Site Integration Plan

Audience: Whoever next updates the hailbytes-static Hugo site to surface the trust package.

Purpose: Propose how to integrate the trust-package artifacts into the existing hailbytes.com information architecture, respecting the conventions already in place rather than imposing a new IA.

Status as of 2026-05-11: the integration described below is built and live. Trust Center page at hugo-site/content/pages/trust.html (route /trust/); trust-package documents at hugo-site/content/partners/trust-package/*.md (routes /partners/trust-package/...); navigation entry in hugo-site/layouts/partials/header.html under “Learn”. This file is retained for historical context and as the basis of future site-IA decisions (e.g., when SOC 2 attestation lands and the Trust Center adds a badge widget).

1. Existing IA, what we already have

Three audience-relevant top-level pages already exist:

• hugo-site/content/pages/compliance.html, framework mapping (PCI DSS 4.0, SOC 2 CC7.x, NIST CSF 2.0, ISO 27001:2022, HIPAA, CIS v8 IG1/IG2, GDPR Art. 32, FedRAMP Moderate, NYDFS 23 NYCRR 500). Status currently positioned as “Framework Aligned” rather than “Certified.”
• hugo-site/content/pages/security.html, security architecture, vulnerability disclosure, encryption, access controls, monitoring, incident response, vendor management.
• hugo-site/content/pages/privacy.html, GDPR/CCPA language, self-hosted/data-minimization framing.

Two audience-relevant partner-facing surfaces exist:

• hugo-site/content/pages/partners.html, partner program landing.
• hugo-site/content/pages/for-mssps.html, channel-specific pitch.
• hugo-site/content/pages/for-pentest-firms.html, pentest-firm audience.

Partner-document source lives in /partner-docs/ (markdown originals D1–D8) and is served at hugo-site/static/partner-docs/.

The site does not currently surface a “Trust Center” hub page that aggregates security + compliance + privacy + per-release evidence into a single procurement-reviewer landing surface.

2. Proposed integration, three audiences

Audience A: procurement reviewers landing from a deal

When an enterprise security architect or procurement lead clicks a link in a sales email or in a Marketplace listing, the most efficient landing surface is a single “Trust Center” index.

Proposed:

• A new page at hugo-site/content/pages/trust.html (route /trust/) that mirrors the README.md of the trust package as a Hugo page. It links out to each trust-package artifact and to compliance.html, security.html, privacy.html.
• The trust-package markdown files in partners/trust-package/ are rendered as Hugo pages under the URL prefix /partners/trust-package/. Existing partner-docs precedent (under /partner-docs/) suggests creating a Hugo content section so each file becomes its own URL. Specifically:
  • Add a partners/trust-package/_index.md content file that renders README.md content at /partners/trust-package/.
  • Each file in the directory becomes /partners/trust-package/<filename>/ automatically via Hugo’s default routing once the section is wired into hugo-site/content/partners/trust-package/ (a sibling to hugo-site/content/pages/, or as a section under hugo-site/content/).
• Navigation: add a “Trust Center” link in the existing “Learn” dropdown in hugo-site/layouts/partials/header.html, pointing at /trust/. The trust-package URLs are accessed transitively from the Trust Center landing.

Audience B: co-sellers and channel partners

A partner rep landing from the AWS or Azure co-sell portal, or from the partner-program page, needs the marketplace-hub content in §1 of marketplace-hub-content.md plus links to the same trust artifacts.

Proposed:

• Add a “Procurement-grade trust package” section to hugo-site/content/pages/partners.html linking to /trust/ and quoting the “Why enterprise buyers choose HailBytes” paragraph from marketplace-hub-content.md §1.
• Update hugo-site/content/pages/for-mssps.html to reference the trust package where it currently mentions “SOC 2, HIPAA, and cyber-insurance compliance bundles.”
• Add a parallel reference to hugo-site/content/pages/for-pentest-firms.html.
• marketplace-hub-content.md itself remains in /partners/trust-package/ rather than getting a separate site page; channel partners cite it as the canonical source for approved language.

Audience C: independent security-curious visitors landing from organic search

A visitor who lands from a search like “HailBytes SBOM” or “HailBytes BYOC architecture” lands directly on the specific artifact. The discoverability requirement is:

• Each trust-package page has its own <title>, <meta description>, and JSON-LD WebPage structured-data block consistent with the existing compliance.html / security.html patterns.
• The Trust Center landing at /trust/ carries a JSON-LD Organization block similar to the one on partners.html, and links to each artifact under it.

3. Concrete file changes

Once this plan is approved, the implementation diff is roughly:

+ hugo-site/content/pages/trust.html                       (new, Trust Center landing)
+ hugo-site/content/partners/trust-package/_index.md       (new, section index, renders README.md content)
+ hugo-site/content/partners/trust-package/byoc-architecture.md         (mirrored or symlinked)
+ hugo-site/content/partners/trust-package/security-evidence-package.md
+ hugo-site/content/partners/trust-package/subprocessor-list.md
+ hugo-site/content/partners/trust-package/lgpd-compliance.md
+ hugo-site/content/partners/trust-package/bcp-dr-plan.md
+ hugo-site/content/partners/trust-package/key-person-succession.md
+ hugo-site/content/partners/trust-package/caiq-lite.md
+ hugo-site/content/partners/trust-package/insurance-coverage.md
+ hugo-site/content/partners/trust-package/compliance-roadmap.md
+ hugo-site/content/partners/trust-package/references-and-evidence.md
+ hugo-site/content/partners/trust-package/marketplace-hub-content.md
~ hugo-site/layouts/partials/header.html                   (add /trust/ to Learn dropdown)
~ hugo-site/content/pages/partners.html                    (add procurement-grade trust-package section)
~ hugo-site/content/pages/for-mssps.html                   (cross-link)
~ hugo-site/content/pages/for-pentest-firms.html           (cross-link)
~ hugo-site/content/pages/compliance.html                  (cross-link to /trust/ for per-release evidence)
~ hugo-site/content/pages/security.html                    (cross-link to /trust/)

Whether the per-page mirroring is by symlink (one source of truth in partners/trust-package/) or by content copy depends on Hugo’s preferred pattern for the codebase. The existing partner-docs are served as static files under hugo-site/static/partner-docs/; the trust-package files would benefit from being Hugo-rendered (so they get the site chrome and JSON-LD), so the content path is the cleaner choice. The build step can use a small script in Makefile to keep the two trees in sync, or content-engineering can decide that partners/trust-package/ is the source and the static-root copy is removed.

Recommendation: keep partners/trust-package/ as the canonical source, render via Hugo at /partners/trust-package/, and skip the hugo-site/static/ copy.

4. Diagram convention

byoc-architecture.md §4 references an SVG diagram at /images/diagrams/byoc-data-boundary.svg. The existing site uses pre-rendered SVGs (asm-scan-pipeline.svg, sat-campaign-lifecycle.svg, defense-in-depth.svg, compliance-mapping.svg). The new diagram should be authored in the same convention by HailBytes’ designer and committed alongside the rest.

The ASCII placeholder in byoc-architecture.md §4 is functional in the meantime, Hugo will render the fenced code block, and procurement reviewers reading the markdown directly (e.g., from the GitHub repo) will see it without needing the SVG.

5. SEO and structured data

The existing pattern (compliance.html, security.html, partners.html) carries inline <script type="application/ld+json"> blocks with Organization and WebPage schemas. Apply the same pattern to:

• The Trust Center landing (/trust/), WebPage with about linking to HailBytes Organization, plus mainEntity enumerating the trust-package items as CreativeWork entries.
• Each trust-package artifact page, WebPage schema with appropriate description mirroring the file’s “Purpose” paragraph.

6. Search / on-site discovery

The marketing site does not currently expose a search box. If future site work adds one, the trust-package content should be in the search index, these documents are high-intent and procurement reviewers will use the search to find specific control answers (e.g., “key rotation,” “encarregado,” “SBOM”).

7. What this plan does not change

• The existing /compliance/, /security/, /privacy/ pages are kept. The Trust Center is additive, it aggregates and links rather than replaces.
• Partner-docs D1–D8 are kept under /partner-docs/. The trust package is a new D9-equivalent (procurement-grade) tier rather than a replacement of the existing partner-docs.
• The marketplace listing copy is not changed by this plan; marketplace-hub-content.md is the source for any future copy updates.

Cross-references: README.md of the trust package (the source for the Trust Center landing content); marketplace-hub-content.md (the source for the partners-page and Marketplace copy updates).