    Governance · April 8, 2026 · 18 min read

    Is This Integration Vendor Trustworthy? A Seven-Signal Test for SOC 2, ISO 27001, and GDPR Claims

    Trust in an integration vendor is earned through evidence, not badges. Here are the seven signals that tell you whether a vendor is trustworthy — applied as a worked example to one small Indian operator (Constacloud) where every signal fails at once.


    > TL;DR: Trustworthiness is APIWORX's core value, and it is the right central question to ask of any integration vendor handling your customer, order, or financial data. A trustworthy vendor produces evidence on demand — a verifiable certificate number, a named auditor, a signed Data Processing Agreement, a reconcilable corporate history, internally consistent marketing arithmetic. An untrustworthy vendor produces badges. We translate "trust" into seven specific, repeatable signals any procurement team can score in under fifteen minutes, then apply the test to a single worked example — Constacloud Private Limited, operator of the Commercium integration product — where every signal fails at once. The reason this matters: under GDPR Article 82, DORA Article 30, and NIS2 Article 21, when a vendor's trust signals fail, the legal liability lands on the buyer, not the vendor. Trust is not a feeling. It is a checklist.

    Key takeaways

    • Trust is testable. Seven specific signals — verifiable certificate, named auditor, signed DPA, EU Representative, corporate-record consistency, internally consistent marketing arithmetic, and a real right-of-reply — convert "do I trust this vendor?" from a feeling into a fifteen-minute checklist.
    • Badges are not trust. A logo on a security page is a marketing artifact. Trust is the underlying evidence the logo is supposed to point to. When the evidence is missing, the logo is decoration.
    • The buyer carries the risk. GDPR Article 82, DORA Article 30, and NIS2 Article 21 all attach the legal liability for processor failures to the controller — the buyer. An untrustworthy vendor exposes the buyer's balance sheet, not the vendor's.
    • One worked example: Constacloud Private Limited. A small Indian operator marketing into the same US/EU mid-market we serve. Of the seven trust signals, all seven fail. We use it as the example because the failure is unambiguous, the evidence is in public records, and any reader can re-run the test in fifteen minutes.
    • Disclosure. APIWORX has an active IP-theft and contract dispute against Constacloud Private Limited. We say so directly. We hold ourselves to the same seven-signal test and publish our own evidence on our security page. Run the checks on us.

    ---

    Why "is this vendor trustworthy?" is the right question

    Trustworthiness is APIWORX's core value because it is the only frame that survives contact with how integration software actually goes wrong. Performance can be benchmarked. Features can be compared on a spreadsheet. Pricing can be negotiated. Trust is the variable that determines what happens when something fails — when an order misroutes, when an EDI doc bounces, when a customer record gets corrupted, when a regulator asks for a Record of Processing Activities you assumed your vendor maintained.

    In those moments, the question is never "did this vendor have a nice security page?" The question is always: *did this vendor produce real evidence of real controls, and can I show that evidence to my regulator, my customer, or my board?*

    Every other vendor-evaluation criterion sits downstream of trust. A trustworthy vendor that runs slow is a fixable problem. An untrustworthy vendor that runs fast is a latent liability that converts to a real liability the day something goes wrong. GDPR Article 82 attaches that liability to the controller — the buyer. Article 83 fines are calculated against the controller's global annual turnover, not the processor's. DORA Article 30 requires EU financial entities to document pre-contractual ICT third-party trust assessments. NIS2 Article 21 requires the same for supply-chain risk. In each case, the regulator's question after an incident is: *what evidence of trust did you collect before signing, and does it hold up?*

    This article translates "trust" into seven specific signals, walks through one worked example where every signal fails, and gives procurement teams the same fifteen-minute test we ask buyers to apply to APIWORX itself.

    The seven trust signals

    A trustworthy integration vendor produces all seven of these on first request, without friction. An untrustworthy vendor produces excuses, deflections, or marketing copy.

    | # | Signal | What a trustworthy vendor produces | What an untrustworthy vendor produces |
    |---|---|---|---|
    | 1 | Verifiable ISO 27001 certificate | Certificate number, accredited certification body (Bureau Veritas, TÜV, SGS, BSI, LRQA), scope, validity dates — all searchable on IAF CertSearch or UKAS CertCheck | A logo. No certificate number. No registry hit. |
    | 2 | Named SOC 2 auditor | The actual SOC 2 Type II report under NDA, naming a licensed US CPA firm on the cover, with a report period ending in the last 12 months and scope covering the services purchased | "We are SOC 2 compliant." No CPA firm. No report. |
    | 3 | Signed Data Processing Agreement | A pre-prepared DPA satisfying GDPR Article 28 — sub-processor list, security measures, breach notification timelines, audit rights, sub-processor approval mechanics | "Contact us about our DPA." No published artifact. |
    | 4 | Named EU Representative | A named legal entity in the EU acting as Article 27 Representative for any non-EU processor handling EU personal data | Silence. Or "we comply with GDPR." |
    | 5 | Corporate-record consistency | The legal entity, incorporation date, registered address, and directors on the website match the relevant national company register (MCA, Companies House, Secretary of State) | Marketing tenure, headcount, or scale that does not reconcile with the public filing |
    | 6 | Internally consistent marketing arithmetic | Headcount, customer count, GMV, and tenure that survive a thirty-second cross-reference against ZoomInfo, LinkedIn, the leadership team's own profiles, and the corporate filing | Three different headcount figures across three vendor-controlled sources |
    | 7 | A real right-of-reply | A named contact, a published corrections policy, a security page that invites scrutiny, a trust portal that publishes incident history | A salesperson who deflects, a security page that shows badges but no underlying documents |

    A vendor that produces all seven on first request is operationally trustworthy. A vendor that produces six and is honest about the seventh is trustworthy. A vendor that produces three and tries to argue the other four don't matter is not trustworthy. A vendor that produces zero is the case we examine below.

    The worked example: applying the seven signals to Constacloud Private Limited

    We need a worked example to make the test concrete. The example we use is Constacloud Private Limited, operator of the Commercium marketplace ERP integration product and the DisConnect Discogs/ecommerce integration. We chose this operator specifically because all seven signals fail at once — the diagnostic is unambiguous, the evidence is in public records, and any reader can re-verify in fifteen minutes.

    This is not a competitor profile. We do not consider Constacloud Private Limited a competitor and we have no interest in elevating its market visibility. The point of the worked example is the seven-signal test — what each signal looks like when it fails, and what a buyer should do when one or more fails on a vendor they are evaluating.

    We also disclose, up front, that APIWORX has an active IP-theft and contract dispute against Constacloud Private Limited. Every finding below is sourced from public records — the Indian Ministry of Corporate Affairs (MCA), IAF CertSearch, UKAS CertCheck, ZoomInfo, and the operator's own public marketing pages — and is independently verifiable. Where the evidence speaks for itself, we let it.

    Signal 1 — Verifiable ISO 27001 certificate: **FAIL**

    A genuine ISO 27001 certificate has six properties: a unique certificate number, a named accredited certification body, the accreditation body that accredits the certifier, a defined scope, validity dates, and registry visibility on either IAF CertSearch (global) or UKAS CertCheck (UK).

    | Check | Result |
    |---|---|
    | Certificate number published on the website | Not found |
    | Issuing certification body named (Bureau Veritas, TÜV, SGS, BSI, LRQA, etc.) | Not found |
    | Accreditation body referenced (UKAS, ANAB, NABCB, etc.) | Not found |
    | Downloadable certificate available | Not found |
    | IAF CertSearch search ("Constacloud" / "Consta Cloud") | No hit |
    | UKAS CertCheck search | No hit |

    A certified organization, by construction, has the certificate. Publishing the certificate number is the point of paying $10,000–$50,000 plus annual surveillance audits to acquire it. The absence of every property is the diagnostic. Trust signal: not produced.

    Signal 2 — Named SOC 2 auditor: **FAIL**

    The Constacloud and Commercium public pages do not currently claim SOC 2 — confirm what is and is not in scope when evaluating any vendor. Where the broader vendor sample we audited does claim SOC 2, the absence of a named CPA firm and a report date is the equivalent of a non-existent ISO 27001 certificate. There is no public registry for SOC 2 reports — the only acceptable evidence is the report itself, with a named licensed US CPA firm on the cover, a Type II designation, a report period ending within the past twelve months, and scope covering the services purchased. Refusal to share under NDA is the diagnostic. Trust signal: not applicable on this operator (no SOC 2 claim made), but the signal applies to every vendor that does claim it.

    Signal 3 — Signed Data Processing Agreement: **FAIL**

    GDPR is a regulation, not a certification. No vendor can be "100% GDPR compliant" — the phrase itself is a yellow flag. The substantive question is whether the public privacy policy and contract documentation satisfy what GDPR requires of a data processor.

    For the worked example, we read the public privacy policy against the seven structural elements GDPR Articles 13, 27, 28, and 37 require:

    | GDPR requirement | Article | Status |
    |---|---|---|
    | Documented legal bases for processing | Art. 13 | Not documented |
    | Data Processing Agreement (DPA) offered | Art. 28 | Not referenced or available |
    | EU Representative named | Art. 27 | Not named |
    | Data Protection Officer named, or documented decision not to appoint | Art. 37 | Not mentioned |
    | 30-day response window for data subject requests | Art. 12 | "Within a reasonable timeframe" — falls short |
    | Supervisory authority reference and right to lodge complaints | Art. 77 | Not referenced |
    | Meaningful data-retention period disclosure | Art. 5(1)(e) | "As long as needed" |

    The buyer who signs a contract that does not include these elements carries the Article 82 liability. The vendor's marketing badge does not transfer that liability. Trust signal: not produced.

    Signal 4 — Named EU Representative: **FAIL**

    GDPR Article 27 makes appointment of an EU Representative mandatory for any non-EU processor handling EU personal data. The Representative must be a named legal entity in the EU, contactable by data subjects and supervisory authorities. For the worked example: no named Representative. Trust signal: not produced.

    Signal 5 — Corporate-record consistency: **FAIL**

    The MCA filing returns:

    | Field | Value |
    |---|---|
    | Legal name | Constacloud Private Limited |
    | CIN | U72900CT2020PTC009939 |
    | Date of incorporation | 31 January 2020 |
    | Entity type | Unlisted private company, Chhattisgarh |
    | Registered office | A residential address in Korba, Chhattisgarh |
    | Directors | Three named directors (DINs in the MCA filing) |

    The marketing pages claim a 2013 founding date and "10+ years in business." The MCA filing shows January 2020 — formally established for approximately five years as of this writing, not ten-plus. Either there is an unincorporated operating history that has not been disclosed, or the tenure claim is wrong. The registered address is residential, structurally inconsistent with the physical-security controls ISO 27001 Annex A.7 requires of any certified entity. Trust signal: not produced.

    Signal 6 — Internally consistent marketing arithmetic: **FAIL**

    | Metric | Marketing claim | Reconciliation |
    |---|---|---|
    | Tenure | "10+ years in business" | MCA incorporation: January 2020 (~5 years) |
    | Headcount | "70+" (LinkedIn page) / "40+" (CEO LinkedIn) | ZoomInfo: 11–50 |
    | Customers | "800+ clients worldwide" | Implies 16:1 to 73:1 customer-to-employee ratio; managed-iPaaS norms are 2:1 to 6:1 |
    | GMV | "$5Bn+ GMV processed" | Would generate $50–150M in transaction fees at standard iPaaS pricing tiers; no public revenue disclosure consistent with that scale |

    Three different self-reported headcount figures across three vendor-controlled sources is what data quality professionals call a *tell*. A vendor that cannot produce a single consistent headcount about itself is not running the operational discipline a SOC 2 engagement requires. Trust signal: not produced.

    Signal 7 — A real right-of-reply: **NOT DEMONSTRATED**

    A trustworthy vendor publishes a corrections policy, names a contact, and invites scrutiny because it has nothing to hide. We applied the same right-of-reply standard to ourselves at the bottom of this article. The worked example operator does not publish an equivalent. Trust signal: not produced.

    Score: 0 of 7 trust signals demonstrated

    The diagnostic is unambiguous. This is not a marginal case. This is not a small documentation gap. This is what zero of seven looks like.

    What "is this vendor trustworthy?" actually means

    The point of the seven-signal test is not to grade vendors — it is to give procurement teams a defensible, repeatable, evidence-based answer to the only question that matters when something fails:

    • *Did we have a reasonable basis for trusting this vendor at the time of contract?*

    Regulators do not accept "their security page looked good." They accept the certificate number you wrote down. The SOC 2 report metadata you saved. The signed DPA in the procurement file. The named EU Representative in the contract. The MCA filing you cross-referenced against the marketing site.

    If the answer to *"is this vendor trustworthy?"* is yes, the seven signals can all be produced and saved. If the answer is no, fewer than seven signals can be produced — and the buyer is now on the hook for whatever the vendor cannot demonstrate.

    Trust is not a feeling. It is the file folder you can hand the regulator.

    Why this matters more in 2026 than it did in 2024

    Three forces are pushing untrustworthy vendor behavior in the wrong direction, faster than buyer-side diligence is keeping up:

    1. Procurement automation that scores on badge presence, not badge verification. Vendor questionnaires increasingly auto-score vendors based on whether the badge image exists on the security page, not whether the underlying certificate is real. This actively rewards untrustworthy behavior.
    2. AI-generated security pages. A credible-looking security page — including a fabricated certificate image, a manufactured auditor name, and a templated DPA — can now be produced in an afternoon. The cost of producing the artifact has fallen faster than the cost of verifying it.
    3. Jurisdictional asymmetry. SOC 2, ISO 27001, and GDPR are owned and enforced in the US, the UK, and the EU. Vendors operating from jurisdictions without direct enforcement face a much lower legal cost from misrepresentation than the buyer faces from relying on the misrepresentation.

    The defensive response is to push the seven-signal test down to the procurement-team level. The economics are asymmetric in the buyer's favor — fifteen minutes of verification work prevents potentially eight-figure controller-side liability under Article 83.

    How to run the seven-signal test in fifteen minutes

    | Signal | Tool | Time |
    |---|---|---|
    | 1. ISO 27001 certificate | IAF CertSearch, UKAS CertCheck | 60 seconds |
    | 2. SOC 2 auditor | Email request under NDA. Confirm CPA firm on cover. | 1 day (request), 2 minutes to verify |
    | 3. Signed DPA | Email request. Read against Article 28 elements. | 5 minutes |
    | 4. EU Representative | Search the privacy policy for the Article 27 disclosure | 60 seconds |
    | 5. Corporate-record consistency | Relevant national register (Indian MCA, UK Companies House, US Secretary of State) | 3 minutes |
    | 6. Marketing arithmetic | Cross-reference ZoomInfo, LinkedIn page, leadership LinkedIn profiles | 3 minutes |
    | 7. Right-of-reply | Search the website for a corrections policy and named contact | 60 seconds |

    The full version of this checklist — including the same signals applied to vendor questionnaire responses — is published as a downloadable PDF on our vendor vetting hub: the 30-point vendor vetting checklist, no email required.
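The scorer below is an added illustration of the seven-signal test as a procurement-automation rule set, not APIWORX tooling or the downloadable checklist: it scores on the evidence a buyer actually verified (registry hit, CPA firm on the report cover, Article 28 elements in the DPA, register date against marketing tenure, headcount agreement across sources) rather than on whether a badge image exists. The Article 28 element labels, the 25% headcount tolerance, the one-year tenure slack, and both sample vendors are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

MAX_CUSTOMERS_PER_EMPLOYEE = 6  # upper end of the 2:1 to 6:1 managed-iPaaS norm (Signal 6)
# GDPR Article 28 elements the Signal 3 row expects a DPA to carry (labels are assumptions)
ART28_ELEMENTS = {"sub_processor_list", "security_measures", "breach_notification",
                  "audit_rights", "sub_processor_approval"}

@dataclass
class VendorEvidence:
    """What procurement actually verified, not what the badge page shows."""
    iso_cert_number: Optional[str] = None       # Signal 1: number printed on the site
    iso_registry_hit: bool = False              # Signal 1: IAF CertSearch / UKAS CertCheck hit
    claims_soc2: bool = False                   # Signal 2: does the vendor claim SOC 2 at all?
    soc2_cpa_firm: Optional[str] = None         # Signal 2: CPA firm named on the report cover
    soc2_period_end: Optional[date] = None      # Signal 2: Type II report period end date
    dpa_elements: Set[str] = field(default_factory=set)  # Signal 3: Art. 28 elements found
    eu_representative: Optional[str] = None     # Signal 4: Art. 27 entity named in the policy
    claimed_years_in_business: Optional[int] = None      # Signal 5: marketing tenure claim
    incorporation_date: Optional[date] = None   # Signal 5: date on the company register
    headcounts: Dict[str, int] = field(default_factory=dict)  # Signal 6: one per source
    claimed_customers: Optional[int] = None     # Signal 6: the "N+ clients" figure
    corrections_policy: bool = False            # Signal 7: named contact + corrections policy

def tenure_reconciles(ev: VendorEvidence, today: date) -> bool:
    """Signal 5: claimed years in business may not exceed register tenure (+1 yr rounding slack)."""
    if ev.claimed_years_in_business is None or ev.incorporation_date is None:
        return False
    actual_years = (today - ev.incorporation_date).days / 365.25
    return ev.claimed_years_in_business <= actual_years + 1

def arithmetic_reconciles(ev: VendorEvidence) -> bool:
    """Signal 6: self-reported headcounts agree within 25% and the customer ratio is plausible."""
    if not ev.headcounts or ev.claimed_customers is None:
        return False
    lo, hi = min(ev.headcounts.values()), max(ev.headcounts.values())
    consistent = hi <= lo * 1.25
    # Use the largest headcount, i.e. the reading most charitable to the vendor
    ratio_ok = ev.claimed_customers / hi <= MAX_CUSTOMERS_PER_EMPLOYEE
    return consistent and ratio_ok

def score(ev: VendorEvidence, today: date) -> Dict[int, Optional[bool]]:
    """Map signal number -> True (produced), False (not produced), None (not applicable)."""
    results = {
        1: bool(ev.iso_cert_number) and ev.iso_registry_hit,  # a number alone is still a badge
        3: ART28_ELEMENTS <= ev.dpa_elements,
        4: ev.eu_representative is not None,
        5: tenure_reconciles(ev, today),
        6: arithmetic_reconciles(ev),
        7: ev.corrections_policy,
    }
    if ev.claims_soc2:  # named CPA firm and a report period ending within the last 12 months
        fresh = ev.soc2_period_end is not None and (today - ev.soc2_period_end).days <= 365
        results[2] = bool(ev.soc2_cpa_firm) and fresh
    else:
        results[2] = None  # no SOC 2 claim made: not applicable rather than a fail
    return dict(sorted(results.items()))

def summarize(results: Dict[int, Optional[bool]]):
    """Return (signals produced, signals applicable); 0 of N is the disqualifying case."""
    applicable = [v for v in results.values() if v is not None]
    return sum(applicable), len(applicable)

# Constructed sample vendors (not real companies or figures)
BADGE_ONLY = VendorEvidence(
    claimed_years_in_business=12, incorporation_date=date(2021, 3, 15),
    headcounts={"linkedin_page": 60, "ceo_profile": 35, "zoominfo": 20}, claimed_customers=500)
EVIDENCED = VendorEvidence(
    iso_cert_number="EXAMPLE-CERT-0001", iso_registry_hit=True,
    claims_soc2=True, soc2_cpa_firm="Example CPA LLP", soc2_period_end=date(2025, 12, 31),
    dpa_elements=set(ART28_ELEMENTS), eu_representative="Example EU Rep GmbH",
    claimed_years_in_business=6, incorporation_date=date(2019, 6, 1),
    headcounts={"linkedin_page": 45, "zoominfo": 40}, claimed_customers=180,
    corrections_policy=True)
```

`summarize(score(BADGE_ONLY, date(2026, 4, 8)))` returns `(0, 6)` because the unclaimed SOC 2 signal is excluded from the denominator, while the evidenced vendor scores `(7, 7)`.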

    What enterprise buyers should take from this

    For enterprise buyers — particularly those with EU or UK personal data in scope, or with DORA / NIS2 obligations — three actions follow directly from the seven-signal test:

    1. Score every vendor on all seven signals before signing. Save the evidence — IAF CertSearch screenshot, SOC 2 report metadata, signed DPA, named EU Representative — in the procurement file. This is the audit trail Article 30 and Article 21 require.
    2. Refuse to sign a DPA that does not satisfy the seven structural GDPR elements. Article 28 requires them. A vendor that cannot produce them has not built a GDPR-compliant data-processing operation.
    3. Treat zero-of-seven results as disqualifying. A vendor that fails every trust signal is not a vendor with a documentation gap. It is a vendor whose operational reality does not match its marketing — and whose failure mode lands on your balance sheet, not theirs.

    Trust is not a feeling. It is a file folder. Build the file folder before you sign.

    How APIWORX scores on the seven signals

    We hold ourselves to the same seven-signal test we ask buyers to apply to any vendor. Our security and compliance posture publishes the underlying evidence — named auditors, current report dates, downloadable artifacts where appropriate, and a trust portal that matches our marketing. Our architecture documentation shows data residency, encryption, and access-control posture per tenant. We publish our DPA without requiring a sales conversation. We name our EU Representative. Our corporate filings reconcile against our marketing.

    We mention this not as a sales pitch but as the demonstration the seven-signal test demands. Any integration vendor — including us — should be able to produce all seven on request. Buyers who apply this discipline universally are doing the work that GDPR Article 28, DORA Article 30, and NIS2 Article 21 require of them.

    Frequently asked questions

    What does "trustworthy" mean for an integration vendor?

    Operationally, it means the vendor produces specific evidence on demand: a verifiable certificate number, a named CPA firm for SOC 2, a signed DPA satisfying GDPR Article 28, a named EU Representative under Article 27, a corporate filing that reconciles against marketing claims, internally consistent self-reported metrics, and a published right-of-reply. Trust is not a feeling — it is the file folder you can hand a regulator after an incident.

    How long does the seven-signal test take?

    About fifteen minutes for the desk-research signals (1, 4, 5, 6, 7), plus a one-day turnaround on the NDA-gated artifacts (2, 3). The economics are asymmetric in the buyer's favor — fifteen minutes of work prevents potentially eight-figure controller-side liability under GDPR Article 83.

    Who carries the legal risk when a vendor fails the trust test?

    The data controller — the buyer. GDPR Article 82 attaches liability for processor breaches to the controller. Article 83 fines are calculated against the controller's global annual turnover, not the processor's. DORA Article 30 and NIS2 Article 21 both require the buyer to document pre-contractual third-party trust assessments. An unverifiable badge fails all three by construction.

    What does a "fail" on each signal actually look like?

    Signal 1: no certificate number, no IAF/UKAS hit. Signal 2: no named CPA firm, no report date. Signal 3: no published DPA, no Article 28 elements. Signal 4: no EU Representative named in the privacy policy. Signal 5: corporate filing date that does not match marketing tenure, or registered address inconsistent with operational claims. Signal 6: three different self-reported headcounts across three vendor-controlled sources. Signal 7: no published corrections policy or named contact.

    Why do you use Constacloud as the worked example?

    Because all seven trust signals fail at once. The case is unambiguous, the evidence is in public records, and the failure mode in each signal is textbook. The point is the test, not the operator. We do not consider Constacloud Private Limited a competitor and we have no interest in elevating its market visibility. We use it only as the case where the seven-signal diagnostic produces zero of seven — the clearest possible demonstration of what untrustworthy looks like.

    Does APIWORX have a legal dispute with Constacloud?

    Yes. APIWORX has initiated an active IP-theft and contract dispute against Constacloud Private Limited. We disclose it directly. Every finding in this article is sourced from public records — the Indian Ministry of Corporate Affairs, IAF CertSearch, UKAS CertCheck, ZoomInfo, and the operator's own public marketing pages — and is independently verifiable by any reader. The seven-signal test applies equally to APIWORX, and we publish our own evidence on our security page.

    What if a vendor produces six of seven?

    Score the missing signal honestly. A vendor that produces six and is transparent about the seventh — for example, an early-stage company that publishes its SOC 2 readiness roadmap rather than claiming SOC 2 it does not yet have — is more trustworthy than a vendor that fakes the seventh. Honesty about gaps is itself a trust signal.

    Can a vendor be "100% GDPR compliant"?

    No. GDPR is a regulation, not a certification — no entity can "certify" an organization as GDPR compliant. The phrase is itself a yellow flag. The substantive question is whether the privacy policy and contract documentation satisfy Articles 6, 12, 13, 27, 28, 32, and 37.

    What about other integration vendors?

    The seven-signal test applies to every vendor in the market. Our March 2026 cross-vendor audit covers six vendors marketing into US/EU mid-market, scored on the same dimensions. The pattern is wider than one operator — but the worked example here is the case where the test produces the cleanest zero.

    Sources

    This article is sourced from the following primary public records:

    1. Indian Ministry of Corporate Affairs (MCA) — company master data and directors registry, mca.gov.in
    2. IAF CertSearch — global database of accredited ISO management-system certifications, iafcertsearch.org
    3. UKAS CertCheck — UK Accreditation Service certificate verification, certcheck.ukas.com
    4. AICPA SOC 2 framework and trust services criteria, aicpa-cima.com
    5. EU GDPR — Articles 6, 12, 13, 27, 28, 32, 37, 77, 82, 83 — gdpr-info.eu
    6. EU DORA (Digital Operational Resilience Act) — Article 30 ICT third-party risk
    7. EU NIS2 Directive — Article 21 supply-chain risk management
    8. ZoomInfo company profile data
    9. UK Companies House, find-and-update.company-information.service.gov.uk
    10. Public marketing and privacy pages of the vendors discussed

    Right of reply and corrections policy

    Every claim in this article is sourced from publicly available documents at the time of writing. If any vendor named in this article — including Constacloud Private Limited — believes any finding is materially inaccurate, including if a previously missing certificate has since been issued and is now searchable on IAF CertSearch or UKAS CertCheck, or if the privacy policy has since been updated to address the structural gaps documented above, we will publish a correction within five business days of receiving the relevant evidence. Contact us at hello@apiworx.com.

    We also welcome the same scrutiny applied to APIWORX. Run the seven-signal test on us. We publish the answers in our security documentation and our architecture overview.
