Jordan: The email came in at four seventeen on a Wednesday. Subject line: "Vendor Security Assessment — Required for Contract Execution." And attached to it was a forty-eight-page spreadsheet. Forty-eight pages. Column A was the question. Column B was where I was supposed to put my answer. Column C was where I was supposed to paste a link to supporting evidence.
I scrolled through the first ten rows. "Describe your access control policies." "Do you encrypt data at rest and in transit? Provide documentation." "List all subprocessors with access to customer data, their locations, and their security certifications."
And I just... closed the laptop. Because I didn't have any of that. Not in a format I could hand to someone. I had practices — good practices — but nothing documented, nothing linkable, nothing that looked like what a procurement team at a two-hundred-person company expected to see from a vendor.
This was a fourteen-thousand-dollar-a-month engagement. Automation buildout for their entire onboarding pipeline. I'd already done the discovery call. I'd already scoped the project. The hiring manager loved the proposal. And then legal sent this spreadsheet and everything stopped.
Two weeks later I got the "we've decided to go another direction" email. They hired a four-person agency. Not because the agency was better. Because the agency had a security page on their website and I didn't.
That was eleven months ago. I've closed three enterprise deals since then. The last questionnaire took me six hours from inbox to sent — and four of those hours were the first time. The second one took ninety minutes. The third took forty.
Jordan: Imagine you just got off a great discovery call. The prospect is a mid-market SaaS company — eighty employees, real budget, twelve-month engagement. They want you to automate their client reporting pipeline. You nailed the call. And then the next morning, their IT director sends you a vendor security questionnaire and says nothing moves until it's complete. You open the file. A hundred and thirty-eight questions about encryption, access controls, subprocessors, incident response. You don't have a security page. You don't have a DPA template. You don't have a subprocessor list. And the deadline is next Friday.
I'm Jordan. This is Headcount Zero. And today I'm walking you through exactly how I built the system that turns that moment from a deal-killer into a forty-minute task — a public Trust Center in Notion, a reusable answer library mapped to two industry-standard lite questionnaire formats, and a Make flow that autofills most of the answers and routes the rest for my review before I hit send.
Jordan: So after I lost that deal — the fourteen-K-a-month one — I did what I always do when something breaks. I reverse-engineered the problem. I went back to the spreadsheet they'd sent me and I categorized every single question. And here's what I found. About eighty percent of those questions were asking for the same six things. Do you encrypt data? Who are your subprocessors? What's your incident response process? Do you have a data processing agreement? What are your SLAs? And can you show me your access control policies?
That's it. Six categories. Repeated in slightly different language across forty-eight pages. And the thing that hit me was — I actually had answers to most of these. I use MFA everywhere. I encrypt at rest and in transit. I have a subprocessor list — it just lived in my head instead of on a page. The problem wasn't that I was insecure. The problem was that I had zero proof artifacts. Nothing a procurement person could click on, read, and check a box.
So I built a Trust Center. And I want to be specific about what that means, because it sounds more intimidating than it is. Go look at Atlassian's Trust Center — they publish SOC 2 reports, ISO 27001 certificates, DPA links, subprocessor lists, CSA STAR entries. It's comprehensive. ThreadSync does something similar — architecture diagrams, control mappings, subprocessor tables. Even Notion has a dedicated security portal where they disclose AI data handling and compliance reports.
Now — you are not Atlassian. You don't need all of that. But you need the same structure at a lighter scale. And Notion is actually perfect for this because it's free, it's publishable, and procurement people already know how to navigate it.
Here's what mine looks like. One Notion page. Title at the top with a one-liner — "I help companies automate operations. Here's how I protect your data." Then a section with SLA chips — uptime target, support response time, RTO, RPO, data retention. These are just numbers in a callout block. Takes five minutes to write.
Below that, security practices. Authentication method — I use SSO with MFA enforced. Encryption — AES-256 at rest, TLS 1.2 in transit. Backup frequency and region. Monitoring tooling. Incident response window and contact. Again — you already know this stuff about your own setup. You're just writing it down in a place someone else can read it.
Then compliance and reports. If you have a SOC 2 — great, link it under NDA. If you don't — and most solos don't — you can still link a penetration test summary, an information security policy, or a CSA STAR self-assessment. The point is not to have every certification. The point is to have something linkable in every category so the reviewer doesn't see a blank row.
Privacy and DPA section. Link your data processing agreement template. List your data location. Provide a contact for data subject requests. Subprocessor register — and this is the one people skip, but it matters — a live table with every tool that touches customer data. Provider name, purpose, data types, storage location, DPA link, last reviewed date.
And then the piece that changed everything for me — an evidence artifacts index. One section at the bottom of the page with direct links to every document a reviewer might ask for. DPA. Security policy. Access control policy. Incident response plan. Business continuity summary. AI and data handling policy if you use LLMs in your delivery. Status page URL.
The whole page took me about three hours to build the first time. And now when a prospect's IT team sends me a questionnaire, the first thing I do is reply with the Trust Center link. Half the time, that link alone satisfies their initial review and the questionnaire gets shortened or waived entirely.
Jordan: Okay — but the Trust Center is the front door. The real leverage comes from the answer library. And to build that, you need to understand two standards that most solos have never heard of.
The first is CAIQ Lite — that stands for Consensus Assessments Initiative Questionnaire Lite. It's published by the Cloud Security Alliance. They released version 4.1 on January twenty-seventh of this year, and it's a hundred and thirty-eight focused questions across seventeen security domains. The full CAIQ has two hundred and eighty-three questions. The Lite version cuts that roughly in half by selecting the controls most relevant to lower-risk vendor assessments.
The second is SIG Lite — Standardized Information Gathering Lite, from Shared Assessments. Their official scoping guidance says SIG Lite is designed for lower-risk third parties and as a preliminary assessment. The 2023 edition has a hundred and twenty-six questions. It's broad and high-level — exactly what a mid-market buyer uses when they're evaluating a vendor who isn't handling regulated data.
Now — why do these matter to you? Because when a buyer sends you a custom questionnaire, most of those questions map directly to CAIQ Lite or SIG Lite domains. Access control. Encryption. Data governance. Incident management. If you've already written your vetted answer for each of those domains once, you're not starting from scratch every time. You're looking up your own answers and pasting them in.
So here's the build. I created a CSV file — answer library dot CSV — with columns for framework, domain, question ID, a canonical key, the question text, my standard answer, an evidence link back to the Trust Center, and a flag for whether that answer requires my manual approval before it ships. I started with CAIQ Lite domains and added SIG Lite mappings alongside them. Took about a day to populate the first version. Sixty-something rows. And every row links back to an artifact on the Trust Center page.
Jordan: The answer library is useful on its own — you can just search it manually and copy-paste. But the real speed comes from wiring it into a Make scenario that does the matching for you.
Here's the flow. A buyer submits a questionnaire through an intake form — I use Tally, but anything works. The form captures the buyer name, contact email, questionnaire format, due date, and whether an NDA is required. Make picks up the submission, downloads the attached spreadsheet, and parses it into rows — one row per question.
For each question, the scenario generates a canonical key from the question text. That's just a normalized slug — lowercase, stripped punctuation, synonyms collapsed. So "Do you enforce MFA for admin access" and "Is multi-factor authentication required for privileged users" both resolve to the same key: auth-mfa-required. I keep a small mapping dictionary in a JSON file that handles the synonym normalization — MFA and 2FA both map to MFA, pen test and penetration test both map to pentest, and so on.
The scenario looks up each canonical key against the answer library. If it finds a match and the answer doesn't require approval, it drafts the response automatically. If the match confidence is low — or if the answer is flagged for manual review because it touches moderate or high-sensitivity data — it creates a task in a Notion approval queue instead.
And this is the part that surprised me. On the first real questionnaire I ran through this flow, about seventy percent of the questions matched automatically. The remaining thirty percent went to my approval queue — and most of those were just slight variations on questions I'd already answered. I edited maybe five responses by hand. The whole thing went from inbox to sent in under six hours, and that included me building parts of the flow in real time.
The second questionnaire — different buyer, different format, but similar scope — took ninety minutes. Because the answer library had grown. Every new question I answered got added back to the CSV. By the third questionnaire, I was down to forty minutes and only three items needed manual review.
The export step is format-aware. If the buyer sent an Excel file, the scenario writes answers back into the answer column and re-uploads it. If they use a portal, it generates a paste-ready markdown file. Either way, it packages the completed questionnaire with a cover letter and links to the relevant Trust Center artifacts in a delivery folder.
Jordan: Now — I need to be honest about where this breaks down. Because it does break down.
Some buyers will not accept lite formats. If you're handling regulated data — healthcare records, payment card data, anything under HIPAA or PCI — a CAIQ Lite response is not going to cut it. Those buyers need full SIG Core or a bespoke questionnaire, and they need private evidence under NDA. Full SOC 2 Type II reports. Detailed penetration test findings. Custom data flow diagrams specific to their implementation.
And there are procurement teams that insist on their own proprietary questionnaire regardless of what standards you offer. That's real. That happens. Some GRC practitioners will tell you that questionnaires are compliance theater anyway — that they don't actually measure real risk — but the buyer still requires them, and you still have to play the game.
So here's how I handle it. I triage every incoming questionnaire into one of three tiers. Tier one is low risk — no regulated data, standard SaaS use, metadata and basic PII at most. That gets the lite treatment. Trust Center link, CAIQ Lite or SIG Lite answers, autofill flow, done in under two hours.
Tier two is moderate — limited PII, contractual obligations like custom DPA terms. That gets the lite package plus three to five supplemental answers and NDA-gated evidence where needed.
Tier three is high — regulated data, strict compliance requirements, or a buyer whose policy explicitly forbids lite instruments. That's where I escalate. I scope the deeper review, involve counsel if needed, and provide full evidence under NDA. And I charge for it — tier three questionnaire responses are a line item in the contract, not free pre-sales work.
The key insight is that most mid-market deals — the ones solos are actually pursuing — fall into tier one or tier two. The lite approach covers them. You're not pretending to be something you're not. You're showing that you take security seriously, you've documented your practices in a format procurement recognizes, and you can respond fast. That speed alone signals competence. A four-person agency that takes three weeks to return a questionnaire looks worse than a solo who returns it in forty-eight hours with clean formatting and linked evidence.
Jordan: That deal I lost eleven months ago — the fourteen-K-a-month one — I think about it differently now. Not as a failure. As the most expensive Notion page I've ever built. Because the Trust Center I created after that loss has directly contributed to closing over forty thousand dollars in contracts that would have stalled at the same point. Same objection — "we don't work with solos" — different outcome. The difference was a link. One link to a page that said, "Here's everything you need to evaluate me, and here's how fast I can answer whatever else you ask."
If you want to build this yourself, I put together a Trust Center template and a CAIQ Lite slash SIG Lite answer library — the actual CSV schema with sample rows and the Make flow spec for the autofill pipeline. It's on the Resources page. Duplicate the Notion template, fill in your brackets, connect the CSV, and you'll have a working version by end of day.
Here's your one thing for this week. Before your next sales call, publish one page — just the Trust Center. Even without the automation. Even without the answer library. Just the page with your security practices, your subprocessor list, and your evidence links. Because the next time a buyer's IT director sends you that spreadsheet, the difference between losing the deal and closing it might be whether you have something to send back within twenty-four hours.
I'm Jordan. Go build it. I'll see you on Friday.
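The canonical-key matching and approval routing Jordan describes (normalize the question text, collapse synonyms, look the result up in the answer library, autofill or route to the approval queue) as an added worked example. This is editor's code, not the show's Make scenario or its CSV. The library rows, question IDs, evidence URLs and incoming questions are constructed placeholders, not real CAIQ Lite or SIG Lite items; the synonym list and the 0.5 overlap threshold are assumptions. The "match confidence" is implemented here as token overlap (Jaccard) between the normalized incoming question and each library question, which is one concrete way to get the low-confidence signal that sends a row to review instead of autofilling it.

```python
"""Canonical-key matching and routing for questionnaire autofill.

Editor's worked example. Rows, IDs, URLs and questions below are constructed
placeholders, not real CAIQ Lite / SIG Lite content.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of the answer-library schema (framework, domain, id,
# canonical key, question, answer, evidence link, approval flag).
ANSWER_LIBRARY_CSV = """\
framework,domain,question_id,canonical_key,question,answer,evidence_url,requires_approval
CAIQ-Lite,Identity & Access,LIB-001,auth-mfa-required,Do you enforce MFA for admin access?,Yes. SSO with MFA enforced on every account.,https://trust.example/#authentication,no
CAIQ-Lite,Cryptography,LIB-002,encrypt-at-rest,Is customer data encrypted at rest?,Yes. AES-256 at rest in the primary storage provider.,https://trust.example/#encryption,no
SIG-Lite,Third Party Management,LIB-003,subprocessor-list,List all subprocessors with access to customer data.,See the subprocessor register on the Trust Center.,https://trust.example/#subprocessors,yes
CAIQ-Lite,Application Security,LIB-004,pentest-frequency,How often do you perform penetration tests?,Annually. Summary report available under NDA.,https://trust.example/#reports,no
"""

# Synonym collapsing (assumed list): each regex maps a family of phrasings
# onto one token, applied before tokenizing. Longest phrases come first.
SYNONYMS = [
    (re.compile(r"\b(multi[- ]?factor authentication|two[- ]?factor authentication|2fa)\b"), "mfa"),
    (re.compile(r"\bpen(etration)?[- ]?tests?\b"), "pentest"),
    (re.compile(r"\b(sub[- ]?processors?|third[- ]?part(y|ies))\b"), "subprocessor"),
    (re.compile(r"\b(privileged|administrators?|administrative)\b"), "admin"),
    (re.compile(r"\b(required?|requires|enforced?|enforces|mandat(e|ed|ory))\b"), "enforce"),
    (re.compile(r"\bencrypt(s|ed|ion)?\b"), "encrypt"),
    (re.compile(r"\b(at rest|stored|in storage)\b"), "rest"),
    (re.compile(r"\b(in transit|in flight|over the network)\b"), "transit"),
    (re.compile(r"\b(how often|frequently|frequency)\b"), "often"),
    (re.compile(r"\b(perform(ed|s)?|conduct(ed|s)?)\b"), "perform"),
]
STOPWORDS = frozenset(
    "a an the do does you your is are for of to and or with that all any "
    "how please provide describe".split()
)
MATCH_THRESHOLD = 0.5  # assumed cut-off below which a row goes to review


def normalize(text: str) -> frozenset[str]:
    """Lowercase, collapse synonyms, strip punctuation, drop stopwords."""
    text = text.lower()
    for pattern, replacement in SYNONYMS:
        text = pattern.sub(replacement, text)
    return frozenset(t for t in re.findall(r"[a-z0-9]+", text) if t not in STOPWORDS)


@dataclass(frozen=True)
class LibraryEntry:
    canonical_key: str
    question: str
    answer: str
    evidence_url: str
    requires_approval: bool
    tokens: frozenset[str]


def load_library(csv_text: str) -> list[LibraryEntry]:
    """Parse the answer library and pre-normalize each library question."""
    return [
        LibraryEntry(
            canonical_key=r["canonical_key"],
            question=r["question"],
            answer=r["answer"],
            evidence_url=r["evidence_url"],
            requires_approval=r["requires_approval"].strip().lower() == "yes",
            tokens=normalize(r["question"]),
        )
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    """Token-overlap score in [0, 1]; this is the match confidence."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def best_match(question: str, library: list[LibraryEntry]) -> tuple[float, LibraryEntry]:
    tokens = normalize(question)
    return max(((jaccard(tokens, e.tokens), e) for e in library), key=lambda s: s[0])


@dataclass
class Routed:
    question: str
    route: str            # "autofill" or "approval"
    canonical_key: str | None
    confidence: float
    answer: str | None
    evidence_url: str | None
    reason: str


def route_questionnaire(questions: list[str], library: list[LibraryEntry],
                        threshold: float = MATCH_THRESHOLD) -> list[Routed]:
    """Autofill confident, unflagged matches; queue everything else for review."""
    out = []
    for q in questions:
        score, e = best_match(q, library)
        if score < threshold:
            out.append(Routed(q, "approval", None, score, None, None,
                              "no confident match; answer by hand and add to library"))
        elif e.requires_approval:
            out.append(Routed(q, "approval", e.canonical_key, score, e.answer,
                              e.evidence_url, "flagged for manual review"))
        else:
            out.append(Routed(q, "autofill", e.canonical_key, score, e.answer,
                              e.evidence_url, "matched"))
    return out


# Constructed incoming questionnaire rows (different wording than the library).
SAMPLE_QUESTIONS = [
    "Is multi-factor authentication required for privileged users?",
    "Are pen tests performed, and how frequently?",
    "Provide a list of all third parties that process customer data.",
    "Do you maintain a documented business continuity plan?",
]

if __name__ == "__main__":
    for r in route_questionnaire(SAMPLE_QUESTIONS, load_library(ANSWER_LIBRARY_CSV)):
        print(f"{r.route:9} {r.confidence:.2f} {r.canonical_key or '-':20} {r.reason}")
```

On the constructed input, the MFA and pentest questions autofill (the MFA one at 0.6 confidence because "users" and "access" were not collapsed, the pentest one at 1.0), the subprocessor question matches but lands in the queue because its library row is flagged, and the business-continuity question has no library match and is queued as a gap to answer by hand and add back to the CSV.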