When a customer invites you to complete a Trust Chain assessment, they're asking you to upload evidence of your security practices rather than fill out a questionnaire. This guide walks you through everything you need to know.
What Is Trust Chain?
Trust Chain is Strike Graph's third-party risk management solution. Your customers use it to request security documentation from you directly. Instead of a static questionnaire, they assign you specific evidence requests, and you upload the relevant documents.
Your documents are analyzed by Verify AI, Strike Graph's built-in AI tool, which checks each submission against your customer's requirements. Your customer does not have access to your documents by default, you control what they can see.
How to Respond to Evidence Requests
Log in to your Strike Graph account and navigate to Evidence Requests.
You'll see each customer who has assigned you requests, along with the number of items assigned. Click a customer's name to begin.
Click into an individual request to review what's being asked and upload your documentation.
You have three ways to attach evidence:
Upload directly — browse your desktop or pull from a connected integration.
Automated collection — have the system pull documents from an integrated tool on a schedule.
Link from your Trust Asset Library — reuse documents you've already uploaded to Strike Graph.
To connect Office 365 or Google Drive, click the Integrations tab and follow the setup steps. Once connected, those sources will be available when you select Attach Directly or Automated Collection.
Understanding Verify AI Results
Once you upload a document, Verify AI immediately analyzes it against your customer's request description.
The result appears as one of two statuses:
Status | What It Means |
Active or Satisfied | The document meets the customer's requirements. No further action needed. |
Needs Attention | Verify AI couldn't confirm the document fully meets the requirements. Your customer will review and decide next steps. |
To see why a submission was flagged, click Show Details, then Description Check.
If a submission doesn't pass, you can:
Delete the document and upload a revised version.
Leave a comment for your customer with additional context.
Your customer makes the final call on whether a submission satisfies their requirements. They may reach out via comments or request access to your document before deciding.
Tip: If you'd prefer your customer not see the description check details, mark the evidence as Sensitive. They'll need to follow up with you directly for more context.
Note: All processing happens within Strike Graph’s controlled infrastructure to keep your information confidential and your evidence documentation never leaves Strike Graph’s secure environment.
What Your Customer Can See
By default, your customer can see:
The name of the document you uploaded.
The Verify AI verification status (Satisfied/Active or Needs Attention).
The description check explaining Verify AI's assessment.
They cannot see the document itself unless you grant them access.
If you mark evidence as sensitive, the description check details are hidden from your customer.
Granting a Customer Access to Your Documents
If your customer requests access to a document, you'll receive an email notification. To respond:
Click the link in the email, or navigate directly to the relevant evidence request in Strike Graph.
In the Attachments section, click the Request Pending badge on the document card.
Click Approve to grant access or Deny Access to decline.
Your customer will be notified of your decision by email. If you approve, they'll be able to preview or download the document from the evidence request.
Reusing Documents Across Multiple Customers
If you receive evidence requests from more than one customer, you don't need to upload the same document multiple times. Use your Trust Asset Library to store documents and link them to any request.
To add a document to your Trust Asset Library:
Click Trust Asset Library, then Add Trust Asset.
Enter a name, optional description, document type, and effective date.
Once saved, click Link Trust Asset on any evidence request to attach it.
To save a document you've already uploaded to an evidence request:
Find the file on the evidence request.
Click the kebab menu (⋮) on the document card and select Save to Trust Asset Library.
What to Do If You Don't Have a Requested Document
If you don't have a document a customer is asking for, tag them in a comment on the evidence request and explain why.
If you have something that partially covers the request, upload it and add context in the notes section.
Your customer may choose to log this as a risk, ask for an alternate document, or unassign the request.
Strike Graph also provides best-in-class security policy templates — reach out to our support team if you'd like help strengthening your compliance posture.
Evidence Expiration
Each evidence request has an expiration date that tells Strike Graph how often to request updated documentation. You'll receive an email 20 days before a request expires, prompting you to upload a new document or confirm the existing one is still current.
To stay ahead of expirations, connect Office 365 or Google Drive and use automated collection to pull updated documents before they expire.
Notifications and Communications
Strike Graph will notify you by email when:
A customer invites you to an assessment.
Verify AI flags a submission that needs attention.
An evidence request is approaching its expiration date.
A customer leaves a comment on one of your evidence requests.
When leaving comments for your customer, use the @ symbol to tag them so they receive a notification.
What Happens After You've Completed Your Requests?
Once all your evidence requests are satisfied, you're done — until an item expires or your customer adds new requests. You'll receive an email if either happens.
A few other things you can do with your evidence in Strike Graph:
Answer questionnaires faster — use your uploaded evidence to automatically generate responses to customer questionnaires. Ask us to enable the Questionnaire feature for your account.
Check your compliance readiness — curious how your current evidence maps to SOC 2, CMMC, or other frameworks? Schedule time with our team for an analysis.
How Secure Are My Documents?
Strike Graph applies zero-trust principles across the entire platform. Your documents are never sent outside of Strike Graph, and Verify AI runs within Strike Graph's own infrastructure — your data is never used to train third-party AI models.