
    What documents should a SaaS trust center include?

    A trust center is only as useful as the documents inside it. Buyers do not visit your security portal to read marketing copy — they come to verify specific claims about how you handle data, manage risk, and respond to incidents. If the document they need is missing, the review stalls and your sales team spends the next three days chasing an email thread. The good news is that most SaaS companies already own the majority of these documents. They live in compliance folders, insurance binders, and shared drives. The job is to curate them, decide what is public and what is gated, and present them in a format procurement teams can navigate in under five minutes. This guide lists every document buyers expect to find, separates public artefacts from NDA-gated ones, and gives you a checklist you can hand to your security lead today.

    SOC 2 Type 2 report

    The SOC 2 Type 2 report is the most-requested document in B2B vendor reviews. It covers the Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy — over a minimum six-month observation period. Buyers want to see that an independent auditor has validated your controls, not just that you wrote a policy saying you have them.

    If your observation period is still running, publish the SOC 2 Type 1 report plus a bridge letter from your auditor confirming the Type 2 is in progress. Update the trust center immediately when the Type 2 is issued. The report itself should always be NDA-gated because it contains detailed control descriptions that could help an attacker map your environment.

    ISO 27001 certificate

    ISO 27001 is the global standard for information security management systems. It signals to international buyers — especially in Europe, Asia, and regulated industries — that you operate under a certified risk-management framework. The certificate itself is a short document (usually one or two pages) naming the scope, the certifying body, and the validity period.

    Publish the certificate publicly. It is a marketing asset as much as a compliance one, and buyers often look for it before they even request a demo. Keep the certificate current; an expired ISO certificate is worse than no certificate because it signals neglect.

    Data Processing Agreement (DPA)

    The DPA defines how you process personal data on behalf of customers, including subprocessor authorizations, data residency commitments, deletion obligations, and breach-notification SLAs. GDPR-aware buyers in the EU and privacy-conscious buyers in the US both treat the DPA as a deal-critical document.

    Publish the DPA publicly. Buyers want to review it before they engage legal, and making it self-serve removes a common friction point. If you offer a standard DPA and a GDPR-specific addendum, publish both and label them clearly. Include the effective date and a changelog so returning buyers can spot what changed.

    Subprocessor list

    A subprocessor list names every third party that touches customer data — hosting providers, CDNs, analytics services, email delivery, error trackers, and any AI or ML services with data access. For each subprocessor, include the company name, the purpose (e.g., "hosting infrastructure"), the location of data processing, and whether a DPA is in place.

    Make the subprocessor list public. Enterprise procurement teams run due diligence on subprocessors independently, and hiding the list creates suspicion. Update it within thirty days of adding or removing a subprocessor, and send an email notification to existing customers if your contracts require it.

    Security policies and procedures

    Buyers expect to see evidence that security is operational, not theoretical. Publish high-level summaries of your key policies: information security, access control, acceptable use, incident response, business continuity and disaster recovery, vulnerability management, and secure software development.

    Each policy summary should be two to three paragraphs written in plain English. Avoid copying full policy documents verbatim — they are unreadable and often contain internal detail buyers do not need. Gate the full policy PDFs behind an NDA if they contain specific control implementations, role names, or vendor configurations.

    Penetration test summary

    A penetration test summary shows that you hire external security professionals to attack your own systems and that you remediate the findings. The summary should include the test date, the scope (what was tested), the firm that conducted it, the severity breakdown of findings, and a statement that all critical and high findings were remediated.

    Gate the full penetration test report behind an NDA. The full report contains specific vulnerabilities, exploit paths, and timelines that are dangerous in the open. The summary, however, can be public — it answers the buyer's core question ("Do you pen test?") without exposing attack surface. Update the summary after every new test cycle.

    Cyber insurance certificate

    Cyber insurance demonstrates financial resilience in the event of a breach. Buyers — especially in financial services, healthcare, and enterprise SaaS — want to know that a covered incident will not bankrupt your company and leave them without a vendor.

    The certificate should state the policy limits, the coverage period, the insurer, and the categories covered (network security liability, privacy liability, regulatory defence, and crisis management). Gate the certificate behind an NDA if it contains specific policy numbers or premium details, though many teams publish a redacted version publicly. Either way, keep it current; an expired certificate signals the same risk as no certificate.

    Data residency and hosting details

    Data residency is increasingly a first-round question. Buyers in Germany, France, Switzerland, Australia, and Canada often have legal or contractual requirements that customer data never leaves national or regional borders. Even US buyers sometimes require US-only hosting for sensitive workloads.

    Publish a short data-residency statement publicly. State your primary hosting region, any failover regions, whether customers can request a specific region, and how you prevent cross-border replication for restricted data. If you use a multi-tenant architecture, clarify whether data is logically or physically separated. If you offer EU-only hosting, say so explicitly — it is a competitive advantage in GDPR jurisdictions.

    Incident response and security contact

    Every trust center needs a visible security contact. Buyers want to know they can reach a human if they discover a vulnerability, see suspicious activity, or need to report a breach. Publish a security@ email address, a responsible disclosure policy, and (if applicable) a PGP key or encrypted contact form.

    The responsible disclosure policy should be public. It tells researchers how to report issues, what you consider in-scope, your SLA for acknowledgement, and your safe-harbour terms. A clear disclosure policy encourages white-hat reports and reduces the chance of a researcher going public before you have time to patch.

    Public vs NDA-gated: how to decide

    The rule of thumb is simple: if a document contains specific technical controls, risk findings, financial data, or detailed audit evidence, gate it. If it is a certification, a high-level policy summary, a legal addendum, or a contact method, make it public.

    Public documents build trust and accelerate self-serve reviews. NDA-gated documents protect sensitive detail while still showing buyers that you have the evidence. The worst mistake is making everything public (leaking attack surface) or gating everything (looking like you have nothing to share). A balanced trust center has roughly 40% public content and 60% gated content by document count, though the ratio varies by industry and company stage.

    Quick checklist

    • SOC 2 Type 2 report (or Type 1 + bridge letter) — NDA-gated
    • ISO 27001 certificate — public
    • Data Processing Agreement (DPA) and GDPR addendum — public
    • Subprocessor list with names, purposes, locations and DPA status — public
    • Information security policy summary — public; full policy — NDA-gated
    • Access control, acceptable use, and incident response policy summaries — public
    • Business continuity / disaster recovery policy summary — public
    • Vulnerability management and secure SDLC summaries — public
    • Penetration test summary (date, scope, firm, severity breakdown) — public; full report — NDA-gated
    • Cyber insurance certificate or redacted proof of coverage — public or NDA-gated
    • Data residency statement with primary region, failover, and customer choice — public
    • Responsible disclosure policy with scope, SLA, and safe-harbour terms — public
    • Security contact email (security@) and optional PGP key — public
    • All documents dated, versioned, and assigned an owner for quarterly refresh
