The Osano scoring/rating algorithm is proprietary and confidential. Osano considers many factors, including Ontology, grade-level readability of the documents, and numerous other external indicators.
The scoring algorithm maps closely to NIST and ISO privacy standards, meaning that if a vendor has a low score in Osano, they will generally fare poorly if you evaluate them under either of those standards. If they have a high score, they either collect no data about users or they will generally fare well when evaluated under the NIST or ISO standards.
Scores update nightly. Generally, a vendor will see only minor fluctuations in scores unless they have made modifications to their published practices. However, the Osano rating scale is relative, so changes in one vendor's practices can affect the rating of another vendor. For additional explanation of relative scoring and why it is beneficial to your organization, please review this article.
You can expect to see a bell curve on the scores, with most vendors scoring somewhere in the middle of the range, meaning they have decent practices but room for improvement.
Vendors in the middle of the score range can be perfectly trustworthy, but they do warrant an additional investigation into their practices.
Conversely, vendors on the extreme ends of the score ranges can provide you with very quick insights into whether they are trustworthy. Highly rated vendors make up less than 15% of the data set. If a vendor is rated highly, they are going above and beyond the minimum requirements and are making great efforts to be transparent and earn your trust. If a vendor is rated in the bottom 15%, you should be very wary of engaging them without additional diligence.