A security-questionnaire question, answered without certification
What should you send when a prospect asks for your SOC 2 report and you don't have one?
The honest answer pattern
Send a direct sentence stating you hold no SOC 2 report, followed by your actual security documentation: policies, a subprocessor list, and a trust page that names your real stack. Procurement teams route uncertified vendors through a questionnaire path constantly; what stalls deals is evasion, not the absence of the report. Offer to complete their questionnaire promptly — speed and specificity are your substitute signals.
What a credible answer looks like
A credible answer is specific, and it uses the present tense only where that is true: it names your actual provider and systems, states what is in place today, and moves anything that isn't into a clearly labelled roadmap item instead of an aspirational “yes”. Reviewers read dozens of these a quarter; vague assurances are what get a vendor flagged, not missing certifications.
You can see this pattern applied end-to-end in the full sample security pack — a real trust page, three policies, and an answer bank generated by the same pipeline a paying customer uses, shown without any email gate.
The facts your answer needs (from the Trustpack intake):
- Do you hold security certifications (SOC 2, ISO 27001)?
- Which email should security questions and disclosures be sent to?
Answer the whole questionnaire, not one row
Trustpack turns your own attested answers into three security policies, a copy-paste answer bank covering the canonical questionnaire topics, and a live public trust page. Every document is vendor-attested and says so plainly — it never claims certification. Flat $49, one time.