What content should I add to Conveyor?

Getting the best accuracy from ConveyorAI, and delivering the best Trust Center to your customers, starts with a strong content.

Conveyor automates security questionnaires by drafting answers using ConveyorAI. ConveyorAI bases its answers on both your Documents and your Knowledge Base question-and-answer ("q&a") pairs.

Of course, that's not the only reason to add content to Conveyor. With Conveyor, you can also share commonly requested artifacts like your SOC 2 directly with customers in a Trust Center..

🥇[Recommended] 5-10 Common Docs + 400 q&a's

Fortunately, whether you're using Conveyor for Questionnaire Automation, a Trust Center, or both, we recommend adding similar content.

In our testing, we found that 5-10 common documents paired with roughly 400 Knowledge Base question-and-answer pairs enables ConveyorAI to answer roughly 85-90% of the questions on typical InfoSec questionnaires. These also give you a great starting point for a customer-facing Trust Center.

Common Documents

Depending on which of these documents you have, we recommend the following. These documents alone enable ConveyorAI to answer 60% of the questions on typical InfoSec questionnaires:

  • Your SOC 2 Type II report. This report is by far the most commonly-requested document by customers. Furthermore, in our testing, we found that a good SOC 2 Type II report by itself enables our AI bot to answer 45% of the questions on typical InfoSec questionnaires. If you're using Conveyor as a Trust Center, add any other Audit and Compliance reports you have, too, like your ISO-27001 Cert, PCI compliance, etc!
  • Your CSA (Cloud Security Alliance) STAR-CAIQ. We've found that a detailed CAIQ by itself answers 24% of most InfoSec questionnaires. CAIQs are, in fact, the only Excel that our Questionnaire Automation can read from as of today. As long as the Excel contains a tab with the name "CAIQ" and a version number on it, our Questionnaire Automation will read from it. Other Excels can be uploaded as Knowledge Base q&a pairs (see below).
  • Your Penetration Test Executive Summary and Remediation Letter. Did you know that 40% of questionnaires explicitly ask about penetration testing? Many customers request to see the executive summary, too.
  • Your Policies (especially your Business Continuity Plan). A whopping 65% of questionnaires ask directly about your InfoSec policies. Ideally, upload each policy as a separate document to keep things tidier. Here are a few suggestions for specific policies:
    • Business Continuity Plan: Customers love asking "what happens if (and when) there's an outage?"
    • Incident Response Plan: Likewise, customers love asking "what happens if (and when) you get popped?"
    • Acceptable Use Policy: Customers often want to know what governs employee behavior.
    • Data Retention Policy: Customers like knowing there's a process in place for removing data after contracts end.
    • SDLC (Software Development Lifecycle): A common source of answers to questions around how you build products securely.
  • A Security Whitepaper and/or FAQ. Lastly, if you or your marketing team has published a security whitepaper or FAQ, upload it!

See Adding New Documents to learn how to add Documents.

Knowledge Base Q&A's

If you've added the Common Docs above, then you should se about 60% accurate answer coverage on typical InfoSec questionnaires. That could be a great starting point - over time, you can push Knowledge Base q&a's to your Conveyor Library to close the gaps.

However, if you want to try to get closer to 85-90% of your InfoSec questions accurately answers right away, we recommend adding an additional 400 Knowledge Base question-and-answer pairs. Some potential sources are:

  • ~4 past completed questionnaires. Customer questionnaires are always the best source because you've curated customer-friendly answers (by definition), and the questions tend to overlap with what other customers care about.
  • Your Shared Assessments SIG, SIG Lite, or SIG Core. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.
  • Your HECVAT Lite or Full. If your answers are "yes/no", you should ideally append longer explanations to the answers before you upload them. But it will still work with "yes/no" answers.

See Adding content to your Knowledge Base to learn how to add Knowledge Base content.

🥈 "I'm starting from scratch": Use our template!

If you don't have any of the documents above, and don't have any past questionnaires to utilize for your Knowledge Base, then answer these Top 200 questions found in our handy template here, and bulk-import them per these instructions: Adding content to your Knowledge Base. You can then run the ConveyorAI on these questions, or make them accessible to customers via your Trust Center!

Next Up

Looking for tips and best practices for maintaining your Knowledge Base q&a pairs in particular? See: