Conveyor automates security questionnaires and RFPs by drafting answers using ConveyorAI. ConveyorAI bases its answers your Documents, Past Answers, External sources, and Knowledge Base question-and-answer ("q&a") pairs.

Of course, that's not the only reason to add content to Conveyor. With Conveyor, you can also share commonly requested artifacts like your SOC 2 directly with customers in a Trust Center..

🥇[Recommended] 5-10 Docs + 400 Q&A's + 2 External Sources

Fortunately, whether you're using Conveyor for Questionnaire/RFP Automation, a Trust Center, or both, we recommend adding similar content.

In our testing, we found that 5-10 common documents paired with roughly 400 Knowledge Base question-and-answer pairs enables ConveyorAI to answer roughly 85-90% of the questions on typical InfoSec questionnaires. Adding 2 external sources boosts accuracy another 5%+. These also give you a great starting point for a customer-facing Trust Center.

Common Assets - Security Questionnaires

Depending on which of these documents you have, we recommend the following. These documents alone enable ConveyorAI to answer 60% of the questions on typical InfoSec questionnaires:

• Your SOC 2 Type II report. This report is by far the most commonly-requested document by customers. Furthermore, in our testing, we found that a good SOC 2 Type II report by itself enables our AI bot to answer 45% of the questions on typical InfoSec questionnaires. If you're using Conveyor as a Trust Center, add any other Audit and Compliance reports you have, too, like your ISO-27001 Cert, PCI compliance, etc!
• Supported Standardized Questionnaires:
  • Your CSA (Cloud Security Alliance) STAR-CAIQ. We've found that a detailed CAIQ by itself answers 24% of most InfoSec questionnaires. As long as the Excel contains a tab with the name "CAIQ" and a version number on it, our Questionnaire Automation will read from it.
  • Your HECVAT (Higher Education Cloud Vendor Assessment). Uploading your completed HECVAT questionnaire (Lite or Full) can help support in answering more detailed InfoSec questions. As long as the HECVAT is of version 2.0 or above and has a tab with name “HECVAT - (Lite/Full)” we will automatically read from it.
  • Your SIG (Shared Assessments Standardized Information Gathering). Uploading a completed SIG (both Lite or Core) provides extensive information for InfoSec questionnaires. As long as the Excel contains a tab with the name “SIG”, our Questionnaire Automation will read from any version of this standard.
• Your Penetration Test Executive Summary and Remediation Letter. Did you know that 40% of questionnaires explicitly ask about penetration testing? Many customers request to see the executive summary, too.
• Your Policies (especially your Business Continuity Plan). A whopping 65% of questionnaires ask directly about your InfoSec policies. Ideally, upload each policy as a separate document to keep things tidier. Here are a few suggestions for specific policies:
  • Business Continuity Plan: Customers love asking "what happens if (and when) there's an outage?"
  • Incident Response Plan: Likewise, customers love asking "what happens if (and when) you get popped?"
  • Acceptable Use Policy: Customers often want to know what governs employee behavior.
  • Data Retention Policy: Customers like knowing there's a process in place for removing data after contracts end.
  • SDLC (Software Development Lifecycle): A common source of answers to questions around how you build products securely.
• A Security Whitepaper and/or FAQ. Lastly, if you or your marketing team has published a security whitepaper or FAQ, upload it!

See Adding New Documents to learn how to add Documents.

Common Assets - RFPs

Depending on which of these assets you have, we recommend the following. These documents alone enable ConveyorAI to answer 65% of the questions on typical RFPs:

• Internal Confluence Pages. Conveyor integrates easily with internal/gated tools like Confluence (and soon Google Drive, OneDrive, Sharepoint, more!) to index all subpages within a workspace. Many enablement, product, marketing, and engineering teams keep specific workspaces current with the latest positioning and messaging information. Just add the Confluence URL in Conveyor and it auto-refreshes weekly.
• Your Company Deck. This deck (which you can download/upload as a PDF from PowerPoint of Google Slides) is by far the most commonly-used document to explain what your company does, the underlying products, and core use cases. It's typically only updated once per year for core positioning and messaging. It can help provide a simple, clear pitch on:
  • The company's mission
  • The core personas served: key problems, common solution use cases, high-level competitive differentiation
  • Customer success examples (by segment, vertical, use case, persona, etc.) with quantitative improvements
• Your First Call and Second Call Deck. These decks often is a bite sized deck for Sales to run a 30min (1st call) and 60min (2nd call) meeting with prospects. It might have lots of permutations in the field (as people customize it) but generally it starts with the landmark value propositions and detailed pitch for "Why Us." It will often includ:
  • Market challenges for a specific persona
  • Feature-level competitive differentiation
  • High-level pricing and packaging
  • Implementation and support options
  • Product roadmap
• New Product Launches. Companies ship lots of product. Generally as "lightning strikes" and "rolling thunder." New product launches are classified as "lightning strikes." They generally get dedicated sales assets (like new slides in the company deck) or their own wiki page - say in Confluence.
• Monthly Feature Releases. Monthly releases look more like "rolling thunder." They are often available as a downloadable PDF (on a public site), data sheets, or email (easily downloaded). Sometimes a feature release can be highly competitive but get lost in the avalanche of marketing. Connecting your Conveyor instance to simple workflows (e.g. Zapier that downloads monthly release, saves as PDF, uploads to File folder) can keep every response accurate, an A+ pitch, and automatically up-to-date!

See Adding New Documents to learn how to add Documents.

Knowledge Base Q&A's

If you've added the Common Docs above, then you should see about 60% accurate answer coverage on typical InfoSec questionnaires. That could be a great starting point - over time, you can push Knowledge Base q&a's to your Conveyor Library to close the gaps.

However, if you want to try to get closer to 85-90% of your InfoSec questions accurately answers right away, we recommend adding an additional 400 Knowledge Base question-and-answer pairs. Some potential sources are:

• ~4 past completed questionnaires. Customer questionnaires are always the best source because you've curated customer-friendly answers (by definition), and the questions tend to overlap with what other customers care about.
• Your Shared Assessments SIG, SIG Lite, or SIG Core. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.
• Your HECVAT Lite or Full. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.

See Adding content to your Knowledge Base to learn how to add Knowledge Base content.

Past Answers

Starting with a smaller number (400 vs. the many thousands some suggest) of Knowledge Base Q&A's surprisingly allows you to decrease maintenance.

That's because Past Answers are an efficient way to fill in the gaps on the less common questions. These responses are always remembered by ConveyorAI - and even show up in one-off searches. Any edits or tweaks are always taken into account for a future response.

The end result is less curated content needed in the Knowledge Base. A few suggestions on best practices:

• Leave defaults as-is. By default, with a few exceptions, ConveyorAI will automatically mark any answer as "reusable" if: a human edits the AI-generated answer or ConveyorAI did not return an answer, and a human answers it.
• Push less common answers to Past Answers. Sort your Curated Q&A's from from least used to most used and you'll quickly identify a cohort of answers that are used in the single digits. For example: "Were you affected by the Log4j vulnerability?" Do not push these answers to the Curated Q&A knowledge base. Answer them one-off, once, and never again!

External Sources

Data across organizational domains - such as marketing, product, or technical documentation - is often the source of truth for many business-level questions. These sources boost accuracy to 90%-95%:

• Company website. For Conveyor it's www.conveyor.com. Use this source for marketing copy around which products are offered, the value propositions or key benefits, and use cases supported.
• Company Help Center.For Conveyor it's docs.conveyor.com. Use this source for nuanced technical answers to specific product questions.
• Company Web Policies.For Conveyor it's conveyor.com/legal. Use this source for things like Terms of Service, Acceptable Use Policy, Data Processing Addendum, Privacy Statement, Responsible Disclosure Policy, Security Policy, Subprocessor Directory, Trademark Policy, Support Policy. Because web refresh happens once a week you're always automatically up to date!

🥈 "I'm starting from scratch": Use our template!

If you don't have any of the documents above, and don't have any past questionnaires to utilize for your Knowledge Base, then answer these Top 200 questions found in our handy template here, and bulk-import them per these instructions: Adding content to your Knowledge Base. You can then run the ConveyorAI on these questions, or make them accessible to customers via your Trust Center!