As the sheer quantity of technology we use daily continues to grow, so does the importance of ensuring that technology is secure. Businesses have taken up this challenge in a variety of ways, from sending out security questionnaires to requiring formal review processes before buying software.
We’re seeing an evolution from security as a cost center to an actual feature of your product, and like all features, customers want to understand how good it is (something we recently discussed in a webinar). As such, companies are publishing high-level information about their security practices on their marketing website, throughout their blog, and beyond, because buyers increasingly want to educate themselves through self-serve content and resources.
The rise of this content has led to the creation of Security Pages & Trust Centers—web pages designed to build trust with customers & prospects, and share InfoSec credentials with those interested in learning more. We reviewed hundreds of these pages and we’re sharing a few of our favorite Trust Centers, so you can get inspired to claim yours & start building.
Centrally locating the details of a security program provides both internal and external team a single source of truth for all security information. Security-driven buyers can self serve relevant information, ultimately saving your team’s time and the buyer’s time.
With some more technical love from the Figma security team, these pages could be transitioned from a marketing-driven security overview into a robust security overview.
It is obvious to our team that Fastly is aiming to be a leader when it comes to security. Easy access, detailed information, and positioning the security program throughout the entire marketing website are some key strengths for Fastly’s security program. The team at Fastly highlights the details of their security program in a Trust link within the footer of their site, including specific details on the Security & Compliance, Privacy, Legal Terms, and Corporate Values at Fastly. With security-focused marketing pages throughout the website, it is obvious that Fastly’s security program is robust and intensive, even including blog posts specifically dedicated to security topics.
While the information Fastly provides was thoroughly dispersed throughout their site, it felt at times like a maze that we were struggling to navigate. Additionally, Fastly’s pages lacked some key details that other security pages we reviewed showed strength in, including a way to contact Fastly regarding their security program, robust FAQs, and a way to securely host and share more detailed resources that could reduce the barriers for prospects.
Calendly is on our list with a link to their Security & Privacy page easily discoverable in their website footer. The page details their security achievements, including SOC 2 Type 2, PCI, GDPR, and CCPA Compliance. The page makes a variety of key security resources easily accessible, including a Security White Paper, Status Page, Sub-Processor List, and the Calendly help center.
Overall, the structure and accessibility of the page is what landed this one on our list. The clearly documented and technically sound content meant a great high-level understanding of Calendly’s policies. While we’d love to see a more dynamic page with searchable content & the ability to request more information, Calendly certainly impressed us!
The only thing we were left wondering on OwnBackup’s site is how we might request a security review so we can sign up and start using the product with our InfoSec team’s approval!
As a data-services company, it was no surprise to us that DataBricks knocked it out of the park with their Trust communication on every page of their site. Their Security & Trust Center is linked clearly and prominently on their product navigation menu. The publicly available information they provide is abundant, detailed, well organized, and interactive with a solid balance of “marketing-speak” without compromising on detailed security information.
We were impressed with their due diligence package, security addendum, and architecture diagram which all highlight outstanding detail and a serious dedication to security. As the Trustpage solution continues to grow, we’ll look to benchmarks like DataBricks to ensure that we’re continuing to accommodate even the most cutting-edge companies’ Trust Center management.
Providing security information on your marketing website is a great first step towards leading with trust. DIY trust pages demonstrate to customers and prospects that your company is dedicated to transparent communication about your security policies and posture. While it is better than no mention of security, we still see a few common issues with DIY pages related to security postures.
Without specific details like links to incident response plans, PenTesting reports, system availability controls, and sub-processors—you aren’t giving customers and prospects a full picture. Highlighting your security program can get folks in the door, but won’t contribute to your ability to pass security review more quickly.
Marketing websites are designed for just that purpose—to market your product to potential customers. Dispersing security information and language throughout the site works wonders in building prospect trust as they browse, but doesn’t provide a single source of truth for someone to reference your security posture or search for answers to their questions.
Your internal teams are often looking for answers to their own questions about your security posture, and prospective customers too are searching for answers to their questions on your site before you even know they exist. Without a centralized location, it can be difficult for internal and external teams to understand & search your security information from the top-down.
Even with the rise of these marketing pages, it is not common that they are sufficient to satisfy technical teams confidence in your products’ security. Security reviews are still occurring for these organizations, and their marketing website is not aiding in the process of speeding up those reviews.
Most DIY security pages don’t allow for self-serve requests, or automate any processes like questionnaire completion or security review management. They provide a static overview of company security postures, and fail to integrate deeply into your sales cycle or workflows.
With a Trustpage Trust Center, security teams gain access to a simple, central hub to build trust and share security docs before, during, and after the sales cycle. Satisfy your marketing team with opportunities for brand customization, but retain control of the language and documentation you’re publishing to represent your security posture.