Enterprise Solo Pack: Trust Center + CAIQ‑Lite Answer Library + SSO Add‑On Pricing One‑Pager

Copy‑paste pack for solo operators to stand up a procurement‑ready Trust Center, a CAIQ‑Lite–mapped answer library with an autofill + approval flow, and a client‑facing SSO add‑on one‑pager with clear scope and SLAs.

Copy this pack into Notion or Markdown and tailor it to your service. It gives you (1) a public‑facing Trust Center, (2) a CAIQ‑Lite–mapped answer library you can autofill into questionnaires with Make/n8n and then approve, and (3) a client‑ready one‑pager that cleanly prices an SSO add‑on with clear scope boundaries and SLA tiers. Everything uses [BRACKETS] for fields you fill in.

How to use this pack (5‑minute setup)

  • Duplicate this document into your workspace.
  • Fill anything in [BRACKETS] before you publish.
  • Keep the Trust Center public; keep evidence behind an NDA gate.
  • Use the Answer Library for fast questionnaire turnaround; every autofilled answer must pass a human approval gate.
  • If a buyer requests a formal registry listing, prepare your escalation pack (see the STAR L1 section).

Trust Center (public page template)

Use this section as a public page. Keep it concise, link to gated evidence, and show recent proof.

Heading: [PRODUCT_OR_SERVICE_NAME] Trust Center
Tagline: "[ONE_SENTENCE_PROOF]" (e.g., "99.96% 90‑day uptime; SOC 2‑aligned controls; SSO available.")

  1. Live Status and SLAs
  • Current status: [OPERATING_NORMALLY|DEGRADED|INCIDENT_LINK]
  • 90‑day uptime: [UPTIME_90D_PERCENT]%
  • SLA targets: [API_SLA_MS] ms p95; [SUPPORT_SLA_HOURS] h first response; [INCIDENT_RTO_HOURS] h RTO; [INCIDENT_RPO_MINUTES] min RPO
  • Proof chips (last 30/90 days): [PROOF_CHIP_1], [PROOF_CHIP_2], [PROOF_CHIP_3]
  • Evidence: [PUBLIC_STATUS_PAGE_URL]
  2. Security Practices
  • Authentication: [PASSWORD_POLICY_SUMMARY]; MFA: [ENFORCED_OPTIONAL_DETAILS]
  • SSO availability: [YES|NO]; Protocols: [SAML|OIDC]; SCIM provisioning: [YES|NO]
  • Access: least‑privilege; reviews every [ACCESS_REVIEW_CADENCE]
  • Secrets: [SECRETS_MANAGER|HSM]; rotation every [SECRET_ROTATION_DAYS] days
  • Vulnerability mgmt: [SCANNER_TOOL] weekly; patching target [PATCH_SLA_DAYS] days
  • Penetration testing: [ANNUAL|SEMIANNUAL] by [VENDOR]; summary: [PEN_TEST_SUMMARY_LINK]
  3. Data Handling
  • Data classification: [PUBLIC|INTERNAL|CONFIDENTIAL|SENSITIVE]
  • Data at rest: [ENCRYPTION_AT_REST_METHOD]
  • Data in transit: [TLS_VERSION]
  • Data residency/regions: [REGIONS_LIST]
  • Subprocessors: see list below
  • Data retention: [RETENTION_POLICY_SUMMARY]; deletion within [DELETION_SLA_DAYS] days on request
  • Customer audit logs: [AUDIT_LOG_PORTAL_URL] (exportable: [YES|NO])
  4. Compliance and Assessments
  • Internal baseline: [CCM_LITE|CCM_V4_1] mapped; questionnaire library aligned to [CAIQ_LITE|CAIQ_V4_1]
  • External attestations: [SOC2|ISO27001|NONE] (link summaries)
  • STAR‑style self‑assessment: [AVAILABLE|ON_REQUEST] (link or note NDA)
  5. Incident Response
  • 24×7 monitoring: [YES|NO]; on‑call rotation: [YES|NO]
  • Notification SLA: [INCIDENT_COMM_SLA_HOURS] hours
  • Contact: [SEC_EMAIL] | [SECURITY_TXT_URL]
  6. Contact and Reporting
  • Security contact: [NAME], [ROLE], [EMAIL]
  • DPA & terms: [LINK_TO_DPA], [LINK_TO_TOS]

Subprocessor List (link this table from your Trust Center):

  • Vendor: [VENDOR_NAME]
    Service: [WHAT_THEY_DO]
    Data categories: [PII|PAYMENT|LOGS|NONE]
    Region: [REGION]
    Contract/SCCs: [YES|NO] (link)
    Last review: [YYYY‑MM‑DD]

Evidence Library (gated; link items not files):

  • [SOC2_REPORT_SUMMARY_LINK] (NDA)
  • [PEN_TEST_SUMMARY_LINK] (NDA)
  • [VULN_SCAN_LAST_30D_LINK] (NDA)
  • [SLA_EXPORT_CSV_90D_LINK] (public or NDA)
  • [BCP_DR_PLAYBOOK_LINK] (NDA)

SLA Proof Chip Log (show recent 3):

  • [YYYY‑MM‑DD]: p95 latency [MS] ms; uptime [PERCENT]% (source: [MEASUREMENT_SOURCE])
  • [YYYY‑MM‑DD]: first‑response time [HOURS] h median (source: [HELPDESK_TOOL])
  • [YYYY‑MM‑DD]: backup restore test passed in [MINUTES] min (source: [BACKUP_TOOL])

CAIQ‑Lite Answer Library (CSV/Notion schema)

Create a single source of truth for answers you’ll reuse across questionnaires. You can store it as a CSV, a Notion database, or both.

Recommended fields (CSV headers or Notion properties):

  • [QUESTION_ID] (text) — CAIQ‑Lite question ID if applicable
  • [CCM_DOMAIN] (select) — e.g., IAM, A&A, IS, DCS, BCR
  • [CONTROL_ID] (text) — CCM control reference if mapped
  • [QUESTION_TEXT] (rich text) — the canonical question
  • [STANDARD_ANSWER] (rich text) — your approved default answer
  • [SCOPE_NOTES] (text) — what’s in/out of scope; exceptions
  • [EVIDENCE_URL] (url) — link to gated evidence (NDA)
  • [OWNER] (person/text) — accountable reviewer
  • [LAST_REVIEWED_AT] (date) — YYYY‑MM‑DD
  • [APPROVAL_STATUS] (select) — Draft, Approved, Needs Update
  • [AUTOFILL_ALIAS] (multi‑text) — synonyms/short prompts used by bots
  • [KEYWORDS] (multi‑text) — aid search and fuzzy match
  • [NDA_REQUIRED] (checkbox)
  • [TAG_RISK_LEVEL] (select) — Low, Moderate, High
  • [REVISION_NOTES] (text)

Sample row (illustrative):

  • QUESTION_ID: [CL‑IAM‑Q12]
  • CCM_DOMAIN: IAM
  • CONTROL_ID: [CCM‑IAM‑12]
  • QUESTION_TEXT: "Do you support SSO? Which protocols and IdPs?"
  • STANDARD_ANSWER: "Yes — SAML 2.0 and OIDC. We support Okta, Entra ID, and Google Workspace. SCIM 2.0 available for user provisioning on [PLANS]."
  • SCOPE_NOTES: "SSO is an add‑on; covers up to [N_APPS] apps in scope; additional apps billed per scope change."
  • EVIDENCE_URL: [EVIDENCE_LINK_SSO_GUIDE]
  • OWNER: [NAME]
  • LAST_REVIEWED_AT: [YYYY‑MM‑DD]
  • APPROVAL_STATUS: Approved
  • AUTOFILL_ALIAS: ["SSO","SAML","OIDC","Okta","Entra","Google"]
  • KEYWORDS: ["identity","login","SSO","SCIM"]
  • NDA_REQUIRED: [TRUE|FALSE]
  • TAG_RISK_LEVEL: Low
  • REVISION_NOTES: "Added SCIM limits and IdP list."

Tip: Keep answers short (3–6 sentences), then link to evidence. Never paste PDFs into forms; link to your portal with context.

Make/n8n Autofill + Human‑Approval flow (spec)

Use this to pre‑populate questionnaires and route for human approval before sending back to the buyer.

Flow outline:

  1. Intake
  • Trigger: inbound email to [QUESTIONNAIRE_ALIAS@DOMAIN] or portal upload form.
  • Parse: detect type [CAIQ_LITE|CAIQ_V4_1|SIG_LITE|XLSX_CUSTOM|PORTAL_LINK].
  • Create work item: [WORK_ID] with metadata (buyer name, due date, risk level, NDA status).
  2. Normalize
  • If spreadsheet: convert to CSV; if portal: capture page list/screenshots to [EVIDENCE_BUCKET].
  • Extract questions to a table: [EXTRACTED_QS] with columns [Q_ID_GUESS], [Q_TEXT], [SECTION], [BUYER_NOTES].
  3. Match
  • For each [Q_TEXT], compute a fuzzy score against [AUTOFILL_ALIAS] and [QUESTION_TEXT].
  • Matching rules: exact alias > 0.92; semantic match > 0.88; otherwise flag as Unmatched.
  • If multiple candidates score within 0.03 of each other, require a manual pick.
  4. Draft answers
  • Pull [STANDARD_ANSWER]; append buyer‑specific modifiers from [BUYER_NOTES] where safe.
  • Insert links to [EVIDENCE_URL] placeholders.
  • Stamp [DRAFTED_AT] and [DRAFTER_BOT_VERSION].
  5. Human approval
  • Route the drafted table to [REVIEWER_NAME] in Notion or an approval UI with buttons: Approve, Edit, Reject, Needs Evidence.
  • Block any answer whose library row has [APPROVAL_STATUS != Approved], or that is missing [EVIDENCE_URL] when [NDA_REQUIRED = TRUE].
  6. Export and send
  • Rehydrate into the buyer’s template (CSV/XLSX) or paste answers into the portal.
  • Send a cover note with the Trust Center link, SSO scope note, and escalation path.
  • Archive the full run (inputs, approved outputs, artifacts) to [EVIDENCE_BUCKET]/[WORK_ID].
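The Match and Human approval steps above, as an added example that is not part of this pack: Python that scores a buyer question against library rows with the spec's thresholds (exact alias > 0.92, semantic > 0.88, manual pick when candidates sit within 0.03) and returns the reasons an answer is blocked at export. It assumes library rows are dicts keyed by the schema fields above, uses difflib's SequenceMatcher as a stand‑in for the unnamed "semantic match" scorer, and the sample rows are constructed.

```python
# Added example, not part of the pack: match + approval gate over library rows (dicts keyed
# by the schema fields above). difflib stands in for the unnamed "semantic match" scorer.
import re
from difflib import SequenceMatcher
EXACT_ALIAS, SEMANTIC, AMBIGUITY = 0.92, 0.88, 0.03   # thresholds from the Match step

# Constructed sample rows; IDs and URLs are placeholders, not real records.
LIBRARY = [
    {"QUESTION_ID": "CL-IAM-Q12", "QUESTION_TEXT": "Do you support SSO? Which protocols and IdPs?",
     "AUTOFILL_ALIAS": ["SSO", "SAML", "OIDC", "Okta"], "APPROVAL_STATUS": "Approved",
     "NDA_REQUIRED": False, "EVIDENCE_URL": "https://trust.example/sso-guide"},
    {"QUESTION_ID": "CL-DCS-Q03", "QUESTION_TEXT": "Is customer data encrypted at rest?",
     "AUTOFILL_ALIAS": ["encryption at rest", "AES"], "APPROVAL_STATUS": "Draft",
     "NDA_REQUIRED": True, "EVIDENCE_URL": ""},
]

def score(q_text, row):
    """(score, kind): 1.0/'alias' on a whole-word alias hit, else similarity/'semantic'."""
    q = q_text.lower()
    if any(re.search(rf"\b{re.escape(a.lower())}\b", q) for a in row["AUTOFILL_ALIAS"]):
        return 1.0, "alias"
    return SequenceMatcher(None, q, row["QUESTION_TEXT"].lower()).ratio(), "semantic"

def match_question(q_text, library=LIBRARY):
    """Return ("matched", row), ("manual_pick", [rows]) or ("unmatched", None)."""
    ranked = sorted(((*score(q_text, r), r) for r in library), key=lambda t: t[0], reverse=True)
    best, kind, row = ranked[0]
    if best <= (EXACT_ALIAS if kind == "alias" else SEMANTIC):
        return "unmatched", None              # flag for a human to answer from scratch
    close = [r for s, _, r in ranked if best - s < AMBIGUITY]
    if len(close) > 1:                        # several candidates within 0.03: reviewer picks
        return "manual_pick", close
    return "matched", row

def approval_gate(row):
    """Reasons the drafted answer is blocked at export; empty means it may ship."""
    reasons = [] if row["APPROVAL_STATUS"] == "Approved" else ["library answer is not Approved"]
    if row["NDA_REQUIRED"] and not row["EVIDENCE_URL"]:
        reasons.append("NDA_REQUIRED is set but EVIDENCE_URL is missing")
    return reasons

def draft(questions, library=LIBRARY):
    """Match then gate each extracted question; nothing here sends anything to the buyer."""
    rows = []
    for q in questions:
        status, hit = match_question(q, library)
        blocked = approval_gate(hit) if status == "matched" else [f"{status}: human decision"]
        rows.append({"Q_TEXT": q, "status": status, "blocked_by": blocked})
    return rows
```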

Make/n8n node sketch:

  • Webhook/Ingest → File Parser → Type Classifier → Library Lookup (Notion/CSV) → Fuzzy Match (code) → Draft Composer → Approvals (manual trigger/task) → Exporter (CSV/XLSX/Portal API if available) → Email/Slack Notify → Archive to Storage.

Boundaries and defaults:

  • Default turnaround: [24‑48_HOURS]; escalations: [FULL_CAIQ_V4_1_PATH_ON_REQUEST].
  • Never auto‑send without human approval.
  • Redact secrets; link evidence instead of attaching.
  • Log metrics per run: time to first draft, approval cycles, final duration.

STAR Level 1 escalation (CAIQ v4.1) — internal prep

Use this section when a buyer asks for a formal registry listing or a full questionnaire variant.

  • Artifact to prep: [CAIQ_V4_1_STAR_L1_SHEET_LINK]
  • Mapping: maintain a crosswalk table [CAIQ_LITE_Q_ID] → [CAIQ_V4_1_Q_ID_LIST] so you can expand answers quickly.
  • Public listing (optional): prepare [STAR_L1_PUBLIC_SUMMARY] and decide whether to list immediately or share privately.
  • Evidence pack: [SOC2_SUMMARY|ISO_CERT|PEN_TEST_SUMMARY] links under NDA.
  • Owner and SLA: [ESCALATION_OWNER], target [BUSINESS_DAYS] business days to complete.
  • Buyer message template: "We publish a Trust Center and a streamlined CAIQ‑Lite library for rapid reviews. If you require a formal STAR Level 1 sheet or full CAIQ v4.1, we can deliver via this escalation path within [BUSINESS_DAYS] business days."

Client‑facing one‑pager — Core + SSO add‑on + SLA tiers

Share this one‑pager during the demo and attach it to proposals. Keep it to one page.

Title: Enterprise Solo Pack — Procurement‑Ready Add‑On
Subtitle: "Clear security fast. Answers in hours, not weeks."

Core (included):

  • Trust Center setup and publication
  • Questionnaire intake address and workflow
  • CAIQ‑Lite mapped answer library (initial load up to [N_QS] answers)
  • 1 questionnaire autofill + human approval (≤ [MAX_QS] questions)
  • Buyer handoff email + evidence links

Optional Add‑On: SSO Configuration

  • Supported IdPs: [OKTA|ENTRA_ID|GOOGLE_WORKSPACE]
  • Protocols: [SAML_2_0|OIDC]; Provisioning: [SCIM_2_0]
  • In scope: connect up to [N_APPS] applications; map [N_GROUPS] groups/claims; test with [N_TEST_USERS] users
  • Out of scope: new IdP procurement, custom SSO for legacy apps without standards, mobile SDK changes
  • Customer inputs: admin access (temporary), metadata/XML/JSON, test users, desired claim schema
  • Deliverables: configured app(s), IdP‑side config, test plan + results, runbook, rollback notes
  • Timeline: [DAYS_TO_DELIVER] business days
  • Fixed fee: [PRICE_SSO_ADDON_USD]

SLA Tiers (choose one):

  • Standard: responses [BUSINESS_HOURS_STD] h, fixes [BUSINESS_DAYS_STD] d — included
  • Priority: responses [BUSINESS_HOURS_PRI] h, fixes [BUSINESS_DAYS_PRI] d — add [PRICE_PRIORITY_USD]
  • Premium: responses [BUSINESS_HOURS_PRE] h, fixes [BUSINESS_DAYS_PRE] d — add [PRICE_PREMIUM_USD]

Scope Guardrails (bold these in the doc):

  • Changes in number of apps, IdPs, or non‑standard protocols trigger a scope change.
  • Evidence remains NDA‑gated; we do not share raw reports via email.
  • All questionnaire answers pass human approval before delivery.

Proof chips (swap with your real data):

  • "90‑day uptime [UPTIME_90D_PERCENT]%"
  • "p95 latency [P95_MS] ms"
  • "Questionnaire turnaround [HOURS_TO_DELIVER] h"

Signature block:

  • Valid through: [VALID_THROUGH_DATE]
  • Contact: [NAME], [ROLE], [EMAIL]

10‑minute live demo — run of show

Use this during calls to keep momentum and show you’re procurement‑ready.

Total time: 10 minutes

  1. 0:00–1:00 — Outcome first
  • "In the last 90 days we’ve met [UPTIME_90D_PERCENT]% uptime and [P95_MS] ms p95. Here’s the public Trust Center."
  2. 1:00–3:00 — Trust Center tour
  • Live status, SLAs, data flow diagram, subprocessors, evidence index.
  3. 3:00–5:00 — Answer Library + Autofill
  • Show the CAIQ‑Lite‑mapped table and run an intake→draft→approval demo on a sample file.
  4. 5:00–7:00 — SSO scope
  • Confirm supported IdPs/protocols, show a past runbook (redacted), and walk through the scope boundaries.
  5. 7:00–9:00 — Pricing one‑pager
  • Walk through Core deliverables, the SSO add‑on, and SLA tiers. Pause for questions.
  6. 9:00–10:00 — Next steps
  • Send the NDA + data‑sharing link, target delivery dates, and decision checklist.

Send‑after email template:
Subject: "[BUYER_NAME] — trust center + answers + SSO scope"
Body: "Thanks for the time today. Here are the links: [TRUST_CENTER_URL], [ANSWER_LIBRARY_VIEW_URL], [ONE_PAGER_URL]. If you need a formal CAIQ v4.1/STAR sheet, we can deliver within [BUSINESS_DAYS] business days."

Maintenance cadence and ownership (internal)

  • Weekly: review [NEW_QUESTIONS_COUNT], update library, rotate any [APPROVAL_STATUS=Draft].
  • Monthly: refresh SLA proof chips and uptime exports.
  • Quarterly: subprocessor audit; access reviews; pen test status check.
  • Ownership: Trust Center [OWNER_NAME]; Answers [OWNER_NAME]; SSO add‑on [OWNER_NAME].
  • Versioning: bump [VERSION_SEMVER] and log changes at the bottom of each page.