Public Trust Center at /trust
One page for every security-due-diligence question: compliance certifications, encryption practices, subprocessor list, incident response, and vulnerability disclosure.
Procurement teams used to chase down our security answers via long email threads. Now everything lives at /trust — compliance status (HIPAA active, SOC 2 Type II in audit, HITRUST + ISO 27001 roadmapped), six encryption practices (TLS 1.3, AES-256 at rest, field-level PHI encryption in flight, audit-log immutability with S3 Object Lock), seven subprocessors with BAA status and data-category breakdowns, incident-response timelines, and a public vulnerability-disclosure policy.
Editorial principle: be honest about what's active vs in-progress vs roadmapped. Vague claims hurt more than they help when the audience is an IT-security team comparing your trust page against competitors.
Also shipped a /.well-known/security.txt (RFC 9116) so security researchers can find our disclosure address through standard tooling.
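A checker for the security.txt format mentioned above, written here as an added example (it is not code from the trust page or its team): it parses the RFC 9116 field syntax and flags the defects that make the file useless to standard tooling, such as a missing Contact or Expires field, a duplicated Expires, or an Expires timestamp that has already passed. The sample file contents and the example.com URIs are constructed placeholders; `now` is an ISO 8601 timestamp with a UTC offset, defaulting to the current time.

```python
from datetime import datetime, timedelta, timezone

GOOD_SAMPLE = """# constructed sample security.txt; all URIs are placeholders
Contact: mailto:security@example.com
Contact: https://example.com/trust
Expires: 2030-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""
SINGLETON_FIELDS = ("expires", "preferred-languages")  # RFC 9116: MUST NOT appear more than once


def parse_security_txt(text):
    """Map lowercase field names to their values; returns (fields, lines that are neither field nor comment)."""
    fields, bad_lines = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            bad_lines.append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, bad_lines


def check_security_txt(text, now=None):
    """Return a list of findings (empty means the file passes). `now` is an ISO 8601 string with offset; default is the current UTC time."""
    now = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    fields, bad_lines = parse_security_txt(text)
    findings = [f"unparseable line: {l}" for l in bad_lines]
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    findings += [f"Contact is not a mailto/https/tel URI: {c}"
                 for c in contacts if not c.startswith(("mailto:", "https://", "tel:"))]
    findings += [f"{f} appears more than once" for f in SINGLETON_FIELDS if len(fields.get(f, [])) > 1]
    expires = fields.get("expires", [])
    if not expires:
        return findings + ["missing required Expires field"]
    try:
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return findings + [f"Expires is not an ISO 8601 timestamp: {expires[0]}"]
    if exp.tzinfo is None:
        return findings + ["Expires lacks a timezone offset (RFC 9116 requires an RFC 3339 timestamp)"]
    if exp <= now:
        findings.append("Expires is in the past; tooling may treat the file as stale")
    elif exp > now + timedelta(days=365):
        findings.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return findings
```

Running it against the file served at /.well-known/security.txt before each refresh of the Expires date catches the stale-file case that researchers hit most often.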