What content should I add to Conveyor?

Getting the best accuracy from ConveyorAI, and delivering the best Trust Center to your customers, starts with strong content.

Conveyor automates security questionnaires and RFPs by drafting answers using ConveyorAI. ConveyorAI bases its answers on your Documents, Past Answers, External sources, and Knowledge Base question-and-answer ("q&a") pairs.

Of course, that's not the only reason to add content to Conveyor. With Conveyor, you can also share commonly requested artifacts like your SOC 2 directly with customers in a Trust Center.

🥇[Recommended] 5-10 Docs + 400 Q&A's + 2 External Sources

Fortunately, whether you're using Conveyor for Questionnaire Automation, a Trust Center, or both, we recommend adding similar content.

In our testing, we found that 5-10 common documents paired with roughly 400 Knowledge Base question-and-answer pairs enable ConveyorAI to answer roughly 85-90% of the questions on typical InfoSec questionnaires. Adding 2 external sources boosts accuracy another 5%+. These also give you a great starting point for a customer-facing Trust Center.

Common Documents

Depending on which of these documents you have, we recommend the following. These documents alone enable ConveyorAI to answer 60% of the questions on typical InfoSec questionnaires:

  • Your SOC 2 Type II report. This report is by far the most commonly-requested document by customers. Furthermore, in our testing, we found that a good SOC 2 Type II report by itself enables our AI bot to answer 45% of the questions on typical InfoSec questionnaires. If you're using Conveyor as a Trust Center, add any other Audit and Compliance reports you have, too, like your ISO-27001 Cert, PCI compliance, etc!
  • Your CSA (Cloud Security Alliance) STAR-CAIQ. We've found that a detailed CAIQ by itself answers 24% of most InfoSec questionnaires. CAIQs are, in fact, the only Excel that our Questionnaire Automation can read from as of today. As long as the Excel contains a tab with the name "CAIQ" and a version number on it, our Questionnaire Automation will read from it. Other Excels can be uploaded as Knowledge Base q&a pairs (see below).
  • Your Penetration Test Executive Summary and Remediation Letter. Did you know that 40% of questionnaires explicitly ask about penetration testing? Many customers request to see the executive summary, too.
  • Your Policies (especially your Business Continuity Plan). A whopping 65% of questionnaires ask directly about your InfoSec policies. Ideally, upload each policy as a separate document to keep things tidier. Here are a few suggestions for specific policies:
    • Business Continuity Plan: Customers love asking "what happens if (and when) there's an outage?"
    • Incident Response Plan: Likewise, customers love asking "what happens if (and when) you get popped?"
    • Acceptable Use Policy: Customers often want to know what governs employee behavior.
    • Data Retention Policy: Customers like knowing there's a process in place for removing data after contracts end.
    • SDLC (Software Development Lifecycle): A common source of answers to questions around how you build products securely.
  • A Security Whitepaper and/or FAQ. Lastly, if you or your marketing team has published a security whitepaper or FAQ, upload it!

See Adding New Documents to learn how to add Documents.

Knowledge Base Q&A's

If you've added the Common Docs above, then you should see about 60% accurate answer coverage on typical InfoSec questionnaires. That could be a great starting point - over time, you can push Knowledge Base q&a's to your Conveyor Library to close the gaps.

However, if you want to try to get closer to 85-90% of your InfoSec questions accurately answered right away, we recommend adding an additional 400 Knowledge Base question-and-answer pairs. Some potential sources are:

  • ~4 past completed questionnaires. Customer questionnaires are always the best source because you've curated customer-friendly answers (by definition), and the questions tend to overlap with what other customers care about.
  • Your Shared Assessments SIG, SIG Lite, or SIG Core. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.
  • Your HECVAT Lite or Full. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.

See Adding content to your Knowledge Base to learn how to add Knowledge Base content.

Past Answers

Starting with a smaller number (400 vs. the many thousands some suggest) of Knowledge Base Q&A's surprisingly allows you to decrease maintenance.

That's because Past Answers are an efficient way to fill in the gaps on the less common questions. These responses are always remembered by ConveyorAI - and even show up in one-off searches. Any edits or tweaks are always taken into account for a future response.

The end result is less curated content needed in the Knowledge Base. A few suggestions on best practices:

  • Leave defaults as-is. By default, with a few exceptions, ConveyorAI will automatically mark any answer as "reusable" if: a human edits the AI-generated answer or ConveyorAI did not return an answer, and a human answers it.
  • Push less common answers to Past Answers. Sort your Curated Q&A's from least used to most used and you'll quickly identify a cohort of answers that are used in the single digits. For example: "Were you affected by the Log4j vulnerability?" Do not push these answers to the Curated Q&A knowledge base. Answer them one-off, once, and never again!

External Sources

Data across organizational domains - such as marketing, product, or technical documentation - is often the source of truth for many business-level questions. These sources boost accuracy to 90%-95%:

  • Company website. For Conveyor it's www.conveyor.com. Use this source for marketing copy around which products are offered, the value propositions or key benefits, and use cases supported.
  • Company Help Center. For Conveyor it's docs.conveyor.com. Use this source for nuanced technical answers to specific product questions.

🥈 "I'm starting from scratch": Use our template!

If you don't have any of the documents above, and don't have any past questionnaires to utilize for your Knowledge Base, then answer these Top 200 questions found in our handy template here, and bulk-import them per these instructions: Adding content to your Knowledge Base. You can then run ConveyorAI on these questions, or make them accessible to customers via your Trust Center!

Next Up

Looking for tips and best practices for maintaining your Knowledge Base q&a pairs in particular? See: