TRUST CENTER THESIS · #4

Security Demystified

SOC 2, ISO 27001, trust centers, pen tests — a plain-language guide to what evaluators actually care about and what you actually need.

If you're a founder or CTO at a B2B SaaS company, you've probably had this experience: a prospect's security team sends you a questionnaire, and half the questions reference frameworks you've heard of but never read. SOC 2 Type II. ISO 27001 Annex A. NIST CSF. HIPAA Business Associate Agreements.

The security compliance industry has a jargon problem. It creates an artificial barrier between "companies that understand security" and "companies that do security but can't communicate it." Most B2B startups are in the second category. They encrypt data, they manage access, they have incident response plans — they just can't map their practices to a framework-specific vocabulary.

This guide cuts through the jargon. No certifications required to read it.

The Frameworks, Decoded

SOC 2 (System and Organization Controls 2)
An AICPA audit framework, built on the Trust Services Criteria, that checks whether you handle customer data responsibly. Type I = "the right controls were designed and in place on a given date." Type II = "those controls operated effectively over an observation period," typically 6-12 months (a first Type II often covers 3).
Who needs it: B2B SaaS selling to US companies

ISO 27001 (Information Security Management)
An international standard for building and operating an information security management system (ISMS); Annex A is the catalogue of controls you select from and justify in a Statement of Applicability. More prescriptive about management structure than SOC 2. Required for many EU and APAC enterprise deals.
Who needs it: Companies selling internationally

HIPAA (Health Insurance Portability and Accountability Act)
US healthcare data protection law. If your software touches protected health information (PHI), you sign a Business Associate Agreement (BAA) with each covered-entity customer and implement the Security Rule's administrative, physical and technical safeguards.
Who needs it: Healthtech & healthcare SaaS

GDPR (General Data Protection Regulation)
EU privacy law that governs how you collect, process, and store personal data of people in the EU/EEA. Requires a Data Processing Agreement (DPA, Article 28) between controllers and processors.
Who needs it: Anyone with EU users or customers

NIST CSF (Cybersecurity Framework)
A voluntary US framework organized, since version 2.0 (2024), around six functions: Govern, Identify, Protect, Detect, Respond, Recover. There is no CSF certification; it is a self-assessment structure, and useful as an organizing principle even if you pursue no formal certification at all.
Who needs it: US companies, especially government-adjacent

SCF (Secure Controls Framework)
A meta-framework that maps controls across SOC 2, ISO, NIST, HIPAA, GDPR, and 100+ other frameworks simultaneously. Answer once, map everywhere.
Who needs it: Companies facing multiple frameworks

The Jargon Decoder

Security evaluators use specific terms that mean specific things. Here's a translation table:

Pen test
Someone you hired tried to hack your system and wrote a report about what they found. Annual pen tests are expected by most enterprise evaluators. They read the scope, the methodology, the date, and the remediation status of each finding; a report with findings that were fixed reads better than a suspiciously clean one.
Encryption at rest
Your stored data is encrypted on disk, in practice AES-256 handled by the cloud provider. Whether it is on by default depends on the service, so check before you claim it: S3 has applied server-side encryption to new objects since January 2023, but RDS storage encryption is chosen when an instance is created and cannot be switched on afterward (you snapshot, copy the snapshot encrypted, and restore), and EBS "encryption by default" is a per-region account setting that is off until someone enables it.
Encryption in transit
Data moving between systems is encrypted. HTTPS (TLS) on your public site covers the browser hop, and nearly every modern SaaS has that. Evaluators also ask about the hops they can't see: app to database, service to service, webhooks to third parties. Many managed databases accept TLS but do not require it until you turn enforcement on, so "we use TLS" should mean "TLS is required," not "TLS is available."
MFA / 2FA
Multi-factor or two-factor authentication. Users prove identity with something beyond a password (authenticator app code, hardware key, passkey). Evaluators check whether your team uses it everywhere, whether you offer it to customers, and increasingly whether the factor is phishing-resistant (hardware keys and passkeys are; SMS codes are not).
Subprocessors
Third-party services that process your customers' data. AWS, Stripe, Twilio: if they touch customer data, they're subprocessors. You need a list of them with data types and locations.
DPA
Data Processing Agreement. A legal contract that defines how you handle a customer's data. Required by GDPR (Article 28). Many evaluators want one even outside the EU now.
BAA
Business Associate Agreement. HIPAA's version of a DPA. If you handle PHI, you need one with your customer (the covered entity) and with every subcontractor that handles PHI on your behalf.
Incident response plan
A written document describing what you do when something goes wrong. Who gets paged. How you communicate to customers. How you preserve evidence. Having one matters more than it being perfect.
RBAC
Role-Based Access Control. Users get permissions based on their role, not individually. "Engineers can access staging. Only admins can access production." Most identity providers and cloud consoles support it; what evaluators want to see is the written role definitions, that production access is a separate and smaller role, and that membership is reviewed on a schedule.
SSO
Single Sign-On. Employees log in with their company identity provider (Okta, Microsoft Entra ID, formerly Azure AD) instead of separate passwords. Enterprise evaluators expect it. It's also a common upgrade trigger for SaaS pricing.

What Evaluators Actually Care About

When a security team evaluates your company, they're not reading every control in order. They're checking a mental hierarchy:

Security Evaluation Priority Stack

Data handling (95%): Where's my data? Who can access it?
Certifications (85%): SOC 2? ISO? Current or expired?
Incident response (80%): What happens when something breaks?
Access controls (75%): Who has access to what? How is it managed?
Vendor management (65%): Who are your subprocessors?
Business continuity (55%): Backups? DR plan? Uptime SLA?
Employee security (45%): Background checks? Training? Device mgmt?

The percentages represent how often each category is among the first things an evaluator checks. Data handling and certifications are near-universal. Employee security training, while important, is rarely the deciding factor.

"I evaluate 15-20 vendors per quarter. I spend about 20 minutes on each initial review. If I can't find the SOC 2 status, data residency, and subprocessor list within 5 minutes, that vendor moves to the bottom of the pile."

— Security Analyst, Fortune 500 (anonymized)

Trust Center vs. SOC 2 vs. Questionnaire

These three things are often confused. They're different tools that serve different functions:

Format: trust center = public web page; SOC 2 report = private PDF, written by the auditor; questionnaire = spreadsheet or form.
Who creates it: trust center = the vendor; SOC 2 report = an independent auditor; questionnaire = the evaluator sends the questions, the vendor answers.
Update frequency: trust center = continuous (if maintained); SOC 2 report = annual; questionnaire = per deal (one-off).
Audience: trust center = anyone (public or gated); SOC 2 report = specific evaluators (NDA often required); questionnaire = one evaluator per instance.
Cost to maintain: trust center = $150-$350/mo (or free); SOC 2 report = $30K-$100K/year in audit fees; questionnaire = 4-8 hours per response.
What it proves: trust center = current posture plus evidence links; SOC 2 report = controls were tested by a third party; questionnaire = the vendor can answer specific questions.

A trust center doesn't replace a SOC 2 report. It complements it. The trust center answers the 80% of questions that don't require auditor verification. The SOC 2 provides the independent assurance. Together, they reduce questionnaire volume by 60-80% because evaluators can self-serve the answers they need.

The Minimum Viable Security Posture

If you're a B2B SaaS company and you're not sure where to start, here's the minimum viable security posture that will satisfy most evaluators:

1. Encrypt everything

TLS for data in transit, required on internal hops (app to database, service to service) and not just on the public site. AES-256 for data at rest. GCP and Azure encrypt managed storage by default; on AWS, S3 is encrypted by default but RDS and EBS encryption are settings someone has to have turned on. Verify, then document what you actually found.

2. Enforce MFA internally

Every employee account, email, cloud console, code repos, should require multi-factor authentication, including the cloud root or owner account. Prefer hardware keys or passkeys over SMS codes. This is the single highest-impact security control you can implement.

3. Write an incident response plan

One page is enough. Who gets notified. How you communicate to customers. What you do first. Having a plan, even an imperfect one, puts you ahead of 70% of startups.

4. Maintain a subprocessor list

A spreadsheet listing every third-party service that touches customer data: name, purpose, data types, location. Update it when you add a new service. Evaluators always ask for this.

5. Publish a trust center

Make all of the above visible. A public page that shows your security controls, links to your policies, and displays verification dates. Evaluators who can self-serve won't need to send questionnaires.
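Steps 1 and 2 both say "verify, then document," and the "Encryption at rest" entry above warns that cloud defaults vary. The script below is an added example, not code from this article or from INeedTrust, of what that verification looks like on AWS: it reads the output shape of `aws rds describe-db-instances`, `aws ec2 describe-volumes` and `aws iam get-credential-report` and lists every RDS instance and EBS volume that is not encrypted and every console user (root included) without MFA. The inputs are constructed samples with a few columns only; the real credential report is base64 in the API response and carries more columns, which the check ignores.

```python
"""Added example (not the article's own code): a self-check for the first
two checklist items, storage encrypted at rest and MFA on every human account.
Inputs are constructed samples shaped like AWS CLI output; in real use you
would pipe the live command output in instead."""
import csv
import io
import json

# Constructed sample of `aws rds describe-db-instances` (subset of fields).
SAMPLE_RDS = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "prod-app", "Engine": "postgres", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql", "StorageEncrypted": False},
]})

# Constructed sample of `aws ec2 describe-volumes` (subset of fields).
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "State": "in-use"},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False, "State": "available"},
]})

# Constructed sample credential report, keeping only the columns read below.
# The real report has many more (key rotation dates, cert columns, ...).
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""


def unencrypted_rds_instances(describe_json: str) -> list[str]:
    """RDS storage encryption is fixed at creation time, so any instance
    listed here needs a snapshot-copy-restore migration, not a checkbox."""
    data = json.loads(describe_json)
    return sorted(db["DBInstanceIdentifier"] for db in data["DBInstances"]
                  if not db.get("StorageEncrypted", False))


def unencrypted_volumes(describe_json: str) -> list[str]:
    """EBS 'encryption by default' is a per-region account setting; volumes
    created before it was enabled stay unencrypted and show up here."""
    data = json.loads(describe_json)
    return sorted(v["VolumeId"] for v in data["Volumes"] if not v.get("Encrypted", False))


def users_without_mfa(report_csv: str) -> list[str]:
    """Human accounts are those that can log in to the console
    (password_enabled == true). The root account reports 'not_supported'
    for password_enabled but always has a password, so it is checked too.
    Access-key-only identities such as CI users are not console users and
    are deliberately left out of this list."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_human = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if is_human and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def posture_findings(rds_json: str, volumes_json: str, report_csv: str) -> dict[str, list[str]]:
    """One dict to paste into the evidence for the trust center; empty lists
    mean 'encrypted at rest, MFA everywhere' is actually true for this account."""
    return {
        "unencrypted_rds": unencrypted_rds_instances(rds_json),
        "unencrypted_ebs": unencrypted_volumes(volumes_json),
        "console_users_without_mfa": users_without_mfa(report_csv),
    }


if __name__ == "__main__":
    findings = posture_findings(SAMPLE_RDS, SAMPLE_VOLUMES, SAMPLE_CREDENTIAL_REPORT)
    for check, items in findings.items():
        print(f"{check}: {'OK' if not items else ', '.join(items)}")
```

To run it against a real account, replace the samples with the output of `aws rds describe-db-instances --output json`, `aws ec2 describe-volumes --output json` and, for MFA, `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`. The point of the script is the two edge cases a spreadsheet answer tends to miss: the root account, which never appears as a normal user, and the single leftover unencrypted volume or database that makes "everything is encrypted" false.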

The Pattern

Notice that most startups already do steps 1-4. They encrypt data. They use MFA. They have some incident process. They know their subprocessors. The gap is step 5 — making it visible. The security posture exists; the documentation infrastructure doesn't. That's a legibility problem, not a security problem.

Why the Jargon Exists

Security jargon isn't arbitrary. It exists because precision matters in security — "encryption" could mean five different things, and the wrong one could be a compliance violation. The problem isn't the vocabulary itself. It's that the industry has created a priesthood around the vocabulary that gatekeeps participation.

If you need SOC 2 to do business, the audit firms benefit from the process being complex. If you need ISO 27001, the consultants benefit from the certification being expensive. If you need a trust center, the vendors benefit from enterprise-only pricing.

The structural incentive at every level is to make security compliance harder than it needs to be. Not because the underlying concepts are hard — a 10-person startup can have excellent security practices. But because complexity creates consulting revenue.

"The best security teams I've evaluated are at 15-person startups where the CTO personally owns the security posture. They lack the vocabulary but they have the practices. The worst are at 500-person companies that outsourced everything to a GRC tool and can't explain their own controls."

— Former security evaluator (anonymized)

The Thesis

Trust is proven, not claimed. Security demystified means making the proof accessible to everyone — not just companies that can afford $50K/year in consulting and tooling. The practices exist at every company size. The infrastructure to make them visible doesn't. That's the gap.

Next in the series: how AI is reshaping enterprise security — honestly.

By Anton Lissone · Trust Center Thesis #4 · INeedTrust 2026