Hooks

OpenTrust intentionally has a small filter surface. Most extensibility lives in:

The four catalog filters (subprocessors, data practices, certifications, FAQs).
Two filters governing the wp.org review prompt.
The public Repository API for read access (see Programmatic API).

There are no plugin-fired do_action hooks. OpenTrust consumes WordPress core actions and re-fires apply_filters('the_content', ...) on policy bodies, but does not emit opentrust_* actions.

All hooks are prefixed opentrust_. Add-ons should use the same prefix.

Catalogs

The bundled catalogs are pure-PHP arrays loaded once per request and cached in-memory for that request. The four catalog filters let you extend or replace them.

`opentrust_subprocessor_catalog`

Add or replace entries in the bundled subprocessor catalog (~200 vendors). The filter receives the raw catalog array.

add_filter( 'opentrust_subprocessor_catalog', function ( $catalog ) {
    $catalog[] = [
        'name'     => 'Acme Email API',
        'aliases'  => [ 'Acme Mail', 'AcmeMail' ],
        'fields'   => [
            'purpose'        => 'Transactional email delivery.',
            'data_processed' => 'Email address, message body.',
            'country'        => 'United States',
            'website'        => 'https://example.com',
            'dpa_signed'     => true,
        ],
    ];
    return $catalog;
} );

`opentrust_data_practice_catalog`

Same shape, for the data-practice catalog.

add_filter( 'opentrust_data_practice_catalog', function ( $catalog ) {
    $catalog[] = [
        'name'    => 'Customer support transcripts',
        'aliases' => [ 'Support tickets' ],
        'fields'  => [
            'data_items'       => [ 'name', 'email', 'message body' ],
            'purpose'          => 'Resolving customer support requests.',
            'legal_basis'      => 'contract',
            'retention_period' => '24 months',
            'shared_with'      => [ 'Helpdesk SaaS provider' ],
            'collected'        => true,
            'stored'           => true,
            'shared'           => true,
            'sold'             => false,
            'encrypted'        => true,
        ],
    ];
    return $catalog;
} );

`opentrust_certification_catalog`

Same shape, for the certification catalog (SOC 2, ISO 27001, ISO 27701, HIPAA, PCI-DSS, etc.).

add_filter( 'opentrust_certification_catalog', function ( $catalog ) {
    $catalog[] = [
        'name'    => 'Acme Industry Standard',
        'aliases' => [ 'AIS' ],
        'fields'  => [
            'cert_type'     => 'compliant',
            'issuing_body'  => 'Acme Industry Body',
            'description'   => 'Voluntary industry compliance scheme.',
        ],
    ];
    return $catalog;
} );

Customize the FAQs that get seeded once on first activation. Affects fresh installs only: the seeder is gated by an opentrust_faqs_seeded flag option, so this filter is a no-op on existing installs.

add_filter( 'opentrust_faq_catalog', function ( $catalog ) {
    $catalog[] = [
        'title'   => 'Where is your data hosted?',
        'content' => '<p>Our primary infrastructure runs in EU-West-1.</p>',
        'related_policy_slug' => 'data-hosting-policy',
    ];
    return $catalog;
} );

The related_policy_slug is optional. If the matching ot_policy post exists at seed time, the seeder wires the FAQ-to-policy link.

Catalog entry shape (full reference)

Every catalog entry is an array with up to three keys.

Key	Type	Purpose
`name`	string	The display title. The typeahead matches against this and the `aliases`.
`aliases`	string[]	Optional alternative names. Useful for vendor brand changes ("Twilio" / "SendGrid") or common abbreviations.
`fields`	array	Auto-fill values for the meta box on the Add-New screen. Keys correspond to the postmeta keys for that CPT, minus the `_ot_` prefix.

Catalog entries do not write to the database. The autofill fires on the Add-New screen only and pre-populates form fields; the user can still override before save.

wp.org review prompt

Two filters govern the one-time review prompt that nudges admins to leave a wp.org review after a milestone usage threshold.

`opentrust_show_review_notice`

Suppress the review notice entirely.

add_filter( 'opentrust_show_review_notice', '__return_false' );

Useful on staging or single-tenant installs where the review prompt is noise.

`opentrust_review_url`

Override the destination URL of the review CTA.

add_filter( 'opentrust_review_url', function ( $url ) {
    return 'https://example.com/feedback';
} );

What's not a hook

Templates. OpenTrust has no locate_template-style template-override filter. Templates load via hard require / include. See Developers / Index → Templates are not overridable.
REST routes. Only one route exists (POST /wp-json/opentrust/v1/chat) and it is not extension-friendly. If you want a different chat backend, fork the plugin or build a parallel route in your own plugin.
Render-time hooks. There are no opentrust_before_* / opentrust_after_* actions on the public trust center page. Section ordering is fixed in v1.x.

Cache-invalidation events

Internal but useful to know. OpenTrust wires every CPT save / delete / trash / status-transition event to a single cache-invalidation callback via OpenTrust_CPT::register_invalidator(). The callback bumps opentrust_cache_version, which is included in every transient cache key, so all locale variants of the corpus and the rendered page go stale atomically.

If you write code that mutates an OpenTrust CPT post directly (e.g. wp_update_post() calls in a migration script), the standard WordPress hooks fire and OpenTrust's invalidator runs automatically. You don't need to bump the cache version manually.