API, we call Secureframe
Truto’s Proxy API is a 1-to-1 mapping of the Secureframe API. You call Truto, Truto calls Secureframe, and the response is passed back to you within the same request.
Unified response format
Every response follows a single format across all integrations. We translate Secureframe’s pagination into unified cursor-based pagination. Data is always in the result attribute.
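The four steps above, as an added example that is not Truto's or Secureframe's code: a small client that walks a proxied Secureframe list endpoint through cursor pagination and flags devices whose disk is not encrypted. The proxy base URL, the Authorization header, the cursor query parameter and the next_cursor field are assumed placeholders; the page states only that records sit under result and that pagination is cursor-based. The transport is injectable so the block runs offline against constructed sample pages.

```python
import json
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Placeholder: the real proxy base URL and path layout are not shown on the page.
PROXY_BASE = "https://proxy.example.invalid/secureframe"

Transport = Callable[[str, dict], dict]


def http_get(url: str, headers: dict) -> dict:
    """Real transport: GET the URL and decode the JSON body."""
    with urlopen(Request(url, headers=headers)) as resp:
        return json.load(resp)


def iter_records(path: str, api_token: str, params: Optional[dict] = None,
                 transport: Transport = http_get, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every record from a cursor-paginated list endpoint.

    Records are read from "result" (as the page states). The cursor parameter
    and the "next_cursor" field are assumed names. The loop stops when no cursor
    is returned, refuses a cursor it has already seen, and caps the page count,
    so a misbehaving upstream cannot spin the caller forever.
    """
    headers = {"Authorization": f"Bearer {api_token}", "Accept": "application/json"}
    query = dict(params or {})
    seen = set()
    for _ in range(max_pages):
        url = f"{PROXY_BASE}/{path.lstrip('/')}"
        if query:
            url += "?" + urlencode(query)
        page = transport(url, headers)
        if not isinstance(page.get("result"), list):
            raise ValueError("unexpected response shape: no 'result' list")
        yield from page["result"]
        cursor = page.get("next_cursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError("pagination loop: cursor repeated")
        seen.add(cursor)
        query["cursor"] = cursor
    raise RuntimeError(f"gave up after {max_pages} pages")


def unencrypted_devices(api_token: str, transport: Transport = http_get) -> list:
    """Names of devices whose hard_drive_encrypted flag is false."""
    return [d["device_name"]
            for d in iter_records("devices", api_token, transport=transport)
            if not d.get("hard_drive_encrypted")]


# Constructed sample pages so the example runs without network access.
SAMPLE_PAGES = {
    None: {"result": [{"id": "d1", "device_name": "alice-mbp", "hard_drive_encrypted": True},
                      {"id": "d2", "device_name": "bob-thinkpad", "hard_drive_encrypted": False}],
           "next_cursor": "c2"},
    "c2": {"result": [{"id": "d3", "device_name": "ci-runner-7", "hard_drive_encrypted": False}],
           "next_cursor": None},
}


def fake_transport(url: str, headers: dict) -> dict:
    """Stub transport: serve SAMPLE_PAGES keyed by the cursor query parameter."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    print(unencrypted_devices("dummy-token", transport=fake_transport))
```

The repeated-cursor check and page cap are cheap insurance: a proxy that ever echoes the same cursor back would otherwise turn a nightly sync into an unbounded loop against your rate limit.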
FAQs
Common questions about Secureframe on Truto
Authentication, rate limits, data freshness, and everything else you need to know before you integrate.
How does authentication work for the Secureframe integration?
Secureframe uses API key-based authentication. Truto collects the key once during connection, stores it securely, and attaches it to every proxied request, so your end users paste it only once and your product does not have to store it.
Which Secureframe objects can we read and write through Truto?
You can read frameworks, framework requirements, controls, tests, test exports, evidence, risks, devices, repositories, cloud resources, framework asset scopes, integration connections, vendors, TPRM vendors, comments, Trust Center requests, Knowledge Base questions and answers, and user security settings. Write operations are supported for Knowledge Base questions and answers, Trust Center requests, comments, test evidence, test exports, cloud resources, repositories, tests, framework asset scopes (for devices, repositories, and cloud resources), custom connection data, security questionnaires, and archiving of vendors, TPRM vendors, and integration connections.
Can we push custom asset data that isn't a native Secureframe object?
Yes. The custom connection datum endpoint accepts an array of resource objects that conform to a schema slug and vendor slug you specify and processes them asynchronously (202 Accepted, no body). It is the standard pattern for tools whose data model doesn't map cleanly to devices, repositories, or cloud resources.
How fresh is the data we read from Secureframe?
Truto fetches data on demand from Secureframe's REST API, so reads reflect the current state at request time. For ongoing sync, you can poll list endpoints on your preferred cadence or use Truto's scheduled sync to keep a local cache up to date.
How are filtering and search handled on list endpoints?
Secureframe supports Lucene-style query syntax on list endpoints for assets like cloud resources and devices, and Truto passes those filter parameters through so you can target specific non-compliant or in-scope assets without pulling the entire dataset.
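Because q is passed through unchanged, any value your product interpolates into it is query syntax, not data. The added example below (mine, not Truto's or Secureframe's code) shows the filter rewrite that raw interpolation permits and a builder that backslash-escapes values and restricts field names to an allow-list. The field names are those the page lists for cloud resources and devices; the metacharacter set and escaping rule are standard Lucene, and the attacker input is constructed.

```python
import re

# Lucene operator characters; each is neutralised with a backslash. Over-escaping
# inside a quoted phrase is harmless, so one rule covers both bare and quoted use.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/]|&&|\|\|)')

# Only field names you control may appear in a filter (taken from the page).
ALLOWED_FIELDS = {"cloud_resource_type", "vendor_name", "region", "in_audit_scope",
                  "os", "hard_drive_encrypted", "local_firewall_enabled", "owner_name"}


def escape_value(value: str) -> str:
    """Backslash-escape every Lucene metacharacter in a user-supplied value."""
    return _LUCENE_SPECIAL.sub(r"\\\1", value)


def term(field: str, value) -> str:
    """Render one field:value clause; booleans unquoted, strings quoted and escaped."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed in filter: {field!r}")
    if isinstance(value, bool):
        return f"{field}:{'true' if value else 'false'}"
    return f'{field}:"{escape_value(str(value))}"'


def build_query(**clauses) -> str:
    """AND the given clauses into a q string safe to pass through to Secureframe."""
    if not clauses:
        raise ValueError("refusing to build an empty filter")
    return " AND ".join(term(field, value) for field, value in clauses.items())


def unsafe_query(region: str) -> str:
    """What NOT to do: raw interpolation lets the caller rewrite the whole filter."""
    return f'region:"{region}"'


# Constructed attacker input: closes the phrase and ORs in a wildcard match.
MALICIOUS_REGION = 'us-east-1" OR vendor_name:"*'


if __name__ == "__main__":
    print("unsafe:", unsafe_query(MALICIOUS_REGION))
    print("safe:  ", build_query(in_audit_scope=True, region=MALICIOUS_REGION))
```

With the unsafe builder the "region" filter becomes region:"us-east-1" OR vendor_name:"*", which matches every cloud resource in the tenant; the escaped form keeps the whole string inside one phrase.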
Can we delete records in Secureframe?
Direct deletes are limited. You can delete Knowledge Base questions, answers, and comments. For vendors, TPRM vendors, and integration connections, Secureframe uses archive endpoints instead of hard deletes, which Truto exposes as dedicated archive operations.
Get Secureframe integrated into your app
Our team understands what it takes to make a Secureframe integration successful: a short, crisp 30-minute call with people who understand the problem.