Template

Solo Vendor Trust Center + Lite Questionnaire Answer Library

A production‑ready Notion Trust Center outline, a CAIQ‑Lite/SIG Lite answer‑library CSV schema with samples, and a Make/n8n flow spec to intake, autofill, route approvals, and export buyer questionnaires in hours—not days.

Use this template to stand up a public‑facing Trust Center in Notion and a reusable answer library that maps to CAIQ‑Lite/SIG Lite. Duplicate each section, replace [BRACKETS] with your details, upload/link evidence artifacts, then wire up the intake→autofill→approval→export flow in Make or n8n. Ship v1 in a day; harden it over time with versioned updates.

Notion Trust Center — Page Outline (copy/paste)

Paste the outline below into a new Notion page named "[YOUR COMPANY] Trust Center". Keep sections in this order so buyers can skim quickly.

  1. Title + Summary
  • "[YOUR COMPANY] Trust Center"
  • One‑liner: "We help [CUSTOMERS] with [SERVICE]. Here’s how we protect your data."
  2. Current Status & SLAs (chips)
  • Uptime: [UPTIME_TARGET_%]
  • Support First Response: [SLO_FIRST_RESPONSE_HOURS]h (business hours: [SUPPORT_HOURS_TZ])
  • RTO: [RTO_HOURS]h • RPO: [RPO_MINUTES]m
  • Data Retention: [RETENTION_DAYS] days
  • Status page: [STATUS_PAGE_URL]
  3. Security Practices
  • Auth: [SSO/MFA OPTIONS]
  • Encryption: [AT_REST_STANDARD] at rest, [IN_TRANSIT_STANDARD] in transit
  • Backups: [BACKUP_FREQUENCY] to [BACKUP_REGION]
  • Monitoring: [MONITORING_TOOLING]
  • Incident response: [IR_WINDOW_HOURS]h triage, [IR_CONTACT]
  4. Compliance & Reports
  • SOC 2 Type [I/II]: [AVAILABLE/IN PROGRESS]. Request under NDA: [SOC2_REQUEST_LINK]
  • ISO 27001: [CERT/NOT CERTIFIED] • Certificate: [ISO_CERT_LINK]
  • Penetration test: [DATE] summary: [PEN_TEST_SUMMARY_LINK]
  • CSA STAR/CCM mappings: [STAR_LINK]
  5. Privacy & DPA
  • DPA: [DPA_LINK]
  • Subprocessors: see register below
  • Data location: [PRIMARY_REGION/COUNTRY]
  • Data subject requests: [DSAR_EMAIL/PORTAL]
  6. AI & Data Handling
  • AI usage: [MODEL_PROVIDER(S)]
  • Training on customer data: [YES/NO]
  • Retention of prompts/outputs: [POLICY]
  7. Architecture & Data Flows
  • High‑level diagram: [ARCHITECTURE_IMAGE_OR_LINK]
  • Data flows (ingest→process→store): [ONE‑PARAGRAPH SUMMARY]
  8. Subprocessor Register (live table)
  • See table template below.
  9. Evidence Artifacts Index
  • Quick links to PDFs/Notion pages; see template below.
  10. Contact & Questionnaire Intake
  • Security contact: [SECURITY_EMAIL]
  • Questionnaire intake form: [INTAKE_FORM_URL]
  • Preferred standards: CAIQ‑Lite v4.1 / SIG Lite

Subprocessor Register — Table Template + Change Log

Use this markdown table in Notion (convert to database) to publish and maintain your subprocessors.

| Provider | Purpose | Data Types | Storage Location | Transfer Mechanism | Security Page | DPA Link | Last Reviewed | Status |
|---|---|---|---|---|---|---|---|---|
| [PROVIDER_NAME] | [WHY USED] | [PII/LOGS/METADATA] | [REGION/COUNTRY] | [SCCs/UK IDTA/NA] | [SECURITY_URL] | [DPA_URL] | [YYYY‑MM‑DD] | [ACTIVE/REMOVED/PENDING] |

Change log (append entries):

  • [YYYY‑MM‑DD]: Added [PROVIDER_NAME] for [PURPOSE]. Notice posted: [LINK]
  • [YYYY‑MM‑DD]: Removed [PROVIDER_NAME]. Data deletion verified: [LINK]

CAIQ‑Lite/SIG Lite Answer Library — CSV Schema + Samples

Create a CSV named answer_library.csv with the headers below. Store it in a versioned folder and mirror it in a Notion database for browsing.

CSV headers (copy this line):

framework,domain,question_id,canonical_key,question_text,standard_answer,evidence_link,answer_rationale,data_classification,requires_approval,owner,last_reviewed,version,tags,aliases

Field guidance:

  • framework: [CAIQ-Lite v4.1|SIG Lite 2023|Custom]
  • domain: [CCM DOMAIN NAME or SIG CATEGORY]
  • question_id: e.g., [CAIQL-AC-01] or [SIGL-AC-01]
  • canonical_key: slug you’ll match against buyer text, e.g., auth-mfa-required
  • standard_answer: your vetted answer text (1–4 sentences)
  • evidence_link: URL to supporting artifact in the Trust Center
  • answer_rationale: why this is true; control/process reference
  • data_classification: [low|moderate|high]
  • requires_approval: [Y/N] gate for human review
  • aliases: pipe‑separated alternative phrasings to help matching

Sample rows:

CAIQ-Lite v4.1,Access Control,CAIQL-AC-01,auth-mfa-required,"Do you enforce MFA for admin access?","Yes. MFA is enforced for all admin accounts via [IDP_NAME]. End‑user MFA is available as an opt‑in per tenant.",[ACCESS_POLICY_LINK],"IDP policy AC‑3; admin role scope limited.",moderate,N,[OWNER_EMAIL],2026-05-10,1.0,"auth|mfa|admin","MFA for privileged access|administrator MFA required"
SIG Lite 2023,Encryption,SIGL-ENC-02,encryption-at-rest,"Is customer data encrypted at rest?","Yes. All customer data stored using [STORAGE_SERVICE] is encrypted at rest with [AT_REST_STANDARD] (AES‑256).",[SEC_POLICY_LINK],"Storage defaults enforced; KMS managed by provider.",low,N,[OWNER_EMAIL],2026-05-10,1.0,"crypto|at-rest","disk encryption|storage encryption"
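A linter for the schema above, added here as an example that is not part of the template: it checks each row against the field guidance and computes the library-freshness share that the Metrics section tracks. The embedded CSV is constructed from the two sample rows (answers shortened) with two defects planted in the second row; the 90-day freshness window is an assumption.

```python
import csv, io, re
from datetime import date

# Constructed answer_library.csv: the page's header and its two sample rows, shortened and with
# two deliberate defects in the second row (data_classification "Low", requires_approval "Maybe").
ANSWER_LIBRARY_CSV = (
    "framework,domain,question_id,canonical_key,question_text,standard_answer,evidence_link,"
    "answer_rationale,data_classification,requires_approval,owner,last_reviewed,version,tags,aliases\n"
    'CAIQ-Lite v4.1,Access Control,CAIQL-AC-01,auth-mfa-required,"Do you enforce MFA for admin access?",'
    '"Yes. MFA is enforced for all admin accounts via [IDP_NAME].",[ACCESS_POLICY_LINK],'
    'IDP policy AC-3,moderate,N,[OWNER_EMAIL],2026-05-10,1.0,auth|mfa|admin,MFA for privileged access\n'
    'SIG Lite 2023,Encryption,SIGL-ENC-02,encryption-at-rest,"Is customer data encrypted at rest?",'
    '"Yes. Customer data is encrypted at rest with [AT_REST_STANDARD].",[SEC_POLICY_LINK],'
    'Storage defaults enforced,Low,Maybe,[OWNER_EMAIL],2025-11-01,1.0,crypto|at-rest,disk encryption\n')

FRAMEWORKS = {"CAIQ-Lite v4.1", "SIG Lite 2023", "Custom"}
REQUIRED = ("framework", "question_id", "canonical_key", "question_text", "standard_answer",
            "evidence_link", "owner", "last_reviewed")

def lint_library(csv_text, today_iso, freshness_days=90):
    """Return (problems, freshness): problems are 'question_id: issue' strings derived from the
    field guidance; freshness is the share of rows reviewed within freshness_days."""
    today = date.fromisoformat(today_iso)
    rows, problems, fresh = list(csv.DictReader(io.StringIO(csv_text))), [], 0
    for r in rows:
        qid = r.get("question_id") or "<no id>"
        problems += [f"{qid}: missing {f}" for f in REQUIRED if not r.get(f)]
        if r["framework"] not in FRAMEWORKS:
            problems.append(f"{qid}: unknown framework {r['framework']!r}")
        if r["data_classification"] not in ("low", "moderate", "high"):  # lowercase enum
            problems.append(f"{qid}: data_classification must be low|moderate|high")
        if r["requires_approval"] not in ("Y", "N"):
            problems.append(f"{qid}: requires_approval must be Y or N")
        if not re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", r["canonical_key"]):
            problems.append(f"{qid}: canonical_key is not a lowercase hyphenated slug")
        try:  # a stale or unparsable last_reviewed drags the freshness metric down
            fresh += (today - date.fromisoformat(r["last_reviewed"])).days <= freshness_days
        except ValueError:
            problems.append(f"{qid}: last_reviewed is not YYYY-MM-DD")
    return problems, (fresh / len(rows) if rows else 0.0)
```

Run it in CI on every library commit so a row cannot ship with an invalid enum or an expired review date.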

Canonical Mapping Keys — Normalization Rules

Define how you standardize messy buyer questions into your canonical_key so the automation can map answers reliably.

Rules:

  • Lowercase, strip punctuation, replace spaces with hyphens.
  • Remove stop‑words except security terms (e.g., keep "at‑rest", "in‑transit").
  • Normalize synonyms using this small dictionary (extend over time):
    • mfa/2fa → mfa
    • sso/saml/oidc → sso
    • pen test/penetration test → pentest
    • disaster recovery/bcdr → dr
  • Prefer control intent over tool names (e.g., backup-frequency-daily not aws-backup).

Store the dictionary in mapping_rules.json and load it in your flow.

Intake → Autofill → Approval → Export — Flow Spec (Make/n8n)

Implement as a Make/n8n scenario. Use Notion (or Airtable) as the approval queue. Replace [BRACKETS] with your tool choices.

High‑level flow:

  1. Trigger: New intake submitted at [INTAKE_FORM_URL] with fields: [BUYER_NAME], [CONTACT_EMAIL], [QUESTIONNAIRE_TYPE (CAIQ/SIG/Custom)], [FORMAT (XLS/CSV/PORTAL)], [DUE_DATE], [NDA_REQUIRED (Y/N)].
  2. Fetch: Download the questionnaire file or capture portal export (CSV/XLS). Store at [QUESTIONNAIRE_BUCKET].
  3. Parse: Convert to normalized rows: {source_id, question_text, section, row_ref}. If IDs exist, keep them.
  4. Match:
    • Exact: Join on question_id when present.
    • Fuzzy: Generate canonical_key from question_text using mapping_rules.json and a similarity check. Optionally add an LLM similarity step with model [MODEL_NAME] and threshold [CONFIDENCE_THRESHOLD].
  5. Draft Answers: For each row, pull standard_answer + evidence_link from answer_library.csv.
  6. Gate for Review: Flag a row for human review if any of the following holds:
    • requires_approval = Y
    • similarity score < [CONFIDENCE_THRESHOLD]
    • data_classification ∈ {moderate, high}
  7. Create Approval Tasks: Upsert flagged rows into Notion DB "Question Queue" with properties:
    • [Buyer], [Section], [Question Text], [Proposed Answer], [Evidence], [Risk], [Similarity], [Owner], [Due Date], [Status]
  8. Notify: Send Slack/Email to [APPROVER_GROUP_EMAIL] with a link to the queue. Daily digest until cleared.
  9. Export: Merge approved + auto‑approved rows back into buyer format:
    • If XLS: write answers to [ANSWER_COLUMN]
    • If CSV: output answers.csv
    • If portal: generate a paste‑ready markdown file
  10. Package: Create /deliveries/[BUYER_NAME]/[YYYY‑MM‑DD]/ with:
    • answers.[xlsx/csv/md]
    • cover-letter.md
    • evidence/ (only publicly linkable or NDA‑safe items)
  11. Send: Email [CONTACT_EMAIL] with delivery link and Trust Center URL. Log send in CRM/Notion.
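The normalization rules from the previous section and steps 4 to 6 of this flow (match, draft, gate), worked as an added Python example that is not part of this template or of Make/n8n. The stop-word list, the layout of mapping_rules.json, the token-set (Jaccard) similarity standing in for the [MODEL_NAME] step, the 0.6 threshold and the two trimmed library rows are this example's own assumptions.

```python
import re

# Constructed mapping_rules.json content (in the flow: json.load of that file); page synonyms plus
# an assumed stop-word list and the protected security terms.
RULES = {"synonyms": {"2fa": "mfa", "saml": "sso", "oidc": "sso", "pen-test": "pentest",
                      "penetration-test": "pentest", "disaster-recovery": "dr", "bcdr": "dr"},
         "stop_words": {"do", "you", "is", "are", "for", "the", "a", "an", "your", "at", "in"},
         "keep_terms": ["at-rest", "in-transit"]}

def canonical_key(text, rules=RULES):
    """Lowercase, protect keep-terms, strip punctuation, drop stop-words, hyphenate, fold synonyms."""
    for term in rules["keep_terms"]:  # "at rest" -> "at-rest" so the stop-word filter keeps it whole
        text = re.sub(r"\b" + term.replace("-", r"\s+") + r"\b", term, text, flags=re.I)
    text = re.sub(r"[^a-z0-9\s-]", "", text.lower())
    key = "-".join(t for t in text.split() if t not in rules["stop_words"])
    for src, dst in rules["synonyms"].items():  # multi-word synonyms are already hyphenated here
        key = re.sub(rf"(?<![a-z0-9]){re.escape(src)}(?![a-z0-9])", dst, key)
    return key

LIBRARY = [  # constructed answer_library.csv rows (page schema; columns not used here omitted)
    dict(question_id="CAIQL-AC-01", canonical_key="auth-mfa-required", data_classification="moderate",
         requires_approval="N", question_text="Do you enforce MFA for admin access?",
         aliases="MFA for privileged access|administrator MFA required"),
    dict(question_id="SIGL-ENC-02", canonical_key="encryption-at-rest", data_classification="low",
         requires_approval="N", question_text="Is customer data encrypted at rest?",
         aliases="disk encryption|storage encryption")]

def match(buyer_row, library=LIBRARY):
    """Step 4: exact join on question_id if the buyer kept one, else token-set Jaccard on keys."""
    for row in library:
        if buyer_row.get("source_id") and buyer_row["source_id"] == row["question_id"]:
            return row, 1.0
    want = set(canonical_key(buyer_row["question_text"]).split("-"))
    best, best_score = None, 0.0
    for row in library:  # candidates: canonical_key, normalized question_text, normalized aliases
        cands = [row["canonical_key"], canonical_key(row["question_text"])]
        cands += [canonical_key(a) for a in row["aliases"].split("|")]
        for have in (set(c.split("-")) for c in cands):
            score = len(want & have) / len(want | have)
            if score > best_score:
                best, best_score = row, score
    return best, best_score

def review_reasons(row, score, threshold=0.6):
    """Step 6 gate: any reason sends the row to the Question Queue; an empty list auto-approves."""
    reasons = [] if row and score >= threshold else [f"similarity {score:.2f} below {threshold}"]
    if row and row["requires_approval"].upper() == "Y":
        reasons.append("requires_approval = Y")
    if row and row["data_classification"] in ("moderate", "high"):
        reasons.append("data_classification = " + row["data_classification"])
    return reasons
```

A buyer question with no library counterpart (for example a pentest question when the library has none) scores 0.0 and is routed to review rather than answered with the nearest wrong row.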

Node sketch (pseudocode):

Trigger(FormSubmit) → Router(File vs Portal)
  → Download(File)
  → Parse(XLS/CSV)
  → Map(Generate canonical_key)
  → SimilarityCheck([MODEL_NAME], threshold=[CONFIDENCE_THRESHOLD])
  → Lookup(answer_library.csv)
  → Filter(approval conditions)
  → Notion.CreateOrUpdate(Question Queue)
  → Slack/Email.Notify(Approvers)
  → Wait for approvals (poll or webhook)
  → Assemble Export (format-aware)
  → S3/Drive.Upload(package)
  → Email.Send(cover + link)
  → Notion.Append(Deal Log)

Human Approval Queue — Notion DB + Checklists

Create a Notion database named "Question Queue" with these properties:

  • Buyer (relation/select): [BUYER_NAME]
  • Section (text): [QUESTION_SECTION]
  • Question Text (rich text)
  • Proposed Answer (rich text)
  • Evidence (url)
  • Risk (select): [low|moderate|high]
  • Similarity (number): [0–1]
  • Owner (person/email)
  • Due Date (date)
  • Status (select): [Needs Review|Approved|Edited|Rejected]
  • Decision Notes (rich text)

Approval checklist (use in a Notion template button):

  • Does the answer reflect current practice? [YES/NO]
  • Is evidence link accessible and correct? [YES/NO]
  • Any customer‑specific caveats needed? [TEXT]
  • Redaction applied where required? [YES/NO]

Notification templates:

  • Email subject: "[YOUR COMPANY] — [BUYER_NAME] questionnaire items need review by [DUE_DATE]"
  • Slack: "[BUYER_NAME] — [COUNT] items waiting. Queue: [QUEUE_LINK]"

Export Pack — Folder Structure + Cover Letter

Create a folder per delivery:

/deliveries/[BUYER_NAME]/[YYYY-MM-DD]/
  ├─ answers.[xlsx/csv/md]
  ├─ cover-letter.md
  └─ evidence/
      ├─ dpa.pdf
      ├─ pentest-summary.pdf
      └─ security-policy.pdf

Cover letter (paste into cover-letter.md):

Subject: [YOUR COMPANY] — Completed [QUESTIONNAIRE_TYPE] for [BUYER_NAME]

Hi [CONTACT_NAME],

Attached is our completed [QUESTIONNAIRE_TYPE]. Public artifacts are in our Trust Center: [TRUST_CENTER_URL]. Items marked "under NDA" can be shared upon request.

Highlights:

  • Uptime target: [UPTIME_TARGET_%]; Status: [STATUS_PAGE_URL]
  • Encryption: [AT_REST_STANDARD] at rest, [IN_TRANSIT_STANDARD] in transit
  • DR: RTO [RTO_HOURS]h / RPO [RPO_MINUTES]m

Please reply to [SECURITY_EMAIL] for any follow‑ups.

Thanks,
[YOUR NAME], [TITLE]

Buyer Intake Form — Fields + Auto‑Reply

Build the intake form in your form tool of choice and map fields to your flow.

Required fields:

  • Company name: [BUYER_NAME]
  • Contact email: [CONTACT_EMAIL]
  • Questionnaire type: [CAIQ‑Lite v4.1|SIG Lite|Custom]
  • Format: [XLS|CSV|Portal]
  • Due date: [YYYY‑MM‑DD]
  • NDA required: [Y/N]
  • Notes/scope: [FREE TEXT]
  • Data sensitivity: [low|moderate|high]

Auto‑reply email (send instantly):

  • Subject: "We received your questionnaire — [YOUR COMPANY]"
  • Body: "We’ll return your [QUESTIONNAIRE_TYPE] by [DUE_DATE]. Our Trust Center is here: [TRUST_CENTER_URL]. If portal access is needed, whitelist [SECURITY_EMAIL]."

Risk Tiering & Escalation Defaults

Use this default play and escalate only when risk warrants it.

Tiers:

  • Tier 1 (Low): No regulated data; minimal PII/metadata; standard SaaS use. Default: CAIQ‑Lite/SIG Lite + Trust Center.
  • Tier 2 (Moderate): Limited PII or contractual obligations (e.g., DPAs with custom terms). Default: Lite + 3–5 supplemental answers; NDA‑gated evidence allowed.
  • Tier 3 (High): Regulated data (HIPAA/PCI/GLBA) or high impact. Escalate to SIG Core or bespoke; involve counsel; provide deeper evidence under NDA.

Escalation triggers (any → Tier 3):

  • Handles special category data or payment card data
  • Contract demands on RTO/RPO exceeding [RTO_HOURS]/[RPO_MINUTES]
  • Buyer policy forbids lite instruments

Response when declining bespoke: "Our standard lite package addresses low‑risk evaluations efficiently. If your use case is higher‑risk, we can proceed under NDA with [SIG Core/bespoke] scoped to impacted controls."

Default Disclosures & SLA Chips — Fill‑ins

Add these defaults where appropriate; replace with your numbers.

  • Uptime target: [UPTIME_TARGET_%] (e.g., 99.9%). Status: [STATUS_PAGE_URL]
  • Support hours: [SUPPORT_HOURS_TZ]
  • Incident triage: acknowledge within [IR_ACK_HOURS]h; customer notification per [IR_POLICY_LINK]
  • Backup frequency: [BACKUP_FREQUENCY] to [BACKUP_REGION]
  • Data deletion: within [DELETION_SLA_DAYS] days of request/termination
  • Access reviews: [REVIEW_CADENCE] (e.g., quarterly)

Note: Publish only what you can consistently meet. If numbers differ per plan, label them clearly.

Governance & Versioning — Callouts + Changelog

Add a Notion "Version" callout at the top of your Trust Center and keep a separate CHANGELOG.md in your repo or Notion.

Version callout (paste as a block):

  • Version: [MAJOR.MINOR]
  • Last updated: [YYYY‑MM‑DD]
  • Changes: [ONE‑LINE SUMMARY]

Changelog entries (append newest on top):

## [1.1] — 2026‑05‑29
- Added new subprocessor [PROVIDER_NAME]; posted 30‑day notice.
- Updated encryption at rest to [AT_REST_STANDARD].

## [1.0] — 2026‑05‑15
- Initial Trust Center published with CAIQ‑Lite/SIG Lite answer library.

Review cadence: set a recurring task for [REVIEW_OWNER] every [REVIEW_CADENCE] (e.g., 90 days).

Evidence Sharing & Redaction — Rules + Disclaimer

Before sharing any private evidence, apply these rules.

  • Redact: mask internal IPs, usernames, and specific rule IDs in reports
  • Summaries: share executive summaries; keep raw findings under NDA
  • Watermark: "Confidential — [BUYER_NAME] — [DATE]"
  • Link expiry: use expiring links for private files: [EXPIRY_DAYS]
  • Access list: restrict to [CONTACT_EMAIL] + [NEEDED RECIPIENTS]

Standard disclaimer snippet: "Private evidence is provided solely for evaluation under NDA and must not be redistributed without written consent."

Metrics — What to Measure & Targets

Track process health and prove speed without adding headcount.

  • Cycle time: submitted → delivered (target: [CYCLE_TIME_HOURS]h)
  • Auto‑fill coverage: answered without human edits / total (target: [COVERAGE_%]%)
  • Exception rate: human‑reviewed / total (target: [EXCEPTION_%]%)
  • First‑pass acceptance: accepted without rework / total (target: [ACCEPT_%]%)
  • Library freshness: % rows reviewed in last [FRESHNESS_DAYS] days (target: 100%)

CTA & Contact — Copy Snippets

Use this for portal pages and emails.

Short CTA (Trust Center hero): "Need our security answers fast? Submit your questionnaire here → [INTAKE_FORM_URL]"

Footer contact block: "Security questions? Email [SECURITY_EMAIL]. Media/legal: [MEDIA_OR_LEGAL_EMAIL]."

Status chip legend (use as hover text):

  • Operational: All services normal
  • Degraded: Minor impact; see status page
  • Incident: Active investigation; updates on status page