Trustpack

For 1–5-person SaaS vendors holding an enterprise security questionnaire

Answer the security questionnaire credibly — without SOC 2 or a lost weekend.

Answer plain-English questions about how your product actually runs, attest every statement, and get a security policy set, a copy-paste questionnaire answer bank, and a live public trust page — all generated only from what you attested. Flat $49, one time. Your documents are yours to keep.

How it works

  1. Answer plain questions. Where you host, who can touch production, how backups work, which subprocessors see customer data. Every practice question accepts “not yet” as an honest answer — it becomes a roadmap item, never a claim.
  2. Review and attest every statement. Before you pay, you see the exact statements your documents will be built from, each traceable to one of your answers. Fix anything, then confirm.
  3. Get your pack. Three security policies, a questionnaire answer bank phrased the way reviewers ask, and a live trust page at a clean URL you control — publish or unpublish anytime.

Policies that name your actual stack

Access Control & Identity, Incident Response & Breach Notification, Data Protection & Retention — written from your answers, naming your real hosting provider, subprocessors, and retention windows. Print-styled and downloadable as markdown.

A copy-paste answer bank

The canonical questionnaire topics — encryption, access control, MFA, backups, incident response, subprocessors, deletion, vulnerability management and more — answered in procurement language, ready to paste row by row.

A live public trust page

A restrained, dated page at your own URL: identity, hosting, subprocessor list, data handling, and an honest current-posture-and-roadmap section. Send the link instead of a wall of marketing. Unpublish instantly from your dashboard.

What this is — and what it isn't

Trustpack produces vendor-attested security documentation. Every statement comes from your own answers, and every document says so plainly, right under its title: “Based on answers provided by your company on the date you attested. Self-attested by the vendor; not audited or certified by any third party.”

It is not a certification, not an audit, and it won't satisfy every enterprise — some buyers require an actual audit report and nothing else. What it is: the credible way to answer when you don't have an audit. Real policies, real answers, and a public trust page that describes your actual security posture instead of dodging the question.

A real example, fully visible

Generated for Driftnet

This sample was generated by the same pipeline customers use, from a real intake for Driftnet — an LLM-eval tool we run ourselves on Vercel, Stripe, OpenRouter, and GitHub. Operational details the public record doesn't establish use the most plausible value for a solo-founder SaaS on that stack. This is the exact pipeline output; nothing staged. Here is how the trust page opens:

Driftnet — Security & Trust

Based on answers provided by Driftnet on 2026-06-11. Self-attested by the vendor; not audited or certified by any third party.
Overview

Driftnet is an LLM-eval tool that catches output drift, built for solo developers. The company is a one-person operation; the founder is the sole engineer, administrator, and security contact. Security controls reflect that scale: direct, hands-on, and limited to what a single operator can maintain reliably.
Infrastructure & Hosting

Driftnet runs on Vercel serverless functions and Vercel Blob storage. All customer data resides in the United States, Vercel region iad1. Order and eval records in Vercel Blob are covered by automated daily snapshots retained for 30 days. A public status page is available at status.forage.bot.
See the full sample — trust page, all three policies, and the answer bank →

Common questions

How does it work?

You answer 29 plain-English questions about how your product actually runs. Then you review the attestation screen: every statement the system will put your name on, each traceable to one of your answers, editable before you confirm. Only after you attest do you pay, and the bundle is generated solely from your attested answers — never from anything we invent.

What data do you store?

Your intake answers and the generated documents — they are the product's content, stored privately against your order and covered by our privacy policy. Your dashboard lives at an unguessable link. The only public artifact is the trust page, and only if you publish it; you can unpublish instantly.

How long does it take?

The intake takes as long as it takes you to describe your own stack honestly — most of the questions are one-liners. After checkout, generation typically finishes in under two minutes; your dashboard shows the live status and you get an email when the pack is ready.

Is this a certification?

No. Nothing Trustpack produces is a certification, an audit, or a compliance attestation by a third party. Every document carries a line saying exactly that. If a buyer requires an audit report, this product does not replace one — it is how you answer credibly while you don't have one.

Can I update it later?

Yes — updating and re-attesting is free, forever. Email trustpack@forage.bot from your order and we'll regenerate your pack from your updated, re-attested answers with a fresh revision date. Your trust page URL stays the same.

Who is this NOT for?

Vendors whose buyer demands an actual audit report and will accept nothing else, and teams that already run a compliance platform. Trustpack is for the small vendor who needs to answer credibly this week, not for replacing an audit.

What's your refund policy?

Two conditions, both checked automatically: verifiable failure — if our validator flagged your generation as failed after retries, you're refunded automatically (and can claim it for 90 days); or verifiable non-use — if our logs show you never opened your dashboard after delivery, refunds are available for 30 days. Anything else, email trustpack@forage.bot.