Editorial chair
What an AICD-grade buyer reads on a vendor's /security/ page
Board-grade procurement scans every vendor /security/ page through a four-axis matrix. We publish each axis explicitly so you don't have to chase email.
1. The four-axis trust matrix
A board director, a company secretary, or any AICD graduate doing their job will not skim a vendor security page for slogans. They run it through four axes. The page either survives the four-axis read or it ends up in the rejected-vendor folder before the second cup of tea on a Monday.
The four axes are:
- Named controls. Not “we take security seriously.” Specific, numbered control statements that map back to a recognisable framework — SOC 2 Trust Services Criteria, ISO 27001 Annex A, NIST CSF, or the Australian Government Information Security Manual.
- Dated readiness statements. A claim of “SOC 2 Type II ready” without an audit-window date and an audit firm is a weasel. AICD directors learn this in their first GAICD residential. They look for “Q4 2027” or “auditor: a named firm” — actual commitments.
- DPA + subprocessor list available before signup. Not “DPA on request once we’ve sent you a deposit invoice.” Public link, public PDF, public list — readable by procurement, legal, and the prospective customer’s own privacy officer the same hour they shortlisted your vendor.
- Refund and cancellation discipline. A bounded, written refund policy with delivery-state branches is a trust signal. An “all refunds at our sole discretion” line is a vendor reputation tell: they have had refund disputes and the policy is written to win them, not to publish them.
The rest of this post walks each axis and lays out exactly what we publish on the TTPA security page so the four-axis read takes a buyer roughly seven minutes — not a four-week procurement loop.
2. Named controls beat slogans
The single most consistent signal that a vendor is unsuitable for a governance-grade engagement is the absence of named controls on the public security page. Vendors who are confident in their controls publish them. Vendors who are not publish a “We take security seriously” hero with three icon tiles.
The TTPA published-controls list is C1 through C13, named in the same sequence on every public artefact (the security page, the DPA Annex II, the procurement-FAQ packet, and the audit pack). The naming sequence is intentional: a buyer can quote control C7 in an email to their privacy officer, and the privacy officer can find C7 in the public DPA Annex without a phone call.
Each control names:
- The mechanism. “C4 — All production data processing runs in managed edge infrastructure (Workers, KV, R2) bounded by contractual EU/UK/AU/HK regions selectable per customer.”
- The owner. Toptronic Ltd Operations team for C1-C8; Toptronic Ltd Engineering for C9-C13.
- The change-control surface. “C11 — Subprocessor changes are notified 30 calendar days before activation; customers retain a one-business-day veto.”
Mechanism + owner + change-control is the tripod a procurement officer needs to take the vendor forward to legal review. Two of the three is not enough; one of the three is a slogan.
A side observation worth airing: SOC 2 Type II is not a magic talisman. A SOC 2 Type II report covers a defined audit period, a defined set of controls, and a defined service. A vendor with a SOC 2 report from 2024 covering a different product line is offering governance theatre, not governance evidence. Read the audit-window dates and the in-scope service description — not just the badge.
3. Why “SOC 2 ready” without dates is a weasel
The phrase “SOC 2 ready” is the procurement equivalent of a startup’s “working towards profitability.” It is technically not false. It is also not informative. A vendor with serious intent publishes:
- The target audit window — a quarter, not a year.
- The audit firm name — or a statement that the firm has not yet been selected.
- The Type chosen — Type I (point-in-time) versus Type II (operating effectiveness over the audit period).
- A clearly-stated milestone gate — “we will not enrol customers above $X annual contract value until Type II is signed” or “we will publish gap-analysis remediation status quarterly until close”.
We publish ours: TTPA’s stated target is a SOC 2 Type I milestone in Q4 2027 and a SOC 2 Type II close in Q4 2028, with the audit firm to be selected during Q3 2027 following a three-firm RFI. Until then, the security page carries a 7-row Trust Services Criteria self-mapping showing which controls are in place today and which are planned for the audit-window scope.
A board director reading the page can make a decision today: “this vendor is not SOC 2 today, but they have a credible plan, they publish the milestones, and they will accept a contractual right to audit pre-SOC-2.” That is enough to greenlight a procurement loop. Compare to a “SOC 2 ready” vendor with no dates: that decision can’t be made without a phone call, and the phone call usually surfaces that the dates don’t exist.
4. The DPA-after-signup trap
The most common procurement-time tactic that AICD-grade buyers have learned to spot — and reject — is the DPA-after-signup pattern. Vendor sales teams know that a real DPA review takes their target buyer’s privacy officer one to three weeks. So the vendor’s deal-desk strategy is to delay the DPA review until after a deposit has been paid, the kickoff call is booked, and the buyer’s procurement clock is psychologically committed.
The behaviour looks like:
- Vendor publishes a generic “we have a DPA” statement on the security page; no document link.
- Deposit invoice and kickoff call are scheduled for week 1.
- DPA arrives on the buyer’s desk in week 2.
- Privacy officer’s review surfaces unacceptable clauses (no incident notification timeline, no audit right, no data-region binding). Three weeks of review correspondence follow.
- By the time the buyer’s privacy officer recommends rejection, the buyer has invested 4-6 weeks of internal time. The vendor’s deal-desk knows the buyer will accept compromised terms rather than restart the procurement loop.
The defence is simple and structural: the vendor publishes the DPA publicly, before the deposit. The TTPA DPA is one click from the security page — at /legal/dpa/. It is a downloadable PDF; it is the same document we will counter-sign at the procurement gate; it carries the SCCs Module 2 attached by default for EU processing; it carries the UK Addendum and the Australian APP-aligned overlay. Privacy officers and company secretaries can review it in week 0 — before any commercial commitment is made.
5. Subprocessor-list hygiene
The subprocessor list is the second most-rejected vendor artefact in AICD-grade procurement. Boards have grown wary of the “we use industry-leading partners” line. They have also seen the alternative — a published, dated, named subprocessor list — and know that the overhead of publishing one is a strong signal of operational maturity.
The TTPA published list at /legal/subprocessors/ names exactly five subprocessors at v1: Airwallex (payments), Stripe (payments), Google Workspace (TTPA-internal email + calendar), LastPass (TTPA-internal credential vault), and Plausible (cookie-free aggregate analytics). Each row carries:
- The subprocessor’s legal name and registered jurisdiction.
- The data category the subprocessor receives.
- The data-processing region binding.
- The legal basis (contractual + SCCs Module 2 where relevant).
When we add or remove a subprocessor, the change is announced 30 calendar days before activation; customers retain a written, dated, one-business-day veto window. The veto window is a meaningful contractual surface: a customer can terminate without penalty if a new subprocessor is added that the customer’s internal compliance posture rejects.
That mechanism — 30-day notice + 1-business-day veto + termination without penalty — is what separates a serious B2B subprocessor discipline from a “trust us, we will let you know” posture. Buyers read for it.
6. What we publish on /security/
The TTPA security page at v1 ships:
- C1 through C13 — 13 named controls covering data residency, encryption in transit and at rest, access management, audit logging, change management, incident response, business continuity, vendor management, secure SDLC, vulnerability management, customer data segregation, secure deletion, and personnel security.
- The 7-row Trust Services Criteria self-mapping — what each TSC category looks like today, and what the audit-window-scope target looks like for Q4 2028 close.
- Public DPA + Subprocessors links — both readable in week 0 of a buyer’s procurement loop, both downloadable as PDF.
- The dated SOC 2 milestone statements — Type I Q4 2027, Type II Q4 2028, audit firm to be RFI’d in Q3 2027.
- The incident-response posture — SEV-1 to SEV-4 templates, status page binding, and a stated time-to-acknowledge for affected customers.
- A Refund Policy link — bounded, dated, delivery-state-aware, and reproduced in plain English on the refund policy page.
- A 30-day subprocessor notice + 1-business-day veto clause — named, contractual, and reproduced in the DPA Annex III.
We publish this matrix because the procurement decision shouldn’t be gated on a sales call. AICD-grade buyers make decisions on artefacts they can read. Our job is to make the artefacts good enough that the seven-minute four-axis read returns a yes.
If you have read this post, the next step is the security page itself. If your privacy officer or company secretary needs the DPA before the booking call, the DPA is a click away. The sales call is for the conversation that begins after the four axes have already passed.
Author: Toptronic Ltd. Last reviewed 2026-06-01.