Write the agent section of your customer-facing security page

Most company `/security` or `/trust` pages either overstate (*enterprise-grade AI security*) or punt (*contact us for details*); both lose deals. Draft the agent subsection from honest evidence: subprocessors named, data-flow described, retention spelled out, gaps acknowledged, using the same inventory your sales team cites in vendor questionnaires.

Plus three Admin-Agent passes: draft the section from your subprocessor inventory, retention notes and SOC 2 mapping; flag any claim that overshoots the evidence; and produce a one-paragraph plain-English summary an executive can quote in a sales call.

Audience: Admins · Developers · Executives
Time: ~15 min
Prerequisites: A subprocessor inventory ([Map your subprocessors for procurement](/tutorials/map-your-subprocessors-for-procurement)). Retention vocabulary ([Plan for retention and deletion requests](/tutorials/plan-for-retention-and-deletion-requests)). Helpful: SOC 2 mapping ([Build a SOC 2 control mapping for your Auxot deployment](/tutorials/build-a-soc-2-control-mapping-for-your-auxot-deployment)), questionnaire muscle ([Answer vendor security questionnaires from your own evidence](/tutorials/answer-vendor-security-questionnaires-from-your-own-evidence)), adversarial-testing receipts ([Red-team your agents against prompt injection](/tutorials/red-team-your-agents-against-prompt-injection)).
You'll end up with: A markdown draft of the agent subsection of your `/security` or `/trust` page, sourced from internal evidence, with named subprocessors, plain-English data-flow, real retention specifics, and named gaps where you do not yet have controls, ready for legal redline.

When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.

Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.

Why this matters

Buyers click your /security page before they talk to sales. They click your /trust page before they renew. The agent subsection of those pages is the first thing modern procurement teams look for, and most of them are written one of two ways, both of which lose deals:

  • Overstating. “Enterprise-grade AI security with bank-level encryption.” This sounds impressive until a procurement team asks for the SOC 2 report you do not yet have, or a security lead notices you forgot to name the subprocessors. The deal slows; trust drops.
  • Punting. “For details on our AI security, contact your account representative.” This is a sales meeting you did not need to schedule, and a signal that you do not know your own security story.

The honest middle is short: named subprocessors, plain-English data-flow, real retention numbers, named gaps, and one contact path for follow-up. That paragraph closes more deals than the polished one because procurement teams trust specificity.

You already have the inputs. Your subprocessor inventory (Map your subprocessors for procurement) names the vendors. Your SOC 2 mapping (Build a SOC 2 control mapping for your Auxot deployment) names the controls. Your retention playbook (Plan for retention and deletion requests) names the limits. This tutorial assembles those into a paragraph legal can sign off on and marketing can publish.

No draft reads as honest on its own: you cite specific evidence, you name specific gaps, and you route legal review before publishing.


Quick start

  1. Pull the inputs: subprocessor inventory, SOC 2 mapping (if you have one), retention notes, and any pen-test or adversarial-testing receipts (Red-team your agents against prompt injection).
  2. Pick the five subsections: Subprocessors / Data flow / Retention / Customer controls / Certifications and gaps. Most /trust pages have a sixth (Contact); keep it.
  3. Draft each subsection in ~3 sentences: specific names, specific limits, no marketing adjectives.
  4. Name the gaps explicitly: “SOC 2 Type II audit in progress, expected Q3 2026” beats silence every time.
  5. Route legal review: the doc lives in marketing or product, but it ships through legal. Add a footer with Last reviewed: YYYY-MM-DD and a contact email.

Done? A draft section legal can redline without rewriting from scratch, and one that survives a procurement team’s search for “SOC 2,” “subprocessor list,” and “data retention.”


The agent can do that?

1. Draft the section from your evidence sources

Chat → Admin Agent:

Draft the agent subsection of our /trust page using ONLY these inputs:
- Subprocessor inventory: [paste table or context-file title]
- Retention summary: [paste 3 sentences]
- SOC 2 status: [paste current state, e.g. "Type II audit in progress, Q3 2026" or "not pursuing this year"]
- Adversarial testing: [paste cadence, e.g. "quarterly, last completed YYYY-MM-DD" or "not yet established"]

Structure: five subsections (Subprocessors, Data flow, Retention, Customer controls, Certifications and gaps). Three sentences max per subsection. No marketing adjectives. Name specific vendors and specific timeframes. If a subsection lacks evidence, write a one-sentence gap acknowledgment instead of inventing.

Why it’s non-obvious: Marketing-led drafts default to adjectives (“robust,” “enterprise-grade”). Forcing the agent to read named sources keeps the draft to facts. You still verify every sentence against the source before legal sees it.

2. Flag claims that overshoot the evidence

After the draft exists, paste it back:

Draft: [paste]. Flag every claim that overshoots the evidence I gave you: promises of certifications we do not hold, vague encryption language, "always" / "never" statements without scope. List one specific edit per flag.

Why it’s non-obvious: Overstatements are how trust pages become liabilities. Procurement teams search these pages with adversarial intent; the line that sounded fine to marketing sounds like fraud to a buyer’s security lead.

3. Executive one-paragraph summary

Summarize the agent section above in one paragraph (4 sentences max) that a CEO can quote verbatim in a sales call: same specificity, no marketing adjectives. Audience: a buyer who has read your full /trust page and wants the elevator-pitch version.

Why it’s non-obvious: Executives need to defend the trust page in calls without rereading it. A pre-approved paragraph stops on-the-fly improvisation that diverges from the published document.


Go deeper

The five subsections, in order of buyer attention

  1. Subprocessors. Named vendors, what they process, what region. Reads straight from your subprocessor inventory (Map your subprocessors for procurement). This is the section procurement teams open first.
  2. Data flow. One paragraph in plain English: customer data → Auxot → which provider → response back. Name what does NOT leave (your own VPC, your context files in certain configurations).
  3. Retention. Real numbers. “Conversation transcripts retained 90 days in Audit Logs; deletion requests honored within 30 days per [DSAR playbook].” Vague retention is a deal-killer (Plan for retention and deletion requests).
  4. Customer controls. What the customer can configure (their own API keys, their own tool policies, their own team scoping). Pair with Set up multi-team isolation and Create a shared Team API Key.
  5. Certifications and gaps. Current state, no spin. “SOC 2 Type I completed YYYY-MM-DD; Type II in progress, expected Q3 2026. No HIPAA BAA available today.”

The Contact row

Add a single email or form link, owned by a human who actually replies within 48 hours. “For security questions: security@yourcompany.com” beats “Reach out to your account team”; buyers want to skip sales for security questions, and respecting that wins trust.

Marketing voice vs procurement voice

Marketing voice wants emotional adjectives. Procurement voice wants specific nouns. The trust page lives in the second camp. Concretely:

  • “Bank-grade encryption” → “TLS 1.3 in transit; AES-256 at rest in [your cloud region].”
  • “Enterprise-ready” → “Used by [number] organizations with SOC 2 Type I as of [date].”
  • “Industry-leading AI safety” → “Adversarial testing run quarterly; receipts available on request under NDA.”

Refresh cadence

Tie the trust page review to the same quarterly cadence as the subprocessor inventory and SOC 2 mapping. Add a Last reviewed: YYYY-MM-DD footer. Buyers reading a six-month-old page assume the controls are six months old too.

Owner change

The trust page has a named owner whether or not you’ve recorded one. When that person rotates, follow the same handoff motion as Hand off the audit narrative when your compliance lead changes: the page, and the reasoning behind each specific claim, move to the next person without losing the connection to the SOC 2 mapping and subprocessor inventory they are sourced from.

Troubleshooting

  • Legal wants to remove every specific claim. Negotiate. A trust page with zero specifics is a liability of a different kind; it tells buyers you do not know your own security story. Push back with the SOC 2 mapping (Build a SOC 2 control mapping for your Auxot deployment) as backing evidence for each specific claim.
  • Marketing wants to add adjectives. Negotiate. Procurement teams read the adjectives as smoke. Cite the questionnaire pain (Answer vendor security questionnaires from your own evidence) to show what buyers actually look for.
  • The gap list feels embarrassing. Acknowledged gaps with timelines build trust faster than silence. “HIPAA BAA not currently offered” is a fine sentence; “contact us for HIPAA information” invites an awkward sales call.
  • You have a competitor who claims more than they have. Let them. Their buyers who care about security will figure it out within two weeks of signing. Yours stay because the page held up.

Variations & edge cases

  • Consumer-facing product: the agent section may live on a privacy page rather than a /trust page; same structure, different reading level. Drop technical terms a typical consumer would not Google.
  • Regulated industries (healthcare, finance, legal): the page needs explicit “not for [regulated category] data” language where you do not have the required certifications. Vague phrasing here causes contract breaches.
  • Multi-product company: if Auxot is one product among several, the agent section may need to be repeated per product or scoped explicitly. Buyers should not have to infer which product the agent controls cover.
  • Self-hosted customers: add a paragraph distinguishing what controls you operate versus what the self-hosted customer operates (Self-host Auxot stage by stage). The boundary matters legally.

Walkthrough

Step 1: Gather the inputs

Open these in tabs:

  • Subprocessor inventory (Map your subprocessors for procurement).
  • Retention notes (Plan for retention and deletion requests).
  • SOC 2 mapping, if you have one (Build a SOC 2 control mapping for your Auxot deployment).
  • Pen-test or adversarial-testing receipts (Red-team your agents against prompt injection).

Step 2: Draft the five subsections

Use power move 1 to generate a first pass. Three sentences per subsection. No marketing adjectives.

Example for the Subprocessors subsection:

Model inference is processed by named providers we list on our subprocessor page (last updated YYYY-MM-DD). Today: [Anthropic, OpenAI] in US regions. Adding a new subprocessor triggers a notice to customers under our DPA.

Step 3: Run the overstatement check

Use power move 2. Read every flag carefully. The agent will catch the most common failures (“always,” “enterprise-grade,” “industry-leading”); you still need to catch domain-specific overstatements it does not know about (compliance frameworks you do not hold, geographies you do not cover).
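A mechanical first pass over the draft before the agent and legal see it, as an added example that is not part of this tutorial or of Auxot: it flags the adjectives named on this page, every “always”/“never” sentence for scoping review, any of the five subsections missing as a heading, and a Last reviewed footer that is absent or older than a quarter. The adjective list, the 92-day threshold and the sample draft are constructed assumptions.

```python
"""Lint a draft of the /trust agent section against this tutorial's rules (added example,
not Auxot code): adjectives, unscoped absolutes, five subsections, a fresh footer."""
import re
from datetime import date

MARKETING_TERMS = ("robust", "enterprise-grade", "enterprise-ready",
                   "bank-grade", "bank-level", "industry-leading")
REQUIRED_SECTIONS = ("Subprocessors", "Data flow", "Retention",
                     "Customer controls", "Certifications and gaps")
MAX_REVIEW_AGE_DAYS = 92  # one quarter, the refresh cadence (assumed threshold)

def lint_trust_draft(draft: str, today: date) -> list[str]:
    """Return one finding per problem; an empty list means the draft passes."""
    findings = []
    for term in MARKETING_TERMS:
        if term in draft.lower():
            findings.append(f'marketing adjective: "{term}"')
    # Absolutes are allowed only with an explicit scope; flag each for human review.
    for sentence in re.split(r"(?<=[.!?])\s+", draft):
        if re.search(r"\b(always|never)\b", sentence, re.I):
            findings.append(f'absolute claim needs scope: "{sentence.strip()}"')
    for section in REQUIRED_SECTIONS:  # any heading level, case-insensitive
        if not re.search(rf"^#+\s*{re.escape(section)}\s*$", draft, re.M | re.I):
            findings.append(f"missing subsection: {section}")
    m = re.search(r"^Last reviewed:\s*(\d{4}-\d{2}-\d{2})\s*$", draft, re.M)
    if not m:
        findings.append("missing footer: Last reviewed: YYYY-MM-DD")
    elif (today - date.fromisoformat(m.group(1))).days > MAX_REVIEW_AGE_DAYS:
        findings.append(f"stale: last reviewed {m.group(1)}, over a quarter ago")
    return findings

# Constructed sample draft: one adjective, one absolute, and a footer from January.
SAMPLE_DRAFT = """\
## Subprocessors
Model inference is processed by [Provider A, Provider B] in US regions.
## Data flow
Customer data goes from your browser to Auxot, then to the provider, and back. Context files in your VPC never leave it.
## Retention
Conversation transcripts are retained 90 days in Audit Logs.
## Customer controls
Customers configure their own API keys, tool policies and team scoping.
## Certifications and gaps
SOC 2 Type II audit in progress, expected Q3 2026. Enterprise-grade security throughout.

Last reviewed: 2026-01-15
"""

if __name__ == "__main__":
    print("\n".join(lint_trust_draft(SAMPLE_DRAFT, today=date(2026, 6, 1))))
```

The lint catches only the generic failures the page lists; domain-specific overstatements (frameworks you do not hold, regions you do not cover) still need a human reader.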

Step 4: Add the gaps section

This is the one most teams skip. Examples that work:

Certifications and current gaps:

  • SOC 2 Type I: completed YYYY-MM-DD.
  • SOC 2 Type II: audit in progress, expected Q3 2026.
  • HIPAA: not currently offered. Do not use Auxot for protected health information.
  • ISO 27001: not on roadmap for 2026.

The HIPAA sentence is a legal protection, not a marketing weakness.

Step 5: Draft the executive one-paragraph version

Use power move 3. This paragraph goes in two places:

  • Top of the trust page as a TL;DR for skimmers.
  • Internal sales-enablement doc so reps quote the same words on calls.

Route to legal with the source documents attached so the redline can be specific. Add the footer:

Last reviewed: YYYY-MM-DD
Owner: [name]
Security questions: security@yourcompany.com

Schedule the quarterly review on the calendar so the next refresh does not miss.
