SIFTR Trust Centre
A single source of truth for how SIFTR delivers secure, transparent and defensible CAF evidence mapping.
SIFTR supports cyber security and assurance teams to understand how existing organisational documentation aligns to the UK Cyber Assessment Framework (CAF), using quoted, auditable evidence.
SIFTR is designed to support judgement — not replace it.
What SIFTR does
SIFTR helps organisations to:
- Upload existing governance and assurance artefacts, such as policies, strategies, risk documentation and oversight papers
- Analyse those documents against CAF outcomes (starting with Domain A: Governance)
- Identify where explicit evidence is present, limited, or absent
- Present quote-backed references that can be reviewed, challenged and reused in internal assurance activity
Evidence is surfaced exactly as it appears in the uploaded documents. No additional content is generated or inferred.
Evidence coverage labels
SIFTR reports evidence coverage using the following labels:
- Strong — clear, explicit evidence is present and directly supports the CAF outcome
- Partial — some relevant evidence is present, but gaps or ambiguity remain
- None — no explicit evidence was found in the uploaded documents
These labels reflect evidence presence only. They are not scores, maturity ratings, or compliance judgements.
What SIFTR does not do
To maintain accuracy, proportionality and defensibility, SIFTR does not:
- Assign CAF maturity ratings or Red/Amber/Green (RAG) status
- Score organisational cyber security capability
- Make compliance or assurance decisions
- Claim controls are effective without supporting evidence
- Replace internal governance, risk ownership or audit processes
Where evidence is not present, SIFTR will state this clearly.
How to use this Trust Centre
This Trust Centre explains:
- The scope and limitations of SIFTR’s CAF mapping
- How documents are processed and mapped to CAF outcomes
- How data is protected throughout its lifecycle
- How outputs are logged to support audit and traceability
- How to raise questions, concerns or disclosures
Each section is written to support review by security architects, governance professionals and assurance teams.
Pages
- Scope & limitations — what SIFTR covers today, and what it intentionally does not
- How SIFTR works — how documents are analysed and mapped to CAF outcomes
- Security & data protection — how uploaded information is handled and protected
- Auditability & traceability — what is recorded to support review and accountability
Contact
For trust, documentation or governance enquiries: trust@siftr.so
For security-related disclosures: security@siftr.so
SIFTR is operated by a small founding team. All enquiries are handled directly.
Last updated: January 2026