Generates a complete EU Trust Centre page that answers the 8 canonical EU buyer questions (GDPR compliance, data storage, residency, DPA, subprocessors, data collection and retention, third-party AI providers, security standards). Produces the full page in extractable format with BLUF, answer blocks, JSON-LD FAQPage schema, and a DPA request CTA. Uses proprietary Optise answer ordering (Q1→Q2→Q3→Q8→Q4→Q5→Q6→Q7) optimized for European procurement review flows. Use whenever the user needs to draft, audit, or expand a Trust Centre page, trust portal, GDPR FAQ, security centre, or any page answering EU compliance questions. Never invents data residency, certifications, or subprocessors. Authored by Optise + Helix GTM Consulting.
Slash command: `/optise-helix-aeo-toolkit:optise-helix-eu-trust-centre`

Summary shown in Claude's skill listing (used to decide when to auto-load this skill): Generates a complete EU Trust Centre page that answers all 8 canonical EU buyer questions in procurement-optimized order, with JSON-LD FAQPage schema and a DPA request CTA.
This is the European differentiator skill. EU B2B buyers evaluate compliance before anything else — a company without a findable, extractable Trust Centre is functionally invisible to EU procurement processes even if it's technically compliant. This skill turns compliance facts into citable, AI-engine-readable content.
The 8 questions come from the Optise EU AEO Playbook, Section 7 (page 12). The output order (Q1→Q2→Q3→Q8→Q4→Q5→Q6→Q7) is proprietary — it optimizes for the filter-then-verify flow EU security reviewers actually use.
This skill operates under TWO mandatory reference files that together define all operating rules. Read both files first, before executing any workflow step in this SKILL.md. The rules in both files are non-negotiable and override any conflicting instruction in this SKILL.md body.
../../references/operating-principles.md — the shared core: 7 universal rules (rigor, challenge-assumptions, no-harmful-output, fact-check with 4-tier source hierarchy, no-LLMisms, HILT discipline with Question Budget, zero-assumption flagging) that apply to every skill in this plugin and every plugin using this pattern. This file is byte-identical across all plugins that use the shared-core pattern.
../../references/plugin-specific-rules.md — the plugin-specific tail: additional operational rules tailored to the skills in THIS plugin. Read this file AFTER the shared core, not instead of it. If this plugin currently has no plugin-specific rules, the file will be a stub explaining the architecture.
These are the highest-frequency rules from the two files above. Reading the full files is still mandatory — these reminders are a quick-reference, not a substitute.
- "[user] acquired [competitor]", "[competitor] acquired by", "[competitor] Crunchbase acquisition", "[user] vs [competitor]". Any positive ownership hit is a HARD STOP — invoke Rule 3's no-harmful-output protection.
- `web_fetch` before marking them [EXISTS]. Only ask the user about URLs when fetch returns an ambiguous result (403, 429, 500, timeout, redirect loop). Do not ask the user about every URL; that is endless interrogation, not verification.
- `Assumption:` flags in the output.
- `Assumption:` prefix in the output so users can correct anything the skill got wrong. Use the `[User to add: <description>]` placeholder convention for any field where the user must supply specific information.
- If a domain rule in Section 7 of this SKILL.md (or any other section) appears to conflict with a rule in operating-principles.md or plugin-specific-rules.md, the operating principles win. Domain rules MAY add specific enforcement for a skill's particular failure modes, but they MUST NOT weaken the operating principles. When in doubt, escalate the conflict to the user as a HARD STOP question rather than silently picking one interpretation.
Never invent the user's compliance data. If the user doesn't know their data residency, subprocessor list, AI provider stack, or security certifications, use [User to add: ...] placeholders. Getting this wrong gets companies sued — placeholders are never the wrong answer; invented facts always are.
Detect persona using references/personas.md. Adapt output:
| Persona | Output adaptation |
|---|---|
| CEO / Founder | Generate the page. Close with CFO-grade ask: "publishing this page costs nothing; not publishing costs [N] EU deals per quarter." |
| Marketing / Growth Lead (default) | Full page + JSON-LD schema + section-by-section copy + DPA CTA + handoff note. |
| Web Team | Full page as HTML file with JSON-LD in <head>. Skip marketing framing. Ready to paste into CMS. |
| RevOps / Sales Ops | Add a "what to log in CRM when a buyer hits this page" section with suggested UTM parameters and lead scoring impact. |
| Security / Privacy / Legal (primary audience) | Lead with legal precision. Flag every assumption. Add "what your DPO should verify before publishing." Highest fidelity output. |
Detection signals: see references/personas.md. Default for this skill is Security/Privacy/Legal or Marketing depending on context (unlike other skills where default is Marketing only).
Platform mode:
Urgency: "Quick" → output only the 4 highest-priority questions (Q1, Q2, Q3, Q8) in abbreviated form. Time-stamped.
Question priority order (NOT the sequential order — this is what to fill first if the user has incomplete data):
[User to add: exact region] — never assume EU.
Tie-breakers:
`optise-helix-fitq-audit` with a custom prompt: "Audit this URL for FITq, but specifically check whether each of the 8 EU buyer questions from references/eu-buyer-questions.md has a visible, extractable answer. For any question that's missing or weak, output the question number and the gap. Do not write new content — flag gaps only." When FITq returns results, this skill reads the gap list and offers to generate replacement sections for any gaps.
Required (minimum):
Optional but preferred:
Failure mode: If fewer than 4 required inputs are provided → ask once, listing all 4 required fields. Don't proceed with partial required inputs.
Use references/personas.md. Default is Security/Privacy/Legal for this skill (not Marketing) when signal is ambiguous.
Read references/eu-buyer-questions.md. Apply the Answer Assembly Rule ordering (Q1→Q2→Q3→Q8→Q4→Q5→Q6→Q7).
Use Pattern 6 (Compliance Anchor) from the BLUF writer rules. The BLUF must:
Example BLUF:
[Company name] is GDPR-compliant with SOC 2 Type II and ISO 27001 certifications. Customer data is stored in AWS eu-central-1 (Frankfurt) and AWS eu-west-1 (Dublin failover). Our pre-signed Data Processing Agreement is downloadable below, and our 14 subprocessors are published with 30-day change notice.
For each question, use the template from references/eu-buyer-questions.md. Each section:
[User to add: ...] placeholders for any missing facts
Failure mode: If any required fact is missing, insert the placeholder rather than inventing. Never fill in "EU" when region is unknown. Never claim certifications that aren't actually held.
Build a FAQPage schema block with all 8 Q&A pairs. Each Answer's text field mirrors the visible 1-sentence direct answer from Step 5.
Two options depending on user input:
For Security persona output only, add a pre-publish verification checklist:
Use Section 5 format.
Related skills: `optise-helix-fitq-audit`, `optise-helix-prompt-pack-builder`, `optise-helix-bluf-writer`

**Built for:** [persona]
**Company:** [name]
**Inputs used:** [summary of provided facts]
**Inputs missing:** [list of fields where placeholders were inserted]
---
## Trust & Compliance
[BLUF - 40-60 words]
### Is [Company] GDPR compliant?
[1-sentence answer]
[3-5 sentence expansion]
**Where to verify:** [links]
### Is customer data stored in the EU?
[same format]
### Does [Company] offer EU data residency?
[same format]
### What security standards does [Company] meet?
[same format — note: Q8 moved up per Answer Assembly Rule]
### Can I get a DPA for [Company]?
[same format]
### Who are [Company]'s subprocessors?
[same format with subprocessor table]
### What data does [Company] collect and how long is it retained?
[same format with retention table]
### Does [Company] use third-party AI providers?
[same format]
---
**Need a DPA now?** [CTA block]
---
## JSON-LD FAQPage schema (for <head> or inline)
```json
{...}
```
[Handoff]
### Example 1 — Happy path (Marketing lead, partial data — Optise)
> **Built for:** Marketing / Growth Lead
> **Company:** Optise
> **Inputs used:** GDPR compliant, SOC 2 Type II in progress
> **Inputs missing:** Data residency region, DPA link, subprocessors, AI providers, retention periods
>
> ---
>
> ## Trust & Compliance
>
> Optise is GDPR-compliant and currently pursuing SOC 2 Type II certification. Customer data is stored in [User to add: specific AWS/GCP region — do not publish "EU" without the exact region]. Our Data Processing Agreement is available on request at [User to add: DPA request email or URL]. Subprocessors and retention policies are published below.
>
> ### Is Optise GDPR compliant?
>
> Yes. Optise is GDPR-compliant and operates as a Data Processor under EU Regulation 2016/679.
>
> We comply with GDPR Articles 28 (processor obligations), 30 (records of processing), 32 (security of processing), and 33 (breach notification). Our Data Processing Agreement is available to any customer before contract execution. We maintain a record of all processing activities. [User to add: name and contact of your DPO or Privacy Lead].
>
> **Where to verify:** [User to add: link to DPA page] · [User to add: link to GDPR FAQ]
>
> ### Is customer data stored in the EU?
>
> `[User to add: direct answer — YES with exact region, or NO/partial with explanation. Do not leave this blank. Do not write "EU" without the specific region.]`
>
> `[User to add: 3-5 sentence expansion describing the primary and backup regions, whether data leaves those regions for any operations, and who makes the decision if region changes.]`
>
> **Where to verify:** `[User to add: link to data residency page]`
>
> ### Does Optise offer EU data residency?
>
> `[User to add: YES/NO/on specific plans, with the plan name and how to request it]`
>
> `[User to add: expansion describing what data stays in the region, any exceptions for support/analytics/AI processing, and who the customer notifies to elect residency]`
>
> **Where to verify:** `[User to add: link]`
>
> ### What security standards does Optise meet?
>
> Optise is currently pursuing SOC 2 Type II certification and aligns with GDPR requirements.
>
> | Standard | Status | Verification |
> |---|---|---|
> | SOC 2 Type II | In progress — target Q3 2026 | Attestation letter available on request |
> | ISO 27001 | `[User to add: status or "not pursuing"]` | — |
> | GDPR | Compliant | DPA available on request |
> | EU AI Act | `[User to add: status or "self-assessment complete"]` | — |
>
> `[User to add: annual pen test vendor and frequency, incident disclosure SLA, security team contact]`
>
> ### Can I get a DPA for Optise?
>
> Yes. Our Data Processing Agreement is available to all customers on request.
>
> `[User to add: Is it self-serve downloadable or request-based? Does it incorporate EU SCCs? Pre-signed or requiring your signature? Turnaround time for standard vs negotiated versions?]`
>
> **Where to verify:** Email `[User to add: [email protected] or equivalent]`
>
> ### Who are Optise's subprocessors?
>
> `[User to add: full subprocessor table with: Subprocessor | Service | Data type processed | Region]`
>
> **Example row format:**
>
> | Subprocessor | Service | Data type | Region |
> |---|---|---|---|
> | [name] | [hosting/email/billing/LLM] | [customer content/metadata/anonymous] | [eu-central-1/etc] |
>
> We notify customers 30 days before adding any new subprocessor.
>
> **Where to verify:** `[User to add: link to live subprocessor page]`
>
> ### What data does Optise collect and how long is it retained?
>
> `[User to add: retention table covering account info, usage telemetry, customer content, support tickets, with purpose and retention period per row]`
>
> ### Does Optise use third-party AI providers?
>
> `[User to add: YES/NO, which providers, what data flows to them, customer content scope, opt-out mechanism]`
>
> ---
>
> **Need a DPA now?** Email `[User to add: [email protected]]` to request one. Standard turnaround: 48 hours for self-serve, 5 business days for negotiated versions.
>
> ---
>
> ## JSON-LD FAQPage schema
>
> ```json
> {
> "@context": "https://schema.org",
> "@type": "FAQPage",
> "mainEntity": [
> {
> "@type": "Question",
> "name": "Is Optise GDPR compliant?",
> "acceptedAnswer": {
> "@type": "Answer",
> "text": "Yes. Optise is GDPR-compliant and operates as a Data Processor under EU Regulation 2016/679. Our DPA is available on request."
> }
> },
> {
> "@type": "Question",
> "name": "Is customer data stored in the EU?",
> "acceptedAnswer": {
> "@type": "Answer",
> "text": "[User to add: direct answer with exact region before publishing this schema]"
> }
> }
> // ... 6 more Q&A pairs for Q3-Q7
> ]
> }
> ```
>
> ## ⚠️ Before publishing
>
> This draft has 7 `[User to add: ...]` placeholders covering data residency, DPA mechanism, subprocessors, retention, AI providers, and security details. **Do not publish with placeholders visible.** Fill in each one with real facts from your infrastructure, legal, and security teams — or delay publishing until the facts are known. Publishing a Trust Centre with unfilled placeholders is worse than not publishing one at all (EU buyers will assume you're hiding something).
>
> ## Suggested next step
> Gather the 7 missing facts from Engineering, Legal, and Security. Once complete, re-run this skill with the full input set — or run `optise-helix-fitq-audit` on the published page to verify it scores well on FITq Trust signal.
### Example 2 — Edge case (user wants just the DPA section)
> **Section-only mode:** Q4 (DPA availability) only.
>
> ### Can I get a DPA for [Company]?
>
> Yes. Our Data Processing Agreement is available to all customers and can be signed before contract execution.
>
> The [Company] DPA incorporates the EU Standard Contractual Clauses (SCCs) where data transfers outside the EU are involved. It is pre-signed by [Company] and only requires the customer's countersignature. The DPA covers processing instructions, security measures (Annex II), subprocessor list (Annex III), and data subject rights handling. Negotiated DPAs are available for [User to add: enterprise tier].
>
> **Where to verify / how to get it:** Email [User to add: DPA email] OR [link to self-serve DPA download page].
>
> ## Partial JSON-LD (FAQPage fragment for just Q4)
>
> ```json
> {
> "@context": "https://schema.org",
> "@type": "Question",
> "name": "Can I get a DPA for [Company]?",
> "acceptedAnswer": {
> "@type": "Answer",
> "text": "Yes. Our Data Processing Agreement incorporates EU SCCs and is pre-signed. Countersign and return to activate."
> }
> }
> ```
### Example 3 — CEO persona, hypothetical complete input
> **Built for:** CEO / Founder
> **Company:** [Company name]
>
> ## Trust Centre page — ready to ship
>
> [Full page content, generated from all provided facts]
>
> **Your CFO-grade ask:** Publishing this page costs ~4 hours of one person's time (mostly formatting for the CMS). Not publishing it costs approximately 20% of your EU outbound pipeline — EU procurement reviewers will silently disqualify you at the compliance checkpoint. Priority of all on-deck projects: top 3.
### Example 4 — Manual / JSON mode
**Input:**
```json
{
  "company_name": "Freshworks",
  "gdpr_compliant": true,
  "data_residency": "AWS eu-central-1 (Frankfurt) + AWS eu-west-1 (Dublin failover)",
  "dpa": {"available": true, "mechanism": "self_serve", "url": "https://www.freshworks.com/legal/dpa"},
  "certifications": ["SOC 2 Type II", "ISO 27001", "GDPR"],
  "ai_providers": [{"provider": "OpenAI", "via": "Azure OpenAI EU", "data_flow": "anonymized prompts only"}],
  "dpo_contact": "[email protected]",
  "subprocessor_page_url": "https://www.freshworks.com/legal/subprocessors",
  "mode": "manual"
}
```
**Output:**
```json
{
  "page_title": "Trust & Compliance — Freshworks",
  "bluf": "Freshworks is GDPR-compliant with SOC 2 Type II and ISO 27001 certifications. Customer data is stored in AWS eu-central-1 (Frankfurt) and AWS eu-west-1 (Dublin failover). Our pre-signed Data Processing Agreement is downloadable at freshworks.com/legal/dpa. Subprocessors are published with 30-day change notice.",
  "sections": [
    {"question": "Is Freshworks GDPR compliant?", "answer": "..."},
    {"question": "Is customer data stored in the EU?", "answer": "Yes. Customer data is stored in..."}
    // ... all 8 sections
  ],
  "json_ld_schema": {
    "@context": "https://schema.org",
    "@type": "FAQPage",
    "mainEntity": []
  },
  "dpa_cta": {
    "type": "self_serve",
    "text": "Download our pre-signed DPA at https://www.freshworks.com/legal/dpa. Countersign and return to complete.",
    "url": "https://www.freshworks.com/legal/dpa"
  },
  "placeholders_remaining": [],
  "generated_at": "2026-04-12T12:55:00Z"
}
```
For the Security persona, a `dpo_verification_checklist` field is added.
All 9 base rules from references/anti-hallucination-base.md apply. Additionally:
Domain rule 1: Never assume EU data residency. The moment the user says "EU-hosted" without specifying the region, push back. Writing "data stored in EU" when the real location is AWS us-east-1 gets companies sued for misrepresentation to EU customers.
Domain rule 2: Never invent subprocessor names. If the user doesn't provide a list, use the template with [User to add: ...] placeholders in every row.
Domain rule 3: Never claim certifications the user hasn't verified. "SOC 2 Type II certified" and "SOC 2 Type II in progress" are legally distinct claims — use exactly what the user says.
Domain rule 4: Never fabricate a DPO name or contact. If the user doesn't name one, use [User to add: DPO name and contact].
Domain rule 5: Never write an EU AI Act compliance claim without a user-provided risk classification. The Act has specific categories (minimal / limited / high / unacceptable risk) — claiming "compliant" without knowing your category is a legal risk.
Domain rule 6: Never publish placeholders. If the output contains [User to add: ...] strings, the final output must include the pre-publish warning from Example 1 ("Do not publish with placeholders visible").
Domain rule 7: Never translate legal language to other EU languages. The project rule is English-only at v1. Legal translations require native legal review.
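As an added worked example (not code from the Optise skill, the plugin or Helix GTM Consulting), the Node.js script below does the two mechanical parts of this workflow: it builds the FAQPage JSON-LD block in the Answer Assembly Rule order (Q1→Q2→Q3→Q8→Q4→Q5→Q6→Q7) with each `Answer.text` mirroring the one-sentence direct answer, and it produces the manual-mode `placeholders_remaining` list so Domain rules 1 and 6 can be enforced before anything is published. The question wording is taken from the output template above; the region-code regex, the `warnings`, `publishable` and `pre_publish_warning` fields, and the `ExampleCo` sample answers are this example's own assumptions, not something the skill defines. The `toScriptTag` helper is the check a web team wants before pasting the block into `<head>`: answer text is user-supplied, so `<` is escaped as `\u003c` to keep a stray `</script>` inside an answer from breaking out of the tag.

```javascript
// Added example (not code from the Optise skill or plugin): builds the FAQPage
// JSON-LD in Answer Assembly Rule order and gates publishing on placeholders.

// The 8 canonical questions keyed by playbook number; wording follows the
// output template above and "[Company]" is substituted at build time.
const EU_BUYER_QUESTIONS = {
  1: "Is [Company] GDPR compliant?",
  2: "Is customer data stored in the EU?",
  3: "Does [Company] offer EU data residency?",
  4: "Can I get a DPA for [Company]?",
  5: "Who are [Company]'s subprocessors?",
  6: "What data does [Company] collect and how long is it retained?",
  7: "Does [Company] use third-party AI providers?",
  8: "What security standards does [Company] meet?",
};

// Optise Answer Assembly Rule ordering (Q1→Q2→Q3→Q8→Q4→Q5→Q6→Q7).
const ANSWER_ORDER = [1, 2, 3, 8, 4, 5, 6, 7];

// The placeholder convention used throughout the skill.
const PLACEHOLDER_RE = /\[User to add:[^\]]*\]/g;

// Assumption (this example's heuristic, not a rule from the skill): a residency
// answer "names a region" only if it contains a cloud region code such as
// eu-central-1, europe-west3 or westeurope. "EU" alone does not count.
const REGION_CODE_RE = /\b([a-z]{2}-(?:[a-z]+-)+\d|europe-(?:west|north|central)\d|(?:west|north)europe)\b/i;

// Returns every placeholder found in a piece of text (empty array if none).
function findPlaceholders(text) {
  return String(text).match(PLACEHOLDER_RE) || [];
}

// Domain rule 1 check: does the Q2 answer name a concrete region?
function residencyNamesRegion(answer) {
  return REGION_CODE_RE.test(String(answer));
}

// Builds the schema.org FAQPage block. `answers` maps question number -> the
// one-sentence direct answer, which the Answer text mirrors verbatim.
function buildFaqPage(company, answers) {
  const mainEntity = ANSWER_ORDER.map((n) => ({
    "@type": "Question",
    name: EU_BUYER_QUESTIONS[n].replace(/\[Company\]/g, company),
    acceptedAnswer: { "@type": "Answer", text: String(answers[n]) },
  }));
  return { "@context": "https://schema.org", "@type": "FAQPage", mainEntity };
}

// Serialises the block for a <script type="application/ld+json"> tag. Answer
// text is user-supplied, so "<" is escaped as \u003c (still valid JSON) so a
// stray "</script>" inside an answer cannot close the tag early.
function toScriptTag(jsonLd) {
  const body = JSON.stringify(jsonLd, null, 2).replace(/</g, "\\u003c");
  return `<script type="application/ld+json">\n${body}\n</script>`;
}

// Mirrors the manual-mode fields json_ld_schema and placeholders_remaining;
// `warnings`, `publishable` and `pre_publish_warning` are this example's own
// additions (assumption) implementing Domain rules 1 and 6.
function assembleTrustCentre(company, answers) {
  const missing = ANSWER_ORDER.filter((n) => !answers[n]);
  if (missing.length) throw new Error(`No answer supplied for Q${missing.join(", Q")}`);
  const jsonLd = buildFaqPage(company, answers);
  const placeholders = [];
  for (const q of jsonLd.mainEntity) {
    for (const p of findPlaceholders(q.acceptedAnswer.text)) {
      placeholders.push({ question: q.name, placeholder: p });
    }
  }
  const warnings = [];
  if (!residencyNamesRegion(answers[2])) {
    warnings.push("Q2 names no concrete region (Domain rule 1): never assume EU");
  }
  return {
    json_ld_schema: jsonLd,
    placeholders_remaining: placeholders,
    warnings,
    publishable: placeholders.length === 0 && warnings.length === 0,
    // Domain rule 6: the pre-publish warning travels with any unfilled draft.
    pre_publish_warning: placeholders.length ? "Do not publish with placeholders visible." : null,
  };
}

// Constructed sample input (not a real company): the Example 1 situation,
// where residency, subprocessors, retention and AI providers are still open.
const SAMPLE_ANSWERS = {
  1: "Yes. ExampleCo is GDPR-compliant and operates as a Data Processor under EU Regulation 2016/679.",
  2: "[User to add: direct answer with exact region before publishing this schema]",
  3: "[User to add: YES/NO/on specific plans]",
  4: "Yes. Our Data Processing Agreement is available to all customers on request.",
  5: "[User to add: full subprocessor table]",
  6: "[User to add: retention table]",
  7: "[User to add: YES/NO, which providers]",
  8: "ExampleCo is currently pursuing SOC 2 Type II certification.",
};

const report = assembleTrustCentre("ExampleCo", SAMPLE_ANSWERS);
console.log(JSON.stringify({ ...report, json_ld_schema: "(omitted)" }, null, 2));
if (report.publishable) console.log(toScriptTag(report.json_ld_schema));
```

Run it with `node` on the sample above and it refuses to mark the draft publishable: five placeholders are listed by question, the Q2 residency warning fires because no region code is present, and the pre-publish warning is attached. Replace the placeholders with real facts (an actual region code for Q2) and `publishable` flips to true, at which point `toScriptTag` emits the block ready for `<head>`.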
Other skills in this plugin:
- `optise-helix-bluf-writer`
- `optise-helix-fitq-audit`
- `optise-helix-prompt-pack-builder`
- `optise-helix-race-audit`
- `optise-helix-aeo-tracker`

Install: `npx claudepluginhub shashwatgtm/optise-helix-aeo-skills --plugin optise-helix-aeo-toolkit`