10-Step Security Landing Page Best Practices Checklist

Figma security page
It's well-known that trust is one of the biggest factors in conversions and customer loyalty. You could have an excellent product and service, but if people don't trust you, then it's unlikely that they will do business with you. So, customers coming to your site want to know that you are a trusted brand protecting their data and privacy.

That's where a security page steps in. It's one page on your site where customers can see all the steps you've taken to protect their info—compressed and ready to build trust. Here are the steps to creating a well-structured security page following the industry best practices with examples of how other vendors take each step.

Step 1. Share a way to report vulnerabilities

Provide method/s to report vulnerabilities, and inform users about your disclosure policy and vulnerability management program.

GitHub logo
GitHub
Bug bounty program
Cloudflare logo
Cloudflare
Bug bounty program
Atlassian logo
Atlassian
Bug bounty program, support contact page
Zoom logo
Zoom
Third-party solution and email

Step 2. Showcase compliance certifications, attestations, regulations

Display badges of complied security frameworks, attestations, and privacy regulations or highlight significant ones with brief descriptions and links to reports and detail pages.

Slack logo
Slack
ISO, SOC 2 Type 2, SOC 3, APEC, CSA
Webflow logo
Webflow
SOC 2 Type 1 and 2
Auth0 logo
Auth0
ISO, SOC 2 Type 2, HIPAA, PCI DSS, CSA STAR
Canva logo
Canva
GDPR, ISO

Step 3. Highlight access and identity control features

Inform users about access and identity control capabilities such as SAML-based single sign-on and two-factor authentication.

Zapier logo
Zapier
2FA, SAML integration
Synk logo
Synk
Role-based access control, 2FA, SSO
Notion logo
Notion
SSO via SAML, permission controls
Zendesk logo
Zendesk
SSO, 2FA, configurable password policy

Step 4. Provide an overview of data protection efforts

Convey essential data protection measures you take, such as Audit Logging, Backup and Disaster Recovery policy, and data encryption at rest and in transit.

Dropbox logo
Dropbox
Encryption, file recovery, regular security testing
Gremlin logo
Gremlin
Data encryption, password policy, access monitoring
Auth0 logo
Auth0
Data encryption, DDoS protection
Datadog logo
Datadog
Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), data encryption

Step 5. Mention security best practices for your product

In relation to the shared responsibility security model, instruct customers on data and privacy protection measures they can take in addition to the company-side responsibilities.

Zoom logo
Zoom
Encryption, audio signatures, waiting rooms
Webflow logo
Webflow
Strong password, MFA, and SSO
Dropbox logo
Dropbox
Strong password, 2FA, account activity monitoring
Canva logo
Canva
Links to guidelines for protecting accounts, designs, and data

Step 6. Link to additional resources

A single page might not be able to cover all security, compliance, and privacy-related issues. Give links to other resources for users who would like more information. (Whitepapers, Trust Portals, compliance reports, etc.)

PagerDuty logo
PagerDuty
Whitepaper, compliance reports
Shopify logo
Shopify
Compliance reports, transparency report, CCPA, GDPR
Gremlin logo
Gremlin
Security docs, FAQs, and security practices page
Slack logo
Slack
Datasheet, security and compliance partners, security feature page

Step 7. Highlight internal security measures

Internal security measures are the precautions taken against security vulnerabilities and data breaches—these range from physical or corporate security to employee training.

Notion logo
Notion
Employee training, vendor management
Webflow logo
Webflow
Network security, hardware security, security education, physical security
Datadog logo
Datadog
Cloud Service Provider (CSP) physical and environmental security, training
Synk logo
Synk
On-site physical security, vendor management, email protection

Step 8. Mention Cloud & SaaS security capabilities and measures

Due to its nature, cloud computing requires data protection, security measures, and regular assessments.

Zendesk logo
Zendesk
Data center physical security, encryption, disaster recovery
PagerDuty logo
PagerDuty
Incident management, data center security
Cloudflare logo
Cloudflare
Data localization, DDoS mitigation
Splunk logo
Splunk
Incident handling, risk management, encryption, and breach notification

Step 9. Inform about subprocessors and their access to customer data

Subprocessors are third-party platforms or data processors that may access or process data.

Splunk logo
Splunk
Email signup for notifications of subprocessor changes
PagerDuty logo
PagerDuty
Information about third-party payment processor security
Zendesk logo
Zendesk
Vendor security risk minimization
Synk logo
Synk
Security Portal

Step 10. Include Call/s to Action (CTA) Buttons

Security pages build customer trust; therefore, they are perfect for nudging your prospects to sign up for your product, contact sales, or start a free trial. It is common to use CTA buttons to direct users to a whitepaper or a sales engineer.

Slack logo
Slack
CTA button that leads to a security datasheet
Atlassian logo
Atlassian
All Security Practices button that links to Atlassian’s security whitepaper
Figma logo
Figma
Signup button to get started
GitHub logo
GitHub
Two CTA buttons. one for security workshop and one for contacting sales

Want to learn more?

Answer a few questions and get your report