The Trust Practice
Frequently asked questions
Scope, fit & how The Trust Practice works.
Fit and audience
Organisations with visible public digital systems and meaningful trust obligations: NFPs and charities, health and mental health organisations, education providers, membership bodies, and public-interest organisations. Also relevant for digitally visible mid-sized commercial organisations wanting a clear, independent view of their digital trust posture.
The common thread is not sector - it is that the organisation's public digital presence carries real trust weight, and ownership of that presence is often fragmented.
For organisations whose immediate concern is email spoofing or authentication, Email Trust is available as a scoped entry point.
No. NFPs, health, education, and public-interest organisations are the initial focus because they typically have significant public trust obligations with fragmented internal ownership. But the practice is not limited to that sector. Any organisation with public-facing digital systems and a genuine need for clear trust posture interpretation is a potential fit.
Yes, if the digital presence is public-facing and carries real trust obligations. Smaller organisations often have the most fragmented digital ownership and the least visibility over what their systems are signalling. The Review is scoped to the size of the digital estate - a smaller estate means a smaller, faster engagement.
Scope and service boundaries
Not in the conventional sense. The Trust Practice is not a penetration testing firm, a compliance consultancy, or a managed security provider. The focus is on the observable trust signals your public-facing digital systems emit - how your presence appears to the outside world - and the governance and operational questions behind those signals.
Not by default. The practice is advisory - outputs are findings, interpretation, sequencing, and guidance. Implementation is done by your own teams or other providers. In some engagements, limited advisory support around specific implementation decisions may be appropriate; this is agreed explicitly and not a standard inclusion.
No. The Digital Trust Review does not produce compliance certification or audit evidence. It assesses observable trust posture - what your digital presence signals publicly - and interprets that in operational and governance terms. Compliance frameworks may inform the interpretation, but the output is not an audit report.
Email Trust is a scoped variant of the Digital Trust Review that focuses specifically on email authentication and trust controls - SPF, DKIM, DMARC, MTA-STS, and TLS-RPT. Unlike the full Review, which covers all six TrustSurface domains, Email Trust targets the Email Integrity domain and includes hands-on remediation. The core deliverable is a completed Email Trust Runbook.
No. Stewardship arrangements provide ongoing review, interpretation, and advisory guidance, but they are not managed services, support desks, or implementation delivery. The practice is designed to build internal capability and clarity, not to become an external dependency.
Process
All enquiries are reviewed directly. You will receive an acknowledgement and response within 1–2 business days - typically confirming the next step (usually a short discovery call) or asking a small number of clarifying questions.
Most Reviews complete within two to three weeks of scope confirmation. Timing depends on the number of primary surfaces in scope and the complexity of the digital estate. The playback is scheduled before assessment begins so your team knows the delivery window upfront.
Very little to begin. The Review focuses on publicly observable signals - no system access or credentials are required. At scoping, you will be asked to confirm the primary domains and services in scope, identify any known concerns, and flag any planned changes.
A playback session delivers the findings to your team. The most common next steps are either acting on the prioritised action list independently, or commissioning a Roadmap to turn findings into a structured implementation plan. Some clients move directly into Stewardship. None are required - the Review stands on its own as a useful output.
Structure and legitimacy
TrustSurface is the framework and methodology - published openly at trustsurface.org. The Trust Practice is the market-facing practice that applies that framework in commercial engagements. The framework informs the method; the practice delivers the work.
The Trust Practice is operated by Bryan Chetcuti through The Vigo Group. Bryan Chetcuti is the practitioner - the author of the TrustSurface framework and the person who delivers the work. The Vigo Group provides the operating, commercial, and support infrastructure. Operator information is available at vigogroup.com.au.
Privacy and terms are maintained by The Vigo Group at vigogroup.com.au/privacy/ and vigogroup.com.au/terms/. Advisory engagements are subject to a specific proposal and Statement of Work, which governs scope, confidentiality, and commercial terms.
For service and support matters, use the Vigo Group support page. For advisory enquiries - new engagements, discussions, or briefings - use the contact page. Service status is available at status.vigogroup.com.
Still have a question?
The contact page is the best way to ask. Short, direct questions get short, direct answers.