All Collections
Managing your Trust Center
Trust Center Updates
Trust Center Updates Overview & Example Templates
Trust Center Updates Overview & Example Templates

Easily update your followers about security incidents and new documents

Natalie Novick avatar
Written by Natalie Novick
Updated over a week ago

Trust Center Updates (TCUs) enable an organization to proactively communicate with their subscribers, both customers and prospects, by sharing relevant security-related information. These updates can be sent via email, your Trust Center, or both.

Check out this Blog Post to learn more about the benefits of Trust Center Updates, or this Blog Post to view examples from SafeBase Trust Alliance members.

Types of Trust Center Updates

Compliance

Spotlight new compliance badges or documents uploaded (for example: a new SOC 2, Pentest, GDPR badge, etc.).

Template: Compliance Doc Update - (Short update)

Title: New Compliance Documentation Now Available

Tag: Compliance

Body: We here at [Company] have just completed our latest audit for [ISO / SOC 2] [certification / compliance]! Documentation is now available in our Trust Center at https://trust[.]yourcompany[.]com


Template: SOC 2 Update

Title: New SOC 2 Report Now Available

Tag: Compliance

Body: Our SOC 2 Type 2 report for the period of [date] to [date] is now available through our Trust Center.

Completion of the SOC 2 Type 2 audit demonstrates [Company]’s continued commitment to the security of our [Product name] product and that of our overall security posture.

Template: ISO Certification

Title: New ISO Certification

Tag: Compliance

Body: [Company] has recently achieved certification in ISO 27001, with our most recent certificate available for review in our Trust Center. ISO 27001 demonstrates our commitment to meet and exceed international information security standards.

More information is available here: [link to a public blog post and/or news article about the specific ISO certification, what it means, etc.]

Template: Privacy Notice

Title: Privacy Compliance Update - [Specific privacy law/reg here]

Tag: Compliance

Body: [Company] has conducted a full review of [the specific privacy law or regulation you’re choosing to highlight] and ensured that we are fully compliant.

Full details regarding how [Company] handles customer data are always available through our Privacy Policy at https://www[.]yourcompany[.]com/privacy

Template: SOC 2 In Progress

Title: SOC 2 Audit In Progress

Tag: Compliance

Body: [Company] has just begun our annual SOC 2 Type 2 audit process. SOC 2 Type 2 compliance is an important part of how we attest to our security program’s strength here at [Company].

As we work with [the independent auditing firm] to articulate the various aspects of our security posture, we are happy to provide a bridge letter for any customers conducting vendor reviews during this time.

Vulnerabilities

Inform customers about critical vulnerabilities in your application to encourage them to update as necessary.

Template: Vulnerability Advisory

Title: Vulnerability Advisory - [Company] [Product name]

Tag: Vulnerabilities

Body: [Company] recently discovered, through disclosure, that vulnerabilities exist within the [Product name] product. These vulnerabilities were brought to light through [background on how these were disclosed: bug bounty, hacking competitions, security research, etc.]. Links to additional information are below:

https://www[.]vulnerabilityinfo[.]com/yourinfohere

Action has already been taken by [Company] to remediate and patch these vulnerabilities. The purpose of this advisory is to keep our customers informed and aware of changes to our product, most importantly updates to the security of [Product name]. Additional testing has shown that these vulnerabilities no longer exist.

[Company] appreciates the efforts of those that helped with this responsible disclosure.

Incidents

Impact and remediation after an incident. Companies that are more transparent during incident response are more likely to maintain trust with customers after an incident. This label has also been used to provide statements on external vulnerabilities affecting commonly used software (for example: Log4j, OpenSSL, etc.).

Template: Incident - Company Not Impacted - No Data Compromise

Title: [Company] Not Impacted by [Incident name]

Tag: Incidents

Body: On [exact date Company learned of incident], [Company] became aware of the [Incident name] security incident. Reputable threat intelligence sources have reported that this incident impacts [threat surface details here - link to relevant CVE, if available].

We want our customers to know that [Company] is not impacted by this vulnerability.

We do not leverage this technology/software within our product and therefore the confidentiality, integrity, and availability of our systems remain unharmed.

Template: Incident - Company Impacted - Potential Data Compromise

Title: [Company] Update - [Incident name]

Tag: Incidents

Body: On [exact date Company learned of incident], [Company] became aware of the [Incident name] security incident. Reputable threat intelligence sources have reported that this incident impacts [threat surface details here - link to relevant CVE, if available].

[Company] maintains a number of security measures to monitor, investigate, and immediately respond to any and all incidents which may occur. Such measures allow us to control the impact and triage effectively. In the case of [Incident name], [in bold font - details regarding potential impact of incident against company data].

We will be sharing more updates as soon as they are available and as remediation efforts are ongoing.

[The last paragraph and/or statement should be language regarding next steps to be taken - perhaps when to expect the next update]

Subprocessor

Share new subprocessors that have been added, removed, or updated. Many data processing agreements require vendors to notify customers of changes in subprocessor usage.

Template: New Subprocessor Added

Title: [New Subprocessor name] - Subprocessor Added

Tag: Subprocessors

Body: As we work to continuously improve our product line and streamline our infrastructure, [Company] will now be engaging with [New Subprocessor name] to [describe service delivered here].

This serves as notice that [New Subprocessor name] is now a subprocessor of [Company].

Name: [New Subprocessor name]
Location: [country of service provided]
Website: subprocessorName[.]com
Purpose: [brief description of service to be delivered by new subprocessor]
DPA Signed: [Yes / No]
Third-Party Risk Evaluation Completed: [Yes / No]

This new subprocessor will be live as of [date of future service]. Please contact us with any questions or concerns.

Template: Existing Subprocessor Removed

Title: [Existing Subprocessor name] - Subprocessor Removed

Tag: Subprocessors

Body: In an effort to remain transparent with business partners and customers, [Company] is relaying this subprocessor removal notice to declare in our subprocessor list. We no longer rely on the services of [existing Subprocessor name] as of [past date of removal, if applicable].

This serves as notice that [existing Subprocessor name] is no longer within our subprocessor list.

To see the full list of our subprocessors, please visit the Legal card within our Trust Center (link).

General

These include announcements after a Trust Center goes live, and program promotions (such as for bug bounty programs), among others.

Template: Launch of Trust Center

Title: Welcome to the [your company name] Security Trust Center

Tag: General

Body: As an organization that is security conscious and values security, we are excited to announce the official launch of the [your company name] Security Trust Center. By using this portal, you can request access to our compliance documents, review our standardized questionnaires such as the SIG and gain a general understanding of our security posture.

Over time, our team will be making changes to this portal as we implement new tools and processes in our environment. You can use the Subscribe button to receive email notifications for when our team has an important update, such as if we have an updated compliance report or if we have a status update regarding a major security vulnerability that has been recently discovered.

-The <YOUR COMPANY NAME> Security Team


Helpful Trust Center Update Articles

Did this answer your question?