In recent years, the information security industry has seen an explosion of public-facing Trust Centers from B2B SaaS organizations. Much of this can be attributed to the rise in cumbersome security questionnaires from GRC teams, and an ever-increasing number of data breaches. Companies have realized they need a way to communicate about Trust and Security with their customers.
Since launching, SafeBase has helped hundreds of companies launch public Trust Centers to help streamline the sales process and maintain trust with customers. In this post we’ll be highlighting some best practices from a few of our favorite Trust Centers from members of the SafeBase Trust Alliance.
Asana: Improving customer self-service with a public Knowledge Base
Company Description: Founded in 2008, Asana is a leading product and project management tool, allowing organizations to easily collaborate across teams and departments.
Best Practice: Asana’s GRC team has configured certain questions to be visible in their public-facing Knowledge Base. Certain questionnaires such as the CAIQ were designed to be public and do not always need to be gated behind an NDA. With Asana’s public Knowledge Base, Asana customers can quickly review CAIQ responses without having to request access. In addition, the team has made specific questions about their API security easily searchable for prospects who may just be casually evaluating the platform. In general, we always recommend making as much of your Trust Center content public as possible to increase a viewer’s ability to self-serve. A win-win for building trust and closing deals faster!
Crossbeam: Leveraging industry standard security questionnaires to save time
Company Description: Founded in 2018, Crossbeam is a partner ecosystem platform that helps companies build more valuable partnerships. It acts as an escrow service for data, allowing companies to find overlapping customers and prospects with their partners, while keeping the rest of their data private and secure.
Best Practice: Crossbeam’s security team has completed several standardized security questionnaires that customers can request access to. In particular, the CAIQ, SIG, and VSA are available. As we detailed in a blog post, standardized questionnaires are a great way both to be transparent with customers and to reduce the likelihood of customized questionnaires. In fact, several questionnaire portals allow imports of these standardized formats, as many custom questionnaires are just slightly modified versions of a SIG.
Inductive Automation: Using Trust Center Updates to keep customers informed about the latest developments
Company Description: Founded in 2003, Inductive Automation provides customers with SCADA software and industrial automation solutions.
Best Practice: Inductive Automation’s team uses the Trust Center Updates feature to keep customers up to date on a variety of topics, ranging from new security updates for the Ignition platform to responses to major vulnerabilities such as CVE-2022-3786 that affected OpenSSL last year. These updates can be used to keep your customers up to date on the latest versions of your software, and can be a vital communication tool for when the next Heartbleed/Log4Shell vulnerability is disclosed.
Treasure Data: Showcasing internal security policies to provide assurance around internal controls
Company Description: Founded in 2011, Treasure Data provides customers with powerful and user-friendly tools to manage large data sets and gain meaningful insights.
Best Practice: Being transparent about internal policies helps organizations like Treasure Data build immediate trust with prospective buyers. Treasure Data’s team has made many of their internal security policies available for customers to request. Questions about policies make up a significant amount of the due diligence process in third-party risk evaluations. In this author's experience, most GRC teams do not always read a vendor’s policies end to end, but primarily want to verify that they exist and are enforced. Depending on your organization’s risk level, you can also decide to share redacted policies, or even a table of contents listing out all the different policy names. The key here is that customers want to ensure that security controls are documented and agreed upon by third-party employees.
Ramp: Adding custom items for comprehensive document sharing
Company Description: Founded in 2019, Ramp is a financial automation platform that helps organizations save time and money through streamlined expense management, corporate cards, and more.
Best Practice: Ramp’s team used our Custom Items feature to upload documents that are not necessarily security related, but are still useful for customers. For example, customers can find an Email Integration Security Brief that is specific to Ramp’s product. You may also want to share supplementary documents like this that can provide more information to your customers as they are considering implementing your solution. Ramp also provides its W-9 Form in its Trust Center. Although this is not a security or privacy document, it is still commonly requested during the evaluation process, further allowing Ramp’s team to speed up the sales process.
Join the SafeBase Trust Alliance for more best practices
These are just some of the great Trust Centers that our team has spotted over the past few months.
If you already have a SafeBase Trust Center, join the SafeBase Trust Alliance! The Trust Alliance is the leading community for trust-minded organizations. Members recognize the importance of maintaining rigorous security programs while also proactively communicating trust updates with stakeholders. Joining is a great way to learn best practices like the ones featured here.
SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers, including streamlining the NDA signing process by integrating with your CRM and your data warehouse.