It's well-known that trust is one of the biggest factors in conversions and customer loyalty. You could have an excellent product and service, but if people don't trust you, then it's unlikely that they will do business with you. So, customers coming to your site want to know that you are a trusted brand protecting their data and privacy.
That's where a security page steps in. It's one page on your site where customers can see all the steps you've taken to protect their info—compressed and ready to build trust. Here are the steps to creating a well-structured security page that follows industry best practices, with examples of how other vendors take each step.
Step 1. Share a way to report vulnerabilities
Provide one or more ways to report vulnerabilities, and tell users about your disclosure policy and vulnerability management program.
Bug bounty program
Bug bounty program, support contact page
Third-party solution and email
Step 2. Showcase compliance certifications, attestations, regulations
Display badges for the security frameworks, attestations, and privacy regulations you comply with, or highlight the most significant ones with brief descriptions and links to reports and detail pages.
ISO, SOC 2 Type 2, SOC 3, APEC, CSA
SOC 2 Type 1 and 2
ISO, SOC 2 Type 2, HIPAA, PCI DSS, CSA STAR
Step 3. Highlight access and identity control features
Inform users about access and identity control capabilities such as SAML-based single sign-on and two-factor authentication.
2FA, SAML integration
Role-based access control, 2FA, SSO
SSO via SAML, permission controls
SSO, 2FA, configurable password policy
Step 4. Provide an overview of data protection efforts
Convey the essential data protection measures you take, such as audit logging, a backup and disaster recovery policy, and data encryption at rest and in transit.
Encryption, file recovery, regular security testing
Data encryption, password policy, access monitoring
Data encryption, DDoS protection
Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), data encryption
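As an added example that is not from the original article or from any vendor it mentions, the following Python script checks two claims a security page commonly makes, without touching the network: the vulnerability-reporting channel from Step 1, published as a security.txt file (RFC 9116), and the HSTS header from Step 4. The sample security.txt contents, the example.com addresses, and the one-year max-age baseline are constructed assumptions for the demonstration.

```python
"""Offline checks for two claims on a security page: a vulnerability-reporting
channel (security.txt, RFC 9116) and an HSTS (Strict-Transport-Security) header."""
from datetime import datetime, timezone

# Constructed sample security.txt using RFC 9116 fields; example.com is a placeholder.
SAMPLE_SECURITY_TXT = """\
# Vulnerability reporting for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""

ONE_YEAR = 31536000  # seconds; assumed baseline for max-age


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field_name_lowercased: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the RFC 9116 'MUST' rules are met."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing Contact")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact should be a mailto:, https:// or tel: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                findings.append("security.txt has expired")
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return findings


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its directives (names are case-insensitive)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is required")
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def check_hsts(header):
    """Findings against the assumed baseline: max-age of at least one year plus includeSubDomains."""
    try:
        policy = parse_hsts(header)
    except ValueError as err:
        return [f"invalid header: {err}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")  # browsers drop the cached policy
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is under one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    print("security.txt:", check_security_txt(SAMPLE_SECURITY_TXT) or "ok")
    for value in ("max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0"):
        print(f"HSTS {value!r}:", check_hsts(value) or "ok")
```

The script reports findings rather than a pass/fail so that the same checks can run in a CI job against the published `/.well-known/security.txt` file and the response headers of the security page itself; the one-year baseline is the value hstspreload.org requires, and `max-age=0` is flagged separately because it silently removes a previously cached policy.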
Step 5. Mention security best practices for your product
Under the shared responsibility security model, instruct customers on the data and privacy protection measures they can take themselves, in addition to the responsibilities your company covers.
Encryption, audio signatures, waiting rooms
Strong password, MFA, and SSO
Strong password, 2FA, account activity monitoring
Links to guidelines for protecting accounts, designs, and data
Step 6. Link to additional resources
A single page might not be able to cover all security, compliance, and privacy-related issues. Give links to other resources (whitepapers, trust portals, compliance reports, etc.) for users who would like more information.
Whitepaper, compliance reports
Compliance reports, transparency report, CCPA, GDPR
Security docs, FAQs, and security practices page
Datasheet, security and compliance partners, security feature page
Step 7. Highlight internal security measures
Internal security measures are the precautions taken against security vulnerabilities and data breaches—these range from physical or corporate security to employee training.
Employee training, vendor management
Network security, hardware security, security education, physical security
Cloud Service Provider (CSP) physical and environmental security, training
On-site physical security, vendor management, email protection
Step 8. Mention Cloud & SaaS security capabilities and measures
Because customer data in a cloud or SaaS product lives on infrastructure the customer does not control, describe the data protection measures, security controls, and regular assessments that apply to it.
Data center physical security, encryption, disaster recovery
Incident management, data center security
Data localization, DDoS mitigation
Incident handling, risk management, encryption, and breach notification
Step 9. Inform about subprocessors and their access to customer data
Subprocessors are third-party platforms or data processors that may access or process data.
Email signup for notifications of subprocessor changes
Information about third-party payment processor security
Vendor security risk minimization
Step 10. Include call-to-action (CTA) buttons
Security pages build customer trust; therefore, they are perfect for nudging your prospects to sign up for your product, contact sales, or start a free trial. It is common to use CTA buttons to direct users to a whitepaper or a sales engineer.
CTA button that leads to a security datasheet
All Security Practices button that links to Atlassian’s security whitepaper
Signup button to get started
Two CTA buttons, one for a security workshop and one for contacting sales