One‑Page Trust Center (Notion) + DPA Starter + Make/PandaDoc Flow

Paste the block below into a new Notion page. Replace [BRACKETS] with your details. Keep it to one scroll — buyers scan for coverage, clarity, and evidence links.

Title: [COMPANY NAME] Trust Center
Version: [V1.0] • Last updated: [YYYY‑MM‑DD] • Contact: [SECURITY@DOMAIN]

Summary
We help [CUSTOMER TYPE] do [VALUE PROP]. We design for the SOC 2 Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — and align our disclosures with common vendor questionnaires (e.g., CAIQ, SIG, VSAQ). This page is your quick evidence shelf.

Security Overview

• Access control (IAM): [SSO/MFA POLICY]. Least privilege with [ROLE MODEL]. Quarterly access review.
• Encryption: At rest [E.G., AES‑256 VIA CLOUD PROVIDER]; in transit [TLS 1.2+].
• Secrets: Stored in [SECRETS MANAGER]; rotated every [N] days; production access via [BASTION/APPROVED METHOD].
• Logging & monitoring: [LOG DESTINATION], retention [N DAYS]; alerts via [SYSTEM].
• Change management: Git‑based, CI/CD with required review; emergency change procedure [LINK/BLURB].

Data Location & Retention

• Primary region: [REGION] (failover: [REGION]).
• Backups: [FREQUENCY]; encrypted; retention [N DAYS].
• RPO/RTO targets: [RPO HOURS] / [RTO HOURS].

AI/LLM Data Handling

• Providers: [E.G., OPENAI API (ZDR ENABLED), ANTHROPIC, AZURE OPENAI].
• Training: [WE DO NOT ALLOW PROVIDER TRAINING ON CUSTOMER DATA].
• Retention: Prompts/outputs retained in our systems for [N DAYS] for support; provider‑side retention [0 DAYS (ZDR) OR SPECIFY].
• De‑identification: We mask or remove [PII FIELDS] before transmission.
• Red‑teaming & evals: [FREQUENCY/PROCESS]; governance reference: [ISO/IEC 42001 OR INTERNAL POLICY].

Subprocessors (Snapshot)
See the live register below for vendors, purpose, data categories, region, and change history.

Incident Response & BCP

• Detection: [HOW YOU DETECT].
• Notification: Material incident notice within [72 HOURS] to [CONTACT PATH].
• BCP: We can operate in a reduced mode for [N DAYS]; recovery test cadence [FREQUENCY].

Privacy & DPA
Our plain‑language DPA (with SCCs by reference) is available for e‑sign. See the automation below. Link: [PUBLIC DPA LINK OR ‘REQUEST VIA EMAIL’].

Evidence Shelf (optional)

• Policy index: [LINK]
• Pen test / security review letter: [LINK/DATE]
• Data‑flow diagram: see below
• SOC/ISO/NIST references (if any): [LINKS OR N/A]

Changelog

• [YYYY‑MM‑DD]: [CHANGE SUMMARY]

Create a Notion database named “Subprocessors” with these properties:

• Name (Title)
• Purpose (Text)
• Customer Data? (Checkbox)
• Data Categories (Multi‑select; e.g., Contact, Billing, Usage, Content, Metadata)
• Region (Select; e.g., US, EU, Global)
• Transfer Mechanism (Select; e.g., SCCs 2021/914, In‑Region Only)
• DPA Link (URL)
• Security Page (URL)
• Last Reviewed (Date)
• Status (Select; Active / Planned / Deprecated)
• Change Notice (Text)

Optional display: Group by Status; sort by Name ascending; add a ‘Last 90 days’ filter for recent changes.

Example rows (edit to fit):

Name	Purpose	Customer Data?	Data Categories	Region	Transfer Mechanism	DPA Link	Security Page	Last Reviewed	Status	Change Notice
[PandaDoc]	E‑signature	☑︎	Contact, Content, Metadata	US/EU	SCCs 2021/914	[LINK]	[LINK]	[YYYY‑MM‑DD]	Active	Added as of [DATE] for DPA e‑sign.
[OpenAI API]	AI inference	☐ (by default)	Content (masked), Metadata	US/EU (per provider)	SCCs 2021/914	[LINK]	[LINK]	[YYYY‑MM‑DD]	Active	Zero Data Retention enabled.

Change notification language (paste at top of the DB as a callout):
“We maintain this register and notify customers of material changes at least [30] days in advance. Subscribe to updates: [LINK TO NOTION FOLLOW/CHANGELOG].”

Buyers now expect a simple map of where data flows. Paste the Mermaid code below into your diagram tool of choice (Notion won’t render Mermaid natively). Export a PNG and embed it on the Trust Center.

graph LR
Client[Client] -->|Forms/Email| Intake[Intake System]
Intake -->|Webhook| Make[Make Scenario]
Make -->|PII-masked prompts| LLM[[AI Provider]]
Make -->|Create doc| PD[PandaDoc]
Make -->|Store file| Drive[Google Drive]
Make -->|Write row| NotionDB[Notion DB]
LLM -. no training (ZDR) .-> LLM
PD -->|Signed PDF| Drive
Drive -->|URL| TrustCenter[Trust Center]

Data categories and lawful basis (add as bullets under the image):

• Contact: [NAME, EMAIL] — purpose: contracting; retention: [N DAYS].
• Content: [DOC/DPA TEXT] — purpose: fulfillment; retention: [N YEARS].
• Metadata: [TIMESTAMPS, DOC IDS] — purpose: audit; retention: [N DAYS].

International transfers: [IF APPLICABLE, VIA SCCs 2021/914]; primary region: [REGION].

Use these short, copy‑safe statements in questionnaires or emails.

Subprocessors (example answer):
“We maintain a live subprocessor register listing each vendor, purpose, data categories, region, and change history; customers are notified of material changes at least [30] days in advance.”

AI data flows (example answer):
“When AI is used, prompts and outputs are processed via [PROVIDER] API with Zero Data Retention; personally identifying fields are masked before transmission and outputs are stored in [SYSTEM] under the client’s workspace.”

Additional AI/LLM prompts you can adapt:

• Do you train on our data? — “No, provider training is disabled; we enable [ZERO DATA RETENTION/ZDR] and do not submit customer content for model improvement.”
• What’s retained and for how long? — “In our systems, prompts/outputs are retained for [N DAYS] for troubleshooting, then deleted; provider‑side retention is [0 DAYS] when ZDR is enabled.”
• Which models and regions? — “[PROVIDER & MODEL], hosted in [REGION/DEPLOYMENT]; see our Subprocessor Register for DPAs and transfer mechanisms.”

Paste into a doc/PandaDoc template and fill the brackets. Keep the structure; have counsel review before sending to customers.

[NOT LEGAL ADVICE — DRAFT FOR COUNSEL REVIEW]

Data Processing Addendum (DPA)
Between: [CUSTOMER LEGAL NAME] (Controller) and [YOUR LEGAL NAME] (Processor)
Effective date: [YYYY‑MM‑DD]

1. Subject matter & duration
   We process Customer Personal Data to provide the Services described in the Agreement for the term of the Agreement and the retention periods in Annex A.

2. Roles & instructions
   Customer is Controller; we are Processor. We process only on documented instructions from Customer, including with respect to international transfers and Subprocessors.

3. Confidentiality
   All personnel with access to Customer Personal Data are bound by confidentiality obligations.

4. Security measures
   We implement the technical and organizational measures in Annex C (e.g., encryption at rest/in transit, access controls, logging, backup/restore, vulnerability management).

5. Subprocessors
   Customer authorizes the Subprocessors in Annex B. We impose data‑protection terms no less protective than this DPA and remain responsible for Subprocessors’ performance. We will notify Customer of material changes at least [30] days before they take effect.

6. Data subject rights
   We provide reasonable assistance to respond to requests (access, deletion, portability, etc.).

7. Incident notification
   We will notify Customer without undue delay and no later than [72 HOURS] after becoming aware of a Personal Data Breach, providing details and remediation steps as information becomes available.

8. Return & deletion
   Upon termination, we will delete or return Customer Personal Data within [30] days except where retention is required by law.

9. International transfers
   Where we transfer Customer Personal Data to a country without an adequacy decision, the parties agree the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 apply, as set out in Annex D. For UK transfers, apply the UK IDTA/Addendum as applicable.

10. Audits
    Upon written request no more than [ONCE PER 12 MONTHS] and with [30 DAYS] notice, we will make available information necessary to demonstrate compliance and allow for audits by Customer or its auditor, subject to confidentiality and safety controls.

11. Precedence
    If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict.

Annex A — Data Processing Details

• Categories: [CONTACT, BILLING, USAGE, CONTENT, METADATA]
• Subjects: [CUSTOMER PERSONNEL, END USERS]
• Purpose: [CONTRACTING, SUPPORT, DELIVERY]
• Retention: [N DAYS/MONTHS/YEARS]

Annex B — Authorized Subprocessors
See live register at: [LINK] (incorporated by reference).

Annex C — Technical & Organizational Measures

• Encryption: [AT REST/IN TRANSIT DETAILS]
• Access control: [SSO/MFA/LEAST PRIVILEGE]
• Logging/monitoring: [SYSTEMS, RETENTION]
• Backup/restore: [CADENCE, TESTS]
• Secure development: [REVIEWS/SCANNING]
• Supplier due diligence: [PROCESS]

Annex D — International Transfers (SCCs)

• Modules: [1/2/3 AS APPLICABLE], Annex I–III completed per Annex A–C.
• Transfer impact assessment summary: [ONE‑PARA SUMMARY].

This outlines a Make scenario that sends your DPA for e‑sign, stores the signed PDF, and logs completion in Notion. Create environment variables/secrets for [PANDADOC_API_KEY], [PANDADOC_TEMPLATE_ID], [GOOGLE_DRIVE_FOLDER_ID], [NOTION_DB_ID], [NOTION_TOKEN].

Trigger

• Option A (manual): Make “Webhook” → Custom webhook [DPA_SEND]. Payload: {"client_name":"[CLIENT]","client_email":"[EMAIL]"}
• Option B (Notion): Watch database for new row in “Client Ops” with Status = “DPA: Send”.

Flow (modules)

1. Iterator (safety): Throttle to ≤ [6] PandaDoc calls per minute. Rationale: sandbox is ~10 requests/min/endpoint; production is rate‑limited — stay conservative.
2. PandaDoc — Create document from template
   • Template: [PANDADOC_TEMPLATE_ID]
   • Variables: client_name, effective_date, your_company, etc.
3. PandaDoc — Send document
   • Recipient: [client_email] (role: [Signer])
4. Data store — Upsert doc context
   • Save {doc_id, client, idempotency_key=hash(client+template+date)} to prevent duplicates.
5. Webhook — Catch PandaDoc event (document.completed; built‑in retries with exponential backoff).
6. PandaDoc — Download document (PDF)
7. Google Drive — Upload file
   • Path: /[GOOGLE_DRIVE_FOLDER_ID]/[CLIENT]/DPA‑[YYYYMMDD].pdf
8. Notion — Update page
   • Set Status=“Signed”, Signed URL=[Drive link], PandaDoc ID=[doc_id], Signed At=[timestamp].
9. Notion — Append to “Changelog” (optional)
   • “DPA signed by [CLIENT] on [DATE].”

Error handling & limits

• Idempotency: Check the data store for existing PandaDoc doc_id before creating a new one.
• Rate limits: Keep throttle step; if 429/5xx from PandaDoc, exponential backoff and a dead‑letter Notion view (“DPA: Retry”).
• Webhooks: Make can process up to ~300 req/10s; if bursts occur, rely on queue and replays; logs retain for a few days — export daily if you need longer history.
• Notion embed: Don’t iframe PandaDoc; instead, paste the Drive PDF link or use Notion’s PDF block with the signed file.

Example variable map (JSON block you can paste into PandaDoc variables):

{
  "client_name": "[CLIENT NAME]",
  "client_email": "[CLIENT EMAIL]",
  "effective_date": "[YYYY-MM-DD]",
  "your_company": "[YOUR LEGAL NAME]",
  "notice_email": "[SECURITY@DOMAIN]"
}

Create a Notion database named “Client DPA Log” with these properties:

• Client (Title)
• Status (Select; Draft / Sent / Signed / Retry)
• PandaDoc ID (Text)
• Signer Email (Email)
• Effective Date (Date)
• Signed At (Date/Time)
• Drive File (Files & media or URL)
• Notes (Text)

Recommended views: “Open items” (Status is not Signed), “Signed last 30 days,” and a calendar view by Effective Date.

Paste this block under your Trust Center’s Security Overview to help reviewers orient quickly.

• SOC 2 TSC mapping (self‑attested):

  • Security: IAM, MFA, encryption, logging (see Security Overview).
  • Availability: Backup/restore cadence; RPO [HRS], RTO [HRS].
  • Processing Integrity: CI/CD with required review; change management.
  • Confidentiality: Least privilege, role‑scoped data access; data minimization.
  • Privacy: DPA in place; DSAR support; retention schedule in Annex A.

• Common questionnaire anchors:

  • CAIQ/CCM alignment: Access control, encryption, incident response, supplier management.
  • SIG domains touched: Program governance, AppSec, Infra, Privacy, Resilience.
  • VSAQ modules covered: Program, Web App, Infra, Physical/Datacenter (where applicable).

Use this format and update every time you change a control, subprocessor, or retention policy.

• [YYYY‑MM‑DD] — [CHANGED/ADDED/REMOVED] [SUBPROCESSOR/CONTROL]; impact: [LOW/MED/HIGH]; notice to customers: [SENT/PLANNED DATE].
• [YYYY‑MM‑DD] — Updated AI provider settings: [DETAIL].
• [YYYY‑MM‑DD] — Amended DPA Annex C: [DETAIL].