Overview
Self-hosted WordPress trust center with policies, subprocessors, certifications, data practices, and an optional AI assistant grounded in your own corpus.
OpenTrust is the open-source, self-hosted alternative to Vanta Trust Center, Drata, and SafeBase. Publish your security policies, list your subprocessors, display your compliance certifications, and document your data practices on a single branded page that lives on your own WordPress site. No SaaS subscription, no vendor lock-in, no "phone home."
Procurement teams want a URL they can read. Buyers want receipts. Auditors want a version trail. OpenTrust gives you all three in a plugin, and lets you optionally bolt on an AI assistant that answers visitor questions from your real, published corpus, with citations.
What it does
- Five content types for security policies, certifications, subprocessors, data practices, and FAQs. Each ships with a curated catalog of common entries (200+ subprocessors, the major certifications, sensible defaults) so the autofill on the Add-New screen does most of the typing.
- Auto-incrementing policy versions. Tick "publish new version" on save and OpenTrust archives the prior text. Past versions stay reachable at stable URLs (/trust-center/policy/{slug}/version/{n}/) so auditors can cite "as of v4."
- Standalone, theme-isolated rendering. OpenTrust intercepts at template_redirect, outputs a complete HTML document with inlined CSS, and exits. Your theme's stylesheet, header, footer, and JavaScript never load. Zero theme conflicts.
- WCAG-aware accent colour. Pick any brand hex; OpenTrust clamps lightness in HSL space until it clears 4.5:1 contrast on white.
- Optional AI chat assistant at /trust-center/ask/. Anthropic recommended (its native Citations API gives verifiable, source-anchored citations); OpenAI and OpenRouter are supported as fallbacks. Agentic retrieval over your published corpus, with token budgets, rate limits, and Cloudflare Turnstile to keep costs and bots in check.
- Privacy-respecting by design. No telemetry, no licence checks, no fonts loaded from Google. With no AI key configured, the plugin makes zero outbound HTTP calls.
- Translation-ready. Ships with a .pot template, an nl_NL translation, and wpml-config.xml declarations for WPML and Polylang.
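The theme-isolated rendering and the stable version URLs described above fit together in one request handler. The following is an added example written for this page, not OpenTrust's own code: it hooks template_redirect, matches /trust-center/policy/{slug}/version/{n}/ with a strict pattern, emits a complete HTML document with inlined CSS, and exits so nothing from the theme ever runs. The function names, the regular expression, the CSS and the in-memory sample corpus are assumptions standing in for the plugin's real post types and meta.

```php
<?php
// Added example (not OpenTrust's own code) of the rendering approach the
// overview describes: intercept at template_redirect, emit a complete HTML
// document with inlined CSS, and exit before the theme loads. The function
// names, the regex, the CSS and the sample policy data are assumptions.

add_action( 'template_redirect', 'example_trust_center_render' );

function example_trust_center_render(): void {
    $path  = (string) wp_parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH );
    $route = example_trust_center_match_route( $path );
    if ( null === $route ) {
        return; // Not a trust-center URL: fall through to the theme as normal.
    }

    $policy = example_trust_center_lookup_policy( $route['slug'], $route['version'] );
    if ( null === $policy ) {
        // Unknown slug or version: answer the 404 here instead of handing off to the theme.
        status_header( 404 );
        nocache_headers();
        exit;
    }

    status_header( 200 );
    header( 'Content-Type: text/html; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo example_trust_center_document( $policy );
    exit; // Nothing after this point runs: no theme header, footer, styles or scripts.
}

/**
 * Match /trust-center/policy/{slug}/version/{n}/ (the version segment is optional)
 * and return validated parts, or null for any other path. The slug is limited
 * to [a-z0-9-] and the version to a positive integer, so nothing user-controlled
 * reaches the lookup or the output unvalidated.
 */
function example_trust_center_match_route( string $path ): ?array {
    $pattern = '#^/trust-center/policy/([a-z0-9-]{1,64})(?:/version/([1-9][0-9]{0,5}))?/?$#';
    if ( ! preg_match( $pattern, $path, $m ) ) {
        return null;
    }
    return [
        'slug'    => $m[1],
        'version' => isset( $m[2] ) ? (int) $m[2] : null, // null means "current version"
    ];
}

/**
 * Constructed sample data standing in for a real post query. Each slug maps to
 * its archived versions; the highest number is the current one.
 */
function example_trust_center_lookup_policy( string $slug, ?int $version ): ?array {
    $corpus = [
        'access-control' => [
            1 => '<p>Access is granted on a least-privilege basis.</p>',
            2 => '<p>Access is granted on a least-privilege basis and reviewed quarterly.</p>',
        ],
    ];
    if ( ! isset( $corpus[ $slug ] ) ) {
        return null;
    }
    $versions = $corpus[ $slug ];
    $version  = $version ?? max( array_keys( $versions ) );
    if ( ! isset( $versions[ $version ] ) ) {
        return null;
    }
    return [
        'title'   => ucwords( str_replace( '-', ' ', $slug ) ),
        'version' => $version,
        'body'    => $versions[ $version ],
    ];
}

/** Build the standalone document. Every dynamic value is escaped or filtered before output. */
function example_trust_center_document( array $policy ): string {
    $title   = esc_html( $policy['title'] );
    $version = (int) $policy['version'];
    $body    = wp_kses_post( $policy['body'] ); // Editor content: allow only WordPress' safe post HTML.
    $css     = 'body{font-family:system-ui,sans-serif;max-width:48rem;margin:2rem auto;padding:0 1rem}';

    return "<!doctype html>\n<html lang=\"en\"><head><meta charset=\"utf-8\">"
        . "<title>{$title} (v{$version})</title><style>{$css}</style></head>"
        . "<body><h1>{$title}</h1><p>Version {$version}</p>{$body}</body></html>";
}
```

Requesting /trust-center/policy/access-control/ serves version 2; /trust-center/policy/access-control/version/1/ serves the archived text, and /trust-center/policy/access-control/version/3/ gets a plain 404 without the theme's template. Because the handler exits on both paths, a theme that enqueues third-party scripts or fonts cannot affect the trust-center pages, which is what makes the "zero theme conflicts" and "no fonts loaded from Google" claims hold at the HTTP level.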
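The accent-colour clamp is a small, well-defined algorithm, so here is an added worked example (written for this page, not taken from OpenTrust): parse the brand hex, convert to HSL, and lower lightness in fixed steps until the colour reaches a 4.5:1 contrast ratio against white. The relative-luminance and contrast-ratio formulas are the WCAG 2.x definitions; the function names, the 0.01 step size and the input validation are assumptions.

```php
<?php
// Added example (not OpenTrust's own code) of the WCAG-aware accent clamp the
// overview describes: convert the brand hex to HSL and lower its lightness until
// the colour reaches a 4.5:1 contrast ratio against white. The function names
// and the 0.01 step are assumptions; the luminance and contrast formulas are WCAG 2.x.

/** Parse "#rrggbb", "rrggbb" or "#rgb" into [r, g, b] in 0..1, or null if malformed. */
function example_hex_to_rgb( string $hex ): ?array {
    $hex = ltrim( trim( $hex ), '#' );
    if ( preg_match( '/^[0-9a-fA-F]{3}$/', $hex ) ) {
        $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
    }
    if ( ! preg_match( '/^[0-9a-fA-F]{6}$/', $hex ) ) {
        return null; // Reject anything that is not a colour before it can reach the stylesheet.
    }
    return [
        hexdec( substr( $hex, 0, 2 ) ) / 255,
        hexdec( substr( $hex, 2, 2 ) ) / 255,
        hexdec( substr( $hex, 4, 2 ) ) / 255,
    ];
}

function example_rgb_to_hex( array $rgb ): string {
    return '#' . implode( '', array_map(
        fn( float $c ): string => sprintf( '%02x', (int) round( $c * 255 ) ),
        $rgb
    ) );
}

/** WCAG relative luminance of an sRGB colour (channels linearised first). */
function example_relative_luminance( array $rgb ): float {
    $lin = array_map(
        fn( float $c ): float => $c <= 0.03928 ? $c / 12.92 : ( ( $c + 0.055 ) / 1.055 ) ** 2.4,
        $rgb
    );
    return 0.2126 * $lin[0] + 0.7152 * $lin[1] + 0.0722 * $lin[2];
}

/** Contrast ratio (L1 + 0.05) / (L2 + 0.05) against white, whose luminance is 1.0. */
function example_contrast_on_white( array $rgb ): float {
    return ( 1.0 + 0.05 ) / ( example_relative_luminance( $rgb ) + 0.05 );
}

function example_rgb_to_hsl( array $rgb ): array {
    [ $r, $g, $b ] = $rgb;
    $max = max( $r, $g, $b );
    $min = min( $r, $g, $b );
    $l   = ( $max + $min ) / 2;
    if ( $max == $min ) {
        return [ 0.0, 0.0, $l ]; // Achromatic: hue and saturation are undefined, use 0.
    }
    $d = $max - $min;
    $s = $l > 0.5 ? $d / ( 2 - $max - $min ) : $d / ( $max + $min );
    if ( $max == $r ) {
        $h = ( $g - $b ) / $d + ( $g < $b ? 6 : 0 );
    } elseif ( $max == $g ) {
        $h = ( $b - $r ) / $d + 2;
    } else {
        $h = ( $r - $g ) / $d + 4;
    }
    return [ $h / 6, $s, $l ];
}

function example_hsl_to_rgb( array $hsl ): array {
    [ $h, $s, $l ] = $hsl;
    if ( 0.0 == $s ) {
        return [ $l, $l, $l ];
    }
    $q   = $l < 0.5 ? $l * ( 1 + $s ) : $l + $s - $l * $s;
    $p   = 2 * $l - $q;
    $hue = function ( float $t ) use ( $p, $q ): float {
        if ( $t < 0 ) { $t += 1; }
        if ( $t > 1 ) { $t -= 1; }
        if ( $t < 1 / 6 ) { return $p + ( $q - $p ) * 6 * $t; }
        if ( $t < 1 / 2 ) { return $q; }
        if ( $t < 2 / 3 ) { return $p + ( $q - $p ) * ( 2 / 3 - $t ) * 6; }
        return $p;
    };
    return [ $hue( $h + 1 / 3 ), $hue( $h ), $hue( $h - 1 / 3 ) ];
}

/**
 * Darken the accent in HSL until it clears $min_ratio on white. Hue and
 * saturation are kept, so the brand colour stays recognisable. Returns the
 * adjusted hex, or null when the input is not a valid colour.
 */
function example_clamp_accent_for_white( string $hex, float $min_ratio = 4.5, float $step = 0.01 ): ?string {
    $rgb = example_hex_to_rgb( $hex );
    if ( null === $rgb ) {
        return null;
    }
    [ $h, $s, $l ] = example_rgb_to_hsl( $rgb );
    while ( example_contrast_on_white( $rgb ) < $min_ratio && $l > 0 ) {
        $l   = max( 0.0, $l - $step );
        $rgb = example_hsl_to_rgb( [ $h, $s, $l ] );
    }
    return example_rgb_to_hex( $rgb );
}

// A pale brand yellow fails 4.5:1 on white; the clamp returns a darker shade of the same hue.
var_dump( example_clamp_accent_for_white( '#ffcc00' ) );
```

Two points worth noting for anyone reimplementing this: the loop only ever darkens, so a colour that already passes is returned unchanged, and the hex validation runs before any arithmetic, which means a malformed or injected "colour" from a settings field is rejected rather than interpolated into the inlined stylesheet.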
What it does NOT do
- No paid tier, no unlock screens, no "pro add-on."
- No automatic PDF rendering. If you want a PDF download next to a policy, upload your authoritative version via the media library and OpenTrust shows the Download button.
- No multisite-network mode in v1.x. Single-site activations work fine.
- No template-override mechanism. Templates live inside the plugin and are not overridable from your theme. If you need to fork rendering, fork the plugin.
Requirements
- WordPress 6.0 or newer
- PHP 8.1 or newer
- libsodium (bundled with PHP 7.2+) for secret encryption
At a glance
| Latest version | 1.0.0 |
| License | GPL-2.0-or-later |
| Source | github.com/nolderoos/opentrust |
| Author | Ettic |
Where to next
- Installation: Install, activate, and pass the pretty-permalinks check.
- Configuration: Every settings field across General, Contact, AI Chat, and Import & Export.
- Usage: Adding content, policy versioning, catalog autofill, multilingual setup.
- AI Chat: Provider choice, key encryption, budgets, Turnstile, and what visitors see.
- Privacy & Security: What's sent off-site, libsodium-encrypted secrets, hashed-only logging.
- Developers: Filters, REST API, post types and meta, programmatic API.