Security Positioning Library
Security as Strategy

Stop Answering Security Questions. Start Winning Deals.

A complete toolkit for transforming your security program from a sales obstacle into a competitive weapon. Templates, checklists, and examples used by the fastest-growing B2B companies.

11 Resources · 50+ Audit Criteria · 60+ Questionnaire Answers

Core Resources (9 templates)
01

Security Positioning Audit Scorecard

50-criteria checklist across 5 maturity levels. Honestly assess where you are and identify highest-impact gaps.

Security Positioning Audit Scorecard

Level 1: Public Presence (Website & Trust Center)

Criteria | Y/N | Link/Evidence | Priority
Dedicated security page exists
Trust center or security portal live
SOC 2 badge/certification displayed
Other certifications listed (ISO 27001, HIPAA, etc.)
Security contact email visible
Status page linked
Privacy policy current and accessible
Terms of service current
DPA template available
Sub-processor list published

Level 2: Sales Enablement Materials

Criteria | Y/N | Link/Evidence | Priority
Security one-pager exists
Security FAQ document maintained
SOC 2 report shareable (under NDA)
Pen test executive summary available
Architecture diagram ready
Encryption whitepaper exists
Sales team trained on security positioning
Security slide deck for enterprise deals
Competitive differentiation documented
Case studies mention security wins

Level 3: Questionnaire Readiness

Criteria | Y/N | Link/Evidence | Priority
Questionnaire response database exists
Database has 100+ pre-written answers
Answers include supporting evidence links
Answers updated within last 6 months
SIG Lite responses prepared
CAIQ responses prepared
HECVAT responses prepared (if applicable)
Average questionnaire turnaround < 5 days
Dedicated owner for questionnaires
Answers positioned offensively (not just defensive)

Level 4: Proactive Marketing

Criteria | Y/N | Link/Evidence | Priority
Security mentioned in marketing materials
Blog posts about security practices
Security certifications in email signatures
Security badges on website footer
Security highlighted in product demos
Security ROI messaging developed
Competitor security comparison available
Press releases for major security milestones
Security leader quoted in content
Webinars or talks about security approach

Level 5: Customer Communications

Criteria | Y/N | Link/Evidence | Priority
Annual security update email template exists
Customers notified of new certifications
Proactive breach notification process documented
Customer-facing security roadmap shared
Security included in QBRs
Customer security portal access provided
Incident communication templates ready
Sub-processor change notifications sent
Policy update notifications process exists
Customer testimonials on security

Quick Wins (Do This Week)

These items take <1 day each and have immediate impact on security reviews:

  • Security contact email: Create security@company.com, add it to the website, and publish it in /.well-known/security.txt (RFC 9116) so researchers and scanners find it automatically (1 hour)
  • Security page: Basic page with your approach, certifications, contact (2-4 hours)
  • Sub-processor list: Simple spreadsheet of vendors that touch customer data (2 hours)
  • DPA template: Adapt a standard template for your company (with legal review)
  • Status page: Set up Statuspage.io or similar (1-2 hours)
  • Security badges in footer: Add SOC 2 / cloud provider badges to website (30 min)
  • Security one-pager: One page PDF with your security posture (2-4 hours)
  • Questionnaire database: Start with top 20 most-asked questions (4 hours)

Medium Effort (This Month)

  • Security FAQ document (20-30 questions)
  • Architecture diagram (sanitized for sharing)
  • Expand questionnaire database to 100+ answers
  • Sales team security training session
  • Trust center page or portal

Longer Term (This Quarter)

  • SOC 2 Type I/II report (an attestation by a CPA firm, not a certification)
  • First penetration test
  • Dedicated security hire or vCISO
  • Comprehensive policy documentation
  • Customer security portal

Scoring Guide

  • 0-15 Yes: Foundation needed — focus on Quick Wins first
  • 16-30 Yes: Making progress — prioritize questionnaire efficiency
  • 31-40 Yes: Strong position — move to proactive marketing
  • 41-50 Yes: Security leader — optimize and maintain
02

Security Questionnaire Response Database

150+ common questions with answer templates. The highest-ROI asset for enterprise sales.

Questionnaire Response Database Template

Data Protection & Encryption

Question | Answer Template | Evidence
How is data encrypted at rest? | All customer data is encrypted at rest using AES-256 with [KMS provider]-managed keys. Keys are rotated [frequency] and are never stored alongside the encrypted data. | SOC 2 Report §4.2
How is data encrypted in transit? | All data in transit is protected with TLS 1.2 as the minimum version and TLS 1.3 preferred wherever the client supports it; SSLv3 and TLS 1.0/1.1 are disabled. We enforce HSTS on all web endpoints and use certificate pinning in our mobile applications. | Pen test report, SSL Labs scan
Where is customer data stored? | Customer data is stored in [Cloud Provider] [Region]. EU data residency is available upon request. Data does not leave the designated region without explicit customer consent. | Architecture diagram, DPA
What is your data retention policy? | Customer data is retained for the duration of the contract plus [X days]. Upon termination, data is permanently deleted within [X days] from production and [X days] from backups. Deletion certificates are available upon request. | Data Retention Policy
Do you sell or share customer data? | No. We never sell, rent, or share customer data with third parties for their own purposes. Sub-processors are listed in our DPA and process data solely to provide our service. | Privacy Policy, Sub-processor list

Access Control & Authentication

Question | Answer Template | Evidence
What authentication methods do you support? | We support SAML 2.0 and OIDC for enterprise SSO integration. Native MFA is available via TOTP authenticator apps. Enterprise plans include configurable password policies and session timeouts. | SSO documentation
How do you manage employee access to customer data? | Employee access follows least-privilege principles. Production access requires just-in-time approval, expires after [X hours], and is fully logged. Quarterly access reviews are conducted by management. | Access Control Policy, SOC 2 §5.1
Do you support role-based access control? | Yes. Our platform supports granular RBAC with predefined roles (Admin, Editor, Viewer) plus custom roles for Enterprise customers. Permissions are enforced at the API level. | RBAC documentation
Can I see who accessed my data? | Yes. Comprehensive audit logs capture all access events and are retained for [X months/years]. Logs are available for export in JSON format. Enterprise plans include real-time access alerts. | Audit logging documentation
How do you handle privileged access? | Privileged access is managed through [PAM tool] with just-in-time provisioning. All privileged sessions are recorded and reviewed. Standing admin access is prohibited. | SOC 2 Report §5.2

Security Testing & Vulnerabilities

Question | Answer Template | Evidence
How often do you perform penetration testing? | Annual comprehensive penetration testing is performed by [Vendor name], a recognized third-party firm. Most recent test: [Month Year]. All critical findings were remediated within [X days]. Executive summaries are available under NDA. | Pen test executive summary
How do you handle vulnerability management? | Continuous vulnerability scanning via [Scanner]. Remediation SLAs: Critical 48-72 hours, High 14 days, Medium 30 days. CI/CD includes automated dependency scanning; builds fail on critical vulnerabilities. | Vulnerability Management Policy
Do you have a bug bounty program? | We maintain a responsible disclosure program at [URL]. Security reports are acknowledged within 48 hours, with status updates every 7 days. [Formal bounty program details, if applicable.] | Security policy on website
How quickly do you patch critical vulnerabilities? | Critical vulnerabilities affecting customer data are remediated within 48-72 hours. We maintain emergency patching runbooks and can deploy to production within [X hours]. Recent track record: Log4j (CVE-2021-44228) patched in [X hours]. | Incident response records
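The SLA numbers in the answers above are only as credible as the tracking behind them, and both the questionnaire answer and the annual customer update (later in this library) ask for an on-time percentage. The script below is an added example, not part of this library's templates or any vendor's tooling: it computes due dates from a severity table that mirrors the template (Critical measured against the 72-hour outer bound, High 14 days, Medium 30 days) and reports overdue findings and SLA performance. The Low tier, the finding fields, and the sample findings are assumptions constructed for the demo.

```python
"""Remediation-SLA tracking for vulnerability findings.

Added example, not the page's own tooling. The SLA table mirrors the answer
template (Critical 48-72h, High 14d, Medium 30d); the Low tier, the finding
schema and the sample data are assumptions constructed for the demo."""
from datetime import datetime, timedelta

# Hours allowed from detection to remediation, per severity.
SLA_HOURS = {
    "critical": 72,      # template says 48-72h; measure against the outer bound
    "high": 14 * 24,
    "medium": 30 * 24,
    "low": 90 * 24,      # assumed; the template does not state a Low SLA
}

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-03-01T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def due_at(finding: dict) -> datetime:
    """Remediation deadline for a finding based on its severity."""
    return parse_ts(finding["detected"]) + timedelta(hours=SLA_HOURS[finding["severity"]])

def sla_status(finding: dict, now: datetime) -> str:
    """met: fixed within SLA; breached: fixed late; open: unfixed and within SLA;
    overdue: unfixed and past due."""
    due = due_at(finding)
    if finding.get("fixed"):
        return "met" if parse_ts(finding["fixed"]) <= due else "breached"
    return "open" if now <= due else "overdue"

def sla_report(findings: list[dict], now: datetime) -> dict:
    """Summary a security lead can quote: on-time percentage for closed
    findings, the overdue open ones, and counts per status."""
    statuses = {f["id"]: sla_status(f, now) for f in findings}
    closed = [s for s in statuses.values() if s in ("met", "breached")]
    return {
        "on_time_pct": round(100 * closed.count("met") / len(closed), 1) if closed else None,
        "overdue": sorted(i for i, s in statuses.items() if s == "overdue"),
        "counts": {k: list(statuses.values()).count(k)
                   for k in ("met", "breached", "open", "overdue")},
    }

# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    {"id": "VULN-101", "severity": "critical", "detected": "2026-03-01T10:00:00Z", "fixed": "2026-03-03T09:00:00Z"},
    {"id": "VULN-102", "severity": "high", "detected": "2026-02-01T00:00:00Z", "fixed": "2026-02-20T00:00:00Z"},
    {"id": "VULN-103", "severity": "medium", "detected": "2026-03-01T00:00:00Z"},
    {"id": "VULN-104", "severity": "critical", "detected": "2026-03-10T00:00:00Z"},
    {"id": "VULN-105", "severity": "low", "detected": "2026-01-01T00:00:00Z", "fixed": "2026-02-01T00:00:00Z"},
]
NOW = parse_ts("2026-03-15T00:00:00Z")  # constructed "as of" time for the demo

if __name__ == "__main__":
    print(sla_report(SAMPLE_FINDINGS, NOW))
```

With the sample data, VULN-102 (a High fixed on day 19) counts as breached and VULN-104 (a Critical open for five days) is overdue, so the report shows 66.7% on-time for closed findings. Run it against your scanner's export on a schedule and the "SLA performance" metric in your annual update comes from the same function you would show an auditor.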

Compliance & Certifications

Question | Answer Template | Evidence
What compliance certifications do you hold? | SOC 2 Type II report covering Security, Availability, and Confidentiality, examined by [Auditor]; most recent report: [Month Year]. Also: [ISO 27001 certificate, if held]. Regulatory frameworks we support: [GDPR, CCPA, HIPAA, etc.]. | SOC 2 Report, certificates
Can you sign a BAA? | Yes. We offer HIPAA-compliant configurations and execute BAAs for qualifying customers. HIPAA features include enhanced audit logging, automatic session timeout, and restricted data export. | BAA template
Are you GDPR compliant? | Yes. We act as a data processor under GDPR. We offer DPA execution, EU data residency, sub-processor transparency, data export/deletion tools, and DSAR support within 14 days. | DPA, Privacy Policy
How do I access your SOC 2 report? | Our SOC 2 Type II report is available to prospective and current customers under NDA. Request it via [security email]. Typical delivery: 1 business day after NDA execution. | NDA template, SOC 2 Report

Wording note: SOC 2 is an attestation report issued by a CPA firm under AICPA standards, not a certification, and GDPR, CCPA, and HIPAA are regulations you comply with, not certifications you hold. Reviewers who know the difference notice "SOC 2 certified" and "HIPAA certified"; write "SOC 2 Type II report" and "HIPAA-compliant" instead.

Incident Response

Question | Answer Template | Evidence
What is your incident response process? | Documented Incident Response Plan, tested annually via tabletop exercises. The security team leads response, with executive involvement for high-severity incidents. Mean time to acknowledge: [X minutes]. | IRP summary, tabletop records
How will you notify us of a breach? | For confirmed breaches affecting customer data, we notify your designated security contacts directly, without undue delay and no later than 72 hours after confirmation, including scope, impact, and remediation steps. That window is chosen so you can meet your own regulatory deadlines as the controller (for example GDPR Article 33's 72-hour notification to the supervisory authority). A full post-incident report follows within 30 days. | Incident Response Policy
Have you experienced a breach? | We have not experienced a breach resulting in unauthorized access to customer data. We have contained security incidents (attempted intrusions) before any impact. We are happy to discuss our incident history directly. | Incident records (under NDA)

Infrastructure & Business Continuity

Question | Answer Template | Evidence
Where is your infrastructure hosted? | 100% cloud-hosted on [AWS/GCP/Azure], primarily in [region] with failover in [region]. No on-premise infrastructure. The environment uses VPC isolation and security groups, and backend services have no direct internet exposure. | Architecture diagram
What is your uptime SLA? | [99.9%/99.95%] uptime SLA. Trailing 12-month actual: [X%]. SLA credits apply for missed targets. Real-time status: [status page URL]. | MSA, Status page
What are your RTO and RPO? | RTO: [X hours]. RPO: [X hours]. Tested quarterly via DR drills; most recent: [Month Year]. All targets met in testing. | DR Plan, drill records
How do you handle backups? | Automated daily backups, encrypted with AES-256 and replicated to a separate region. Retention: [X days]. Restoration is tested quarterly. Point-in-time recovery is available. | Backup Policy, test records

Network & Application Security

Question | Answer Template | Evidence
How do you segment your network? | Production, staging, and development environments are fully isolated in separate [VPCs/accounts]. Within production we segment by function: web, application, and data tiers run in separate subnets, with security group rules restricting traffic to required paths only. | Architecture diagram
Do you use a Web Application Firewall (WAF)? | Yes. [AWS WAF/Cloudflare/etc.] is deployed in front of all customer-facing endpoints, with managed and custom rules covering common OWASP Top 10 attack patterns (injection, XSS, malformed requests) plus application-specific patterns. The WAF is a defense-in-depth layer on top of secure coding and testing, not a substitute for them. WAF logs are retained for [X days] and reviewed for attack patterns. | WAF configuration, logs
How do you protect against DDoS attacks? | [Cloud provider] DDoS protection is enabled on all public endpoints. Our architecture auto-scales under load. We have mitigated attacks of up to [X Gbps] without customer impact. | Incident records
Do you perform static/dynamic application security testing? | SAST is integrated into our CI/CD pipeline via [tool]; builds fail on high-severity findings. DAST scans run [weekly/before releases]. Results are triaged by engineering and tracked to resolution. | CI/CD configuration, scan reports
How do you manage secrets and API keys? | Secrets are managed through [AWS Secrets Manager/HashiCorp Vault/etc.]. No secrets live in code repositories; pre-commit hooks scan staged changes and block accidental commits. Secrets are rotated [frequency]. Access is logged and auditable. | Secrets management policy
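The pre-commit hook in the secrets answer is easy to promise and easy for a reviewer to ask about, so it pays to know what one actually does. The script below is an added example, not this library's or any vendor's tooling: it is the scanning logic such a hook runs over the output of `git diff --cached`, matching known credential formats by regex and applying a Shannon-entropy test to assignments to secret-looking names so that tokens without a recognizable prefix are still caught while placeholders are not. The patterns, the 3.5 bits-per-character threshold, and the sample diff are assumptions; the AWS access key in the sample is the placeholder AWS uses in its own documentation, not a live credential.

```python
"""Scan text (normally a staged diff) for likely secrets before it is committed.

Added example, not the page's own tooling. Patterns and thresholds are
assumptions; tune them to your codebase."""
import math
import re

# High-confidence patterns: known key formats and key-material headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
}
# Lower-confidence: a secret-looking name assigned a long literal value.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for empty input)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str) -> list[dict]:
    """Return one finding per suspicious line with the rule that fired.
    In a unified diff only added lines are inspected; plain text is scanned as-is."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("-") and not line.startswith("---"):
            continue  # removed line: nothing new is being committed
        body = line[1:] if line.startswith("+") and not line.startswith("+++") else line
        for name, pat in PATTERNS.items():
            if pat.search(body):
                findings.append({"line": lineno, "rule": name, "text": body.strip()})
                break
        else:
            m = ASSIGNMENT.search(body)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy_assignment", "text": body.strip()})
    return findings

def precommit_ok(diff: str) -> bool:
    """Hook verdict: True lets the commit proceed, False blocks it."""
    return not scan_text(diff)

# Constructed sample diff (no real credentials). Lines 2, 5 and 7 should be caught;
# the environment lookup, the low-entropy placeholder and the removed line should not.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+API_KEY = "changemechangemechangeme"
+STRIPE_SECRET = "sk_live_9vX2pQm7Lr4TzK8wB3nYd6Fh"
-OLD_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']}: {f['text']}")
    print("commit allowed" if precommit_ok(SAMPLE_DIFF) else "commit blocked")
```

To wire it up, call scan_text on `git diff --cached` from .git/hooks/pre-commit (or a pre-commit framework hook) and exit non-zero when precommit_ok is False. Expect to tune the entropy rule: it trades false positives on random-looking test fixtures for catching tokens that have no known prefix, and the hook should be backed by a server-side scan because developers can bypass local hooks.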

Logging, Monitoring & Detection

Question | Answer Template | Evidence
What do you log and for how long? | We log authentication events, API access, admin actions, security events, and system changes. Logs are centralized in [SIEM/logging platform], retained for [X months/years], and immutable. Customer activity logs are available for export. | Logging policy, retention schedule
How do you detect security incidents? | 24/7 monitoring via [tools] with alerting through [PagerDuty/Opsgenie]. We monitor for anomalous login patterns, privilege escalation attempts, and known attack signatures. Mean time to detect: [X minutes/hours]. | Monitoring runbooks, alert configuration
Do you use a SIEM? | [Yes, we use X / We centralize logs in X, which provides SIEM-like capabilities]. Security-relevant events are correlated and generate alerts based on defined rules. We review and tune detection rules [frequency]. | SIEM configuration
How do you handle log integrity? | Logs are written to append-only storage. [Describe tamper protection: separate account, WORM storage, cryptographic verification such as hash chaining with the chain head anchored outside the logging account, etc.] Logs cannot be modified or deleted by application or operations teams. | Logging architecture
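"Cryptographic verification" in the log-integrity answer usually means a hash chain: every record commits to the hash of the record before it, so an edit, deletion, or reordering anywhere in the history changes every hash after it. The block below is an added example, not this library's or any vendor's logging pipeline, showing the chain, the verifier, and the one failure mode a chain alone cannot catch: silently dropping the newest entries. That is why the chain head must be anchored somewhere the logging account cannot write (a separate account or WORM store), which is the pairing the answer template describes. The genesis value, record fields, and sample events are assumptions constructed for the demo.

```python
"""Tamper-evident audit log using a SHA-256 hash chain.

Added example, not the page's own logging pipeline. Each stored entry commits
to the hash of the previous one, so editing, deleting or reordering any entry
breaks verification from that point on. The genesis value, record fields and
sample events are assumptions constructed for the demo."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed anchor for the first entry

def _digest(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so identical events always
    # hash identically regardless of dict insertion order.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append(chain: list[dict], event: dict) -> dict:
    """Link a new event to the current chain head and return the stored entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "prev": prev, "event": event, "hash": _digest(prev, seq, event)}
    chain.append(entry)
    return entry

def verify(chain: list[dict]) -> tuple[bool, int]:
    """Recompute the chain from genesis. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != _digest(prev, i, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, -1

def head_hash(chain: list[dict]) -> str:
    """Value to publish outside the logging account (separate account, WORM store)."""
    return chain[-1]["hash"] if chain else GENESIS

# Constructed sample events (not real log data): a just-in-time production access flow.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00Z", "actor": "alice", "action": "login", "result": "success"},
    {"ts": "2026-03-01T09:05:12Z", "actor": "alice", "action": "prod_access_request", "ticket": "SUP-1234"},
    {"ts": "2026-03-01T09:06:40Z", "actor": "bob", "action": "approve", "ticket": "SUP-1234"},
    {"ts": "2026-03-01T13:06:41Z", "actor": "system", "action": "access_expired", "ticket": "SUP-1234"},
]

def build_chain(events: list[dict]) -> list[dict]:
    chain: list[dict] = []
    for e in events:
        append(chain, e)
    return chain

def demo() -> dict:
    """Show what the chain catches and what it cannot catch on its own."""
    chain = build_chain(SAMPLE_EVENTS)
    anchor = head_hash(chain)                 # stored out of band at write time
    results = {"intact": verify(chain)}
    edited = copy.deepcopy(chain)
    edited[2]["event"]["actor"] = "alice"      # rewrite history: approval becomes self-approval
    results["edited"] = verify(edited)
    deleted = copy.deepcopy(chain)
    del deleted[1]                             # remove the access request entirely
    results["deleted"] = verify(deleted)
    truncated = chain[:-1]                     # drop the newest entry
    results["truncated"] = verify(truncated)   # passes: the chain alone cannot see tail loss
    results["truncated_matches_anchor"] = head_hash(truncated) == anchor  # the anchor does
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The edited and deleted cases fail verification at the first affected index, which also tells an investigator where the history diverges. The truncated chain verifies cleanly, so a reviewer asking "how do you handle log integrity" is really asking where the head hash goes and who can write there.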

HR & Physical Security

Question | Answer Template | Evidence
Do you perform background checks on employees? | Yes. All employees undergo background checks before starting, including [criminal, employment verification, education, etc.]. Checks are performed by [vendor]. Contractors with access to customer data undergo equivalent screening. | HR policy
What security training do employees receive? | All employees complete security awareness training at hire and annually thereafter. Engineering receives additional secure coding training. Phishing simulations run [frequency]. Completion is tracked and required for continued access. | Training records, completion rates
How do you handle employee offboarding? | Access is revoked within [X hours] of termination. Automated workflows disable SSO, revoke VPN/cloud access, and trigger laptop return. Offboarding is verified by IT and HR. We maintain logs of access revocation. | Offboarding checklist, access logs
Do you have physical office security? | [Describe: badge access, visitor logs, cameras, etc., or "We are fully remote with no physical office."] All employees work on company-managed devices with endpoint protection. [If applicable: data center physical security is handled by our cloud provider.] | Physical security policy
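Offboarding is one of the few HR controls an auditor can test mechanically: take the termination list from HR, take account state from the identity provider, and join them. The block below is an added example, not this library's or any vendor's tooling, that performs that reconciliation and flags the three ways the "revoked within [X hours]" claim fails in practice: an account still enabled past the window, an account disabled late, and a successful login recorded after the termination timestamp. The 24-hour window, the record fields, and the sample data are assumptions constructed for the demo.

```python
"""Offboarding control check: reconcile HR terminations against identity
provider (IdP) account state and find access that outlived the employee.

Added example, not the page's own tooling. The 24-hour revocation window,
the record fields and the sample data are assumptions constructed for the demo."""
from datetime import datetime, timedelta

REVOCATION_WINDOW = timedelta(hours=24)  # stands in for "[X hours]" in the template

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-03-02T17:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def offboarding_exceptions(terminations: list[dict], accounts: list[dict], now: datetime) -> list[dict]:
    """One record per problem found for a terminated user:
    no_idp_record (revocation cannot be evidenced), still_active past the window,
    disabled_late, or login_after_termination."""
    by_user = {a["user"]: a for a in accounts}
    exceptions = []
    for t in terminations:
        term_at = parse_ts(t["terminated"])
        deadline = term_at + REVOCATION_WINDOW
        acct = by_user.get(t["user"])
        if acct is None:
            exceptions.append({"user": t["user"], "issue": "no_idp_record"})
            continue
        if acct["status"] == "active" and now > deadline:
            exceptions.append({"user": t["user"], "issue": "still_active",
                               "hours_overdue": round((now - deadline) / timedelta(hours=1), 1)})
        elif acct.get("disabled_at") and parse_ts(acct["disabled_at"]) > deadline:
            exceptions.append({"user": t["user"], "issue": "disabled_late",
                               "hours_late": round((parse_ts(acct["disabled_at"]) - deadline) / timedelta(hours=1), 1)})
        # A login after the termination timestamp is a finding even if the account
        # was eventually disabled on time: it means access was used post-employment.
        if acct.get("last_login") and parse_ts(acct["last_login"]) > term_at:
            exceptions.append({"user": t["user"], "issue": "login_after_termination"})
    return exceptions

# Constructed sample data (not real HR or IdP records).
SAMPLE_TERMINATIONS = [
    {"user": "alice", "terminated": "2026-03-02T17:00:00Z"},
    {"user": "bob", "terminated": "2026-03-05T17:00:00Z"},
    {"user": "carol", "terminated": "2026-03-01T17:00:00Z"},
    {"user": "dave", "terminated": "2026-03-03T12:00:00Z"},
]
SAMPLE_ACCOUNTS = [
    {"user": "alice", "status": "disabled", "disabled_at": "2026-03-02T17:30:00Z", "last_login": "2026-03-02T09:00:00Z"},
    {"user": "bob", "status": "active", "last_login": "2026-03-06T08:12:00Z"},
    {"user": "carol", "status": "disabled", "disabled_at": "2026-03-04T10:00:00Z", "last_login": "2026-02-28T15:40:00Z"},
    {"user": "erin", "status": "active", "last_login": "2026-03-09T11:00:00Z"},  # current employee, not in scope
]
NOW = parse_ts("2026-03-10T00:00:00Z")  # constructed "as of" time for the demo

if __name__ == "__main__":
    for e in offboarding_exceptions(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS, NOW):
        print(e)
```

On the sample data alice is clean, bob is both still active (79 hours past the window) and logged in after termination, carol was disabled 41 hours late, and dave has no IdP record at all, which is flagged because a missing account is not evidence that access was revoked on time. The output of a run like this, kept per quarter, is exactly the artifact the "Offboarding checklist, access logs" evidence column refers to.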

Change Management & SDLC

Question | Answer Template | Evidence
How do you manage code changes? | All code changes require peer review before merge. CI/CD runs automated tests, security scans, and quality checks. Production deployments require [approval process]. We can roll back deployments within [X minutes]. | SDLC documentation, CI/CD config
How do you separate development, test, and production environments? | Environments are fully isolated in separate [accounts/VPCs]. Production data is never used in dev/test; we use synthetic or anonymized data. Credentials and configurations are environment-specific. | Architecture diagram
Do you have a formal change management process? | Yes. Changes are tracked in [Jira/ticketing system], require documented approval, and include rollback plans for significant changes. Emergency changes follow an expedited process with post-implementation review. | Change management policy
How do you handle third-party libraries and dependencies? | Dependencies are scanned via [Snyk/Dependabot/etc.] in CI/CD. Vulnerabilities are prioritized by severity with SLAs matching our vulnerability management policy. We maintain a software bill of materials (SBOM) for production systems. | Dependency scanning reports

AI & Machine Learning

Question | Answer Template | Evidence
Do you use AI/ML in your product? | [Yes, for X features / No, we do not currently use AI/ML.] [If yes: describe what the AI does, whether it is customer-facing, and what data it uses.] | Product documentation
Is customer data used to train AI models? | [No, customer data is never used for training / Yes, only with explicit consent and for X purpose.] Training data is [describe: proprietary, licensed, synthetic, etc.]. Customers can [opt out / review what data is used]. | AI/ML policy, privacy policy
Do you use third-party AI services (OpenAI, etc.)? | [Yes, we use X for Y / No.] [If yes: data sent to providers is limited to X, providers are listed in our sub-processor list, and we use enterprise agreements with data protection provisions.] | Sub-processor list, vendor agreements
Can we disable AI features? | [Yes, AI features can be disabled at the account/org level / AI is integral to core functionality but can be configured / AI features are optional add-ons.] Contact your account manager to discuss configuration options. | Product settings documentation
How do you prevent sensitive data from being sent to AI providers? | [We do not send customer data to AI providers / Data is filtered or anonymized before processing / We use an on-premise or private AI deployment / Our vendor DPAs include zero-retention clauses.] | Data flow documentation, vendor DPAs

Database Maintenance Tips

  • Update answers after any certification, audit, or policy change
  • Include specific dates, vendor names, and metrics where possible
  • Link to supporting evidence (even if internal-only references)
  • Review quarterly—stale answers cost deals
  • Track which questions appear most frequently to prioritize updates
03

Competitor Security Teardown Template

Framework for auditing competitor security pages. Know what you're up against.

Competitor Security Teardown

Competitor Overview

Field | Competitor 1 | Competitor 2 | Competitor 3 | Your Company
Company Name
Security Page URL
Trust Center URL
Last Updated (if visible)

Certifications & Compliance

Certification | Competitor 1 | Competitor 2 | Competitor 3 | Your Company
SOC 2 Type I
SOC 2 Type II
ISO 27001
HIPAA / BAA Available
GDPR Compliant
CCPA Compliant
FedRAMP
PCI DSS
Other

Trust Center Content

Element | Competitor 1 | Competitor 2 | Competitor 3 | Your Company
Security Overview / One-Pager
FAQ Section
Privacy Policy
DPA Template
Sub-processor List
Pen Test Summary
Architecture Diagram
Status Page Link
Bug Bounty / VDP

Gating Strategy

Document | Competitor 1 | Competitor 2 | Competitor 3 | Your Company
What's public?
What requires email?
What requires NDA?
What requires being a customer?

Messaging & Positioning

Aspect | Competitor 1 | Competitor 2 | Competitor 3 | Your Company
Headline / Value Prop
Key Differentiators Claimed
Tone (Enterprise/Friendly/Technical)
Specific Metrics Shared
Customer Logos / Testimonials

Gaps & Opportunities

Category | Notes
What do competitors have that you lack?
What do you have that competitors don't mention?
Messaging opportunities (things no one is saying)
Quick wins to match/exceed competitors

Action Items

  • Priority 1: _______________
  • Priority 2: _______________
  • Priority 3: _______________
04

Trust Center Content Checklist

What should be on your trust center, what shouldn't, and what requires an NDA.

Trust Center Content Checklist

Public (No Gate)

Available to anyone visiting your website:

Item | Have It? | Notes
Security overview page | | High-level summary of your security program
Certification badges with dates | | SOC 2, ISO 27001, etc., with report period or expiry/renewal dates
Privacy Policy | | Current, GDPR/CCPA compliant
Terms of Service | | Current version
Acceptable Use Policy | | If applicable
Status page link | | Real-time availability
Security contact email | | security@company.com
Responsible disclosure policy | | How to report vulnerabilities; also publish it at /.well-known/security.txt (RFC 9116)
Sub-processor list | | With notification process
Data Processing Agreement (DPA) | | Template for download
Cookie policy | | Cookie categories and controls

Email-Gated (Lead Capture)

Require business email to access—builds pipeline:

Item | Have It? | Notes
Security one-pager / datasheet | | Concise overview for security reviews
Security FAQ document | | Common questions pre-answered
Architecture overview | | High-level diagram (not detailed)
Encryption whitepaper | | How you protect data
Compliance overview | | Summary of compliance posture

NDA-Required

Sensitive documents shared only after NDA execution:

Item | Have It? | Notes
SOC 2 Type II Report (full) | | Complete auditor report
Penetration test executive summary | | Findings summary, not raw report
Detailed architecture diagram | | Network topology, components
Incident response plan summary | | Process overview
Business continuity plan summary | | DR capabilities
Access control policy | | How you manage access
Vendor security assessment results | | If requested

Customer-Only

Available only to paying customers:

Item | Have It? | Notes
Full security policies | | Complete policy documents
Audit logs access | | Self-service or on request
Dedicated security contact | | Named contact for enterprise
Custom security assessments | | On-demand reviews
Evidence collection portal | | For their audits

Don't Share Without Good Justification

Keep internal—sharing creates risk:

  • Internal security architecture (detailed IP addresses, internal hostnames)
  • Security tool configurations
  • Incident response playbooks (detailed)
  • Employee security training materials
  • Vulnerability scan raw results
  • Internal audit working papers

Trust Center Best Practices

  • Update dates: Show when each document was last updated
  • Version control: Indicate document versions
  • Fast response: NDA requests should be fulfilled < 1 business day
  • Self-service: Reduce friction for public/email-gated content
  • Mobile-friendly: Security reviewers work everywhere
  • Search: Make content findable
  • Analytics: Track what prospects download
05

Security Questionnaire "Offensive Answers"

Transform defensive checkbox answers into competitive positioning statements.

Offensive vs Defensive Answers

The Difference

Defensive answers check the box. They confirm you meet the requirement without adding value.

Offensive answers position you as a leader. They demonstrate maturity, provide context, and create confidence.

Example 1: Encryption

Type | Answer
Defensive | "Yes, we encrypt data at rest using AES-256."
Offensive | "All customer data is encrypted at rest using AES-256 with AWS KMS-managed keys that rotate automatically every year. We chose KMS over self-managed keys to eliminate the operational risk of key loss. Encryption is enforced by account-level policy (default encryption on our storage services plus deny rules for unencrypted writes), so it cannot be switched off by application code or a one-off misconfiguration."

Example 2: Penetration Testing

Type | Answer
Defensive | "Yes, we perform annual penetration testing."
Offensive | "We conduct annual penetration testing through [firm], a globally recognized security firm. Our most recent test (October 2026) covered external infrastructure, the web application, and API endpoints. All critical findings were remediated within 14 days and high-severity findings within 30 days. We also perform targeted security assessments before major releases. Executive summaries are available under NDA."

Example 3: SOC 2

Type | Answer
Defensive | "Yes, we are SOC 2 Type II certified."
Offensive | "We completed our SOC 2 Type II examination in March 2026, covering the Security, Availability, and Confidentiality trust services criteria. Our auditor is [firm], one of the top 10 CPA firms for SOC examinations. Zero exceptions were noted in our most recent report. We chose to include Confidentiality (an optional criterion) because customer data protection is core to our business."

Example 4: Employee Access

Type | Answer
Defensive | "Employee access is restricted and logged."
Offensive | "No employee has standing access to customer data. Production access requires just-in-time approval through Teleport, automatically expires after 4 hours, and is fully logged with session recording. Only 6 employees (Site Reliability + Security) can request access, and they're prohibited from viewing customer data except for documented support tickets. We conduct quarterly access reviews with management attestation."

Example 5: Incident Response

Type | Answer
Defensive | "We have an incident response plan."
Offensive | "Our Incident Response Plan is tested annually through tabletop exercises involving engineering, legal, and executive leadership. Last drill: September 2026. For confirmed breaches affecting customer data, we commit to notifying you within 72 hours of confirmation, which leaves you room to meet your own GDPR Article 33 deadline as the controller. Our mean time to acknowledge security alerts is under 15 minutes. We provide full post-incident reports within 30 days, including root cause analysis and preventive measures."

Example 6: Data Residency

Type | Answer
Defensive | "Data is stored in the US with EU options available."
Offensive | "Customer data residency is configured at the account level during onboarding. US customers default to us-east-1 (Virginia) with automatic failover to us-west-2 (Oregon). EU customers are hosted in eu-west-1 (Ireland) with eu-central-1 (Frankfurt) failover. Data does not cross regional boundaries without explicit consent. We do not use CDNs or edge caching that would replicate customer data globally."

Offensive Answer Formula

  1. Confirm the capability — Yes, we do this
  2. Add specifics — Names, dates, numbers, vendors
  3. Explain the why — Your reasoning shows maturity
  4. Exceed expectations — Go beyond the minimum
  5. Offer evidence — Documentation available on request

Questions That Deserve Offensive Answers

Prioritize these—they're often deal-breakers:

  • Encryption (at rest, in transit, key management)
  • Certifications (SOC 2, ISO, HIPAA)
  • Penetration testing frequency and vendor
  • Employee access to customer data
  • Incident response and breach notification
  • Data retention and deletion
  • Sub-processor management
  • Business continuity / disaster recovery
06

Customer Security Update Email

Annual "here's what we did" email template. Proactive communication builds trust.

Annual Security Update Email

Subject Line Options

  • [Company Name] 2026 Security Year in Review
  • Your Annual Security Update from [Company Name]
  • Security Investments We Made for You in 2026

Email Template

Hi [Customer Name / Team],

As we wrap up [Year], I wanted to share an update on what we've done to strengthen security for [Company Name] customers like you.

Compliance & Certifications

  • Completed our annual SOC 2 Type II examination ([Month Year]) with zero exceptions
  • [Any new certifications: ISO 27001, HIPAA, etc.]
  • Completed annual penetration testing with [Vendor]—executive summary available on request

Platform Security Improvements

  • [Specific improvement, e.g., "Launched SSO support for SAML 2.0 and OIDC"]
  • [Specific improvement, e.g., "Added configurable session timeouts for Enterprise accounts"]
  • [Specific improvement, e.g., "Implemented IP allowlisting for admin access"]

Infrastructure Investments

  • [e.g., "Migrated to encrypted RDS with automated key rotation"]
  • [e.g., "Deployed WAF rules blocking 50M+ malicious requests monthly"]
  • [e.g., "Achieved 99.98% uptime, exceeding our 99.9% SLA"]

Transparency & Governance

  • Updated our Privacy Policy to reflect [changes]
  • Published sub-processor list with 30-day change notifications
  • [Any governance improvements]

Looking Ahead to [Next Year]

We're investing in [upcoming initiatives, e.g., "ISO 27001 certification", "expanded EU data residency options", "customer security dashboard"]. If there are specific security capabilities that would help your team, I'd love to hear about them.

Questions?

Our security documentation is available at [Trust Center URL]. For specific questions or to request our SOC 2 report, reach out to [security@company.com].

Thank you for trusting us with your [data / business / operations]. Security is never "done," and we're committed to continuous improvement.

Best,
[Name]
[Title, e.g., Head of Security / CISO / Founder]
[Company]

Sending Tips

  • Timing: Send in Q1 (Jan-Feb) covering the prior year
  • Audience: All customers, or segment by tier if needed
  • From: Security leader or CEO adds credibility
  • Reply-to: Use a monitored address (not no-reply)
  • Follow-up: Offer 1:1 security review calls for enterprise customers

Metrics to Include (When Impressive)

  • Uptime percentage
  • Questionnaires completed / average turnaround time
  • Vulnerabilities remediated / SLA performance
  • Security training completion rate
  • Incidents contained (if appropriate to share)
  • Employee background check completion rate
07

Security Positioning for Companies That Aren't Perfect Yet

Pre-SOC 2 templates, "in progress" language, and how to position gaps honestly without losing deals.

Honest Positioning Templates

The Reality

Most growth-stage companies don't have SOC 2 Type II, a dedicated security team, or perfect answers to every question. That's okay. What matters is demonstrating intent, progress, and competence—not perfection.

Pre-SOC 2 Positioning

Situation | What to Say
No SOC 2 yet, not started | "We're scoping our SOC 2 Type II audit for [Q# Year]. In the meantime, here's what we do today: [list 3-5 concrete practices]. We're happy to walk through our security controls directly."
SOC 2 audit in progress | "We're currently in our SOC 2 Type II audit with [Auditor], with expected completion in [Month Year]. Our readiness assessment showed no critical gaps. We can share our Type I report or provide a detailed controls walkthrough."
SOC 2 Type I only | "We received our SOC 2 Type I report in [Month Year]. Type II is in progress; the observation period runs through [Month Year]. Type I validates our control design; Type II will validate operating effectiveness over time."
Customer requires SOC 2 but you don't have it | "We understand SOC 2 is important to your evaluation. While we're working toward our report, we can offer: (1) a detailed security questionnaire response, (2) an architecture review call with our engineering lead, (3) references from similar customers who completed security reviews, (4) contractual security commitments."

Positioning Gaps as Roadmap

Gap | Weak Answer | Strong Answer
No dedicated security hire | "We don't have a security team." | "Security is owned by our [CTO/VP Eng] with support from [external vCISO/consultant]. Our first dedicated security hire is planned for [timeline]. Currently, security reviews are handled by [who]."
No pen test yet | "We haven't done a pen test." | "Our first third-party penetration test is scheduled for [Q# Year] with [vendor]. We run continuous vulnerability scanning via [tool] and have remediated [X] findings in the past [timeframe]."
No EU data residency | "We only have US hosting." | "Currently hosted in [US region]. EU data residency is on our roadmap for [timeline]; we're evaluating demand. For EU customers now, we offer a DPA and our sub-processors are GDPR compliant. Happy to discuss your specific requirements."
No SSO yet | "We don't support SSO." | "SSO (SAML 2.0) is in development, targeted for [Q# Year]. Today we offer MFA via authenticator apps, configurable session timeouts, and password policy controls. We can prioritize SSO if it's blocking; let's discuss."
Limited audit logs | "We have basic logging." | "We log [authentication, admin actions, etc.] with [X days/months] retention. Enhanced audit logging with export capabilities is on our roadmap for [timeline]. We can provide log access for specific investigations."

Confidence Without Arrogance

The goal isn't to hide gaps—it's to demonstrate:

  • Awareness: You know what good looks like
  • Progress: You're actively improving
  • Competence: You understand the risks and mitigations
  • Transparency: You'll tell them what you can't do

What You Can Offer Instead of Certifications

  • Live security architecture walkthrough with engineering
  • Detailed written responses to their questionnaire
  • References from customers who completed security reviews
  • Contractual security commitments (indemnification, breach notification SLAs)
  • Access to your security documentation (policies, diagrams)
  • Proof of specific controls (encryption config, access logs sample)

Red Lines: When to Walk Away

Some requirements you can't fake or promise. Be honest about:

  • Certifications you don't have and can't get in their timeline
  • Data residency requirements you can't meet
  • Compliance frameworks (HIPAA, FedRAMP) that require significant investment
  • On-premise deployment if you're SaaS-only

Need Help Positioning?

Sometimes the best positioning comes from having someone in your corner who's sat across the table from enterprise security buyers—and knows what actually moves deals forward.

08

Sales Security Battle Card

Quick reference for sales: common objections, when to escalate, and key talking points.

Sales Security Battle Card

Your Security Story (30 Seconds)

Adapt this to your company:

"We're [SOC 2 Type II certified / pursuing SOC 2], hosted on [AWS/GCP/Azure], with encryption everywhere. Our [CTO/Head of Security] owns security, and we do annual pen testing with [vendor]. I can connect you with them for a deeper dive, or send our security one-pager right now."

Common Objections + Responses

Objection | Response
"We need SOC 2 Type II" | [If you have it] "We have it—I'll send the report under NDA today." [If you don't] "We're in progress, targeting [date]. In the meantime, can we walk through your specific concerns? Most customers find our controls meet their needs."
"We need to complete a security questionnaire" | "Absolutely. Send it over—we typically turn these around in [X] business days. We have pre-written responses for SIG, CAIQ, and most custom questionnaires."
"Our security team needs to review you" | "Happy to support that. I can schedule a call with our [security lead/CTO], or send our security documentation package first. What works better for your team's process?"
"We had a bad experience with a vendor breach" | "I understand—that's why this matters. We haven't had a breach affecting customer data. I can walk you through our incident response process and how we'd handle notification if something did happen."
"Your competitor has [X certification]" | "Certifications are one indicator. I'd encourage comparing actual controls—we're happy to do a side-by-side walkthrough. What specific areas are most important to your team?"

When to Loop In Security/Engineering

Scenario | Action
Customer requests a security call | Schedule with [security contact]. Send them the opportunity context first.
Questionnaire over 50 questions | Route to [security/compliance owner]. Give them [X days] notice.
Customer asks about custom security requirements | Don't commit. Say "Let me check with our team" and escalate to [who].
Any question you're not 100% sure about | Say "I want to give you an accurate answer—let me confirm with our security team."
Request for BAA, custom DPA, or legal docs | Route to [legal/compliance]. Don't negotiate terms yourself.
Customer security team wants peer-level conversation | Consider bringing in external security advisors who can speak peer-to-peer with customer security teams.

What You CAN Say (Safe Answers)

  • "We encrypt all data at rest and in transit"
  • "We're hosted on [cloud provider] with [region] data residency"
  • "We have [SOC 2 / annual pen testing / etc.]"
  • "I can send you our security one-pager / FAQ right now"
  • "Let me connect you with our security team for a deeper conversation"

What You Should NOT Say

  • Don't promise specific SLAs or response times without checking
  • Don't claim certifications you don't have
  • Don't say "we've never had any security issues" (everyone has)
  • Don't commit to custom security features or configurations
  • Don't guess at technical architecture questions

Quick Reference: What to Send

  • Initial interest: Security one-pager
  • Deeper evaluation: Security FAQ + architecture overview
  • Formal review: SOC 2 report (under NDA) + pen test summary
  • Legal review: DPA template, sub-processor list

09

How We Manage Our Vendors

Template for explaining your third-party risk management to customers who ask about your supply chain.

Vendor/Third-Party Security Management

Overview

[Company Name] maintains a vendor security program to ensure third parties handling customer data meet our security standards. This document outlines our approach to vendor assessment, monitoring, and management.

Vendor Categories

Category | Description | Assessment Level
Critical | Handles customer data, provides core infrastructure, or has broad system access | Full security review, annual reassessment
Standard | Accesses internal systems or limited data | Security questionnaire, periodic review
Low Risk | No data access, no system integration | Basic due diligence

Our Sub-Processors

The following third parties process customer data on our behalf:

Vendor | Purpose | Data Processed | Location
[AWS/GCP/Azure] | Cloud infrastructure | All customer data | [Region]
[Stripe/Payment processor] | Payment processing | Billing information only | [Region]
[Support tool] | Customer support | Support ticket content | [Region]
[Add others] | | |

A complete, current list is available in our DPA and at [Trust Center URL].

Vendor Assessment Process

Before onboarding a vendor that will access customer data or critical systems:

  1. Security Review: We require SOC 2 Type II (or equivalent) for critical vendors. For others, we review their security documentation and complete a risk assessment.
  2. Contract Review: Contracts must include data protection terms, breach notification requirements, and right to audit.
  3. Technical Assessment: We evaluate integration security—how data flows, what access is required, and how it's protected.
  4. Approval: [Security lead/CTO] approves critical vendor relationships.

Ongoing Monitoring

  • Annual Reviews: Critical vendors are reassessed annually, including updated SOC 2 reports.
  • Incident Notification: Vendors are contractually required to notify us of security incidents within [24-72 hours].
  • Change Notification: We notify customers [30 days] before adding new sub-processors.

Vendor Offboarding

When we stop using a vendor:

  • Access credentials are revoked immediately
  • Data deletion is confirmed in writing
  • Sub-processor list is updated
  • Customers are notified if required by DPA

What We Require From Critical Vendors

  • SOC 2 Type II or equivalent certification
  • Encryption of data at rest and in transit
  • Data Processing Agreement with GDPR-compliant terms
  • Breach notification within 72 hours
  • Right to audit or third-party audit reports
  • Insurance coverage for security incidents

Bonus

Example Documents

Realistic examples from growth-stage companies. These show honest, confident positioning—not perfection.

10

Security FAQ Example

A comprehensive FAQ covering data security, access control, compliance, incident response, and more.

Security FAQ (Acme SaaS Example)

Note: This is a Realistic Example

This example shows a growth-stage company (~Series A/B) that's actively building their security program. Not everything is perfect—and that's intentional. This is what honest, confident positioning looks like when you're still growing.

Data Security & Privacy

Q: How is my data encrypted?

All customer data is encrypted at rest using AES-256 encryption via AWS's default encryption. Data in transit is protected via TLS 1.2+. We're working toward customer-managed keys (CMK) for enterprise customers—currently on our roadmap for Q3.

Q: Where is my data stored?

Customer data is stored in AWS us-east-1 (N. Virginia). We don't currently offer EU data residency, but it's on our roadmap as we expand internationally. For EU customers today, we offer a DPA and all our infrastructure sub-processors are GDPR compliant.

Q: How long do you retain my data after contract termination?

Upon contract termination, we retain customer data for 30 days to allow for export requests. After this period, data is deleted from production within 14 days. Full purge from backups within 60 days. We can provide deletion confirmation on request.

Access Control & Authentication

Q: What authentication options do you support?

We currently offer email/password with MFA via authenticator apps (TOTP). SSO via SAML 2.0 is in development, targeted for Q2. For now, we can accommodate enterprise customers with strong password policies and required MFA for all users.

Q: How do you manage employee access to customer data?

We follow least-privilege principles. Only our engineering team (5 people) has production access, and it's logged. We're implementing just-in-time access as we grow. Currently, access reviews happen monthly with our CTO. We don't look at customer data without explicit support requests.

Compliance & Certifications

Q: What compliance certifications do you hold?

We're currently in our SOC 2 Type II audit with Prescient Assurance, with expected completion in Q2 2025. We've passed our readiness assessment with no critical gaps. In the meantime, we're happy to walk through our controls directly or share our security documentation. We're also GDPR compliant with a DPA available.

Q: Do you support HIPAA?

Not currently. HIPAA compliance is on our roadmap but not yet implemented. If you have healthcare data requirements, let's discuss your specific needs—there may be architectural approaches that work for both of us, or we can provide a timeline for HIPAA readiness.

Vulnerability Management

Q: How often do you conduct penetration testing?

We completed our first third-party penetration test in Q4 2026. All high/critical findings were remediated within 30 days. We plan to continue annually. Executive summary available under NDA.

Q: How do you handle vulnerability management?

We use Snyk for dependency scanning (integrated into CI/CD) and run infrastructure scans monthly. Remediation targets: Critical within 72 hours, High within 14 days. We're building toward continuous scanning as we grow the team.

Incident Response

Q: What happens if you have a security breach?

We have a documented Incident Response Plan. Our CTO leads response with support from our external security advisor. For confirmed breaches affecting customer data, we commit to notification within 72 hours. We haven't had to use this process for a customer-impacting incident.

Q: Have you experienced any security breaches?

We have not experienced a breach affecting customer data. We've handled routine security events (blocked attacks, phishing attempts on employees) without customer impact. We believe in transparency and are happy to discuss our security history directly.

Business Continuity

Q: What is your uptime SLA?

We offer a 99.5% uptime SLA. Our trailing 6-month actual availability is 99.8%. We're a growing company—a 99.9% SLA is planned once we complete additional redundancy work later this year. Real-time status: status.example.com

Q: What are your RTO and RPO?

Target RTO: 8 hours. Target RPO: 4 hours (daily backups). We've tested backup restoration but haven't done a full DR drill yet—that's planned for this quarter. Backups are encrypted and stored in a separate AWS region.

11

Security One-Pager Example

A concise security overview document. Perfect for initial security conversations and quick reference.

Security One-Pager (Acme SaaS Example)

Note: This is a Realistic Example

This shows a growth-stage company with a strong foundation but honest gaps. Use this as a template—adapt the specifics to your actual state.

GrowthCo — Security Overview

Last Updated: January 2025 | Version: 1.2

Certifications & Compliance

  • SOC 2 Type II — In progress (Expected Q2 2025, Prescient Assurance)
  • GDPR Compliant — DPA available for EU customers
  • CCPA Compliant — California Consumer Privacy Act

Security Testing & Validation

  • Penetration Testing: First test completed Q4 2026 (Cobalt). All critical/high findings remediated within 30 days.
  • Vulnerability Management: Dependency scanning via Snyk in CI/CD. Infrastructure scans monthly. Critical: 72hr, High: 14 days.
  • Dependency Scanning: Automated via Snyk—builds fail on critical vulnerabilities.

Data Protection

  • Encryption at Rest: AES-256 (AWS default encryption)
  • Encryption in Transit: TLS 1.2+ required
  • Data Residency: US (AWS us-east-1); EU residency on roadmap
  • Backup: Daily encrypted backups, 30-day retention
  • DR: 8-hour RTO, 4-hour RPO target; restoration tested, full DR drill planned Q1

Access & Authentication

  • Employee Access: MFA required, role-based access, monthly reviews
  • Production Access: Limited to 5 engineers, logged, no standing access to customer data
  • Customer Auth: MFA available, strong password requirements. SSO in development (Q2)
  • Audit Logging: Authentication and admin actions logged, 90-day retention

Incident Response

  • Monitoring: Datadog + PagerDuty for alerting
  • Response: Documented IRP; CTO-led with external advisor support
  • Notification: Customer notification within 72 hours of confirmed breach
  • Track Record: No breaches affecting customer data

Security Team

  • Ownership: CTO owns security with external vCISO advisory (monthly)
  • Team: 12-person engineering team; dedicated security hire planned this year
  • Training: Security awareness at onboarding; secure coding guidelines documented
  • Background Checks: All employees

Infrastructure

  • Cloud: AWS (us-east-1); no on-premise components
  • Network: VPC isolation, security groups, AWS WAF on public endpoints
  • Containers: Docker on ECS with regular base image updates

Questions? Contact security@growthco.io. We're happy to walk through our security controls directly or schedule a call with our CTO.

Beyond the Templates

Need help positioning your security story? We've helped companies close deals by speaking the buyer's language—because we've been on both sides of that conversation.

Discuss Your Security Goals with Adversis