Why you need a “Transparency Pack” now
If you sell B2B SaaS or cloud services, you’ve likely seen longer DPAs, deeper questionnaires, direct questions about AI use and cross-border processing, and requests for proof of deletion and retention controls.
Teams often respond by sending too much
- internal architecture diagrams
- security screenshots with sensitive details
- raw vendor contracts
- incident documentation that should never leave your org
Share what buyers need while protecting internal security details.
What ISO 27018 is pushing (plain English)
ISO 27018 is guidance for cloud privacy controls when you process PII as a service provider.
A major theme is transparency being clear about what PII you process, why, where it’s processed, who can access it, how long it’s retained, and how it’s deleted.
You don’t need to disclose every internal control to be transparent.
Disclose what affects customer privacy risk and compliance decisions.
The goal: answer 80% of privacy questionnaires with one pack
A strong Transparency Pack reduces one-off explanations, standardizes your privacy story across sales, legal, and security, shortens procurement cycles, and prevents inconsistent answers.
The ISO 27018 Transparency Pack (what to include)
Think of this as 6–10 short artifacts (mostly 1–2 pages each). Share them under NDA or in a gated trust center.
1) PII Processing Summary (one-page overview)
Include
- plain-language service description
- roles (customer as controller; you as processor, if applicable)
- high-level PII categories (not every field)
- processing purposes (service delivery, support, security, billing)
Avoid
Database tables, internal hostnames, deep architecture.
2) Data Location & Cross-Border Processing Statement
Include
- hosting regions (what’s true)
- whether support/operations may access from other regions
- how cross-border risk is managed (contractual safeguards, vendor controls)
Avoid
“Data never leaves Canada” unless you can guarantee it contractually.
3) Access & Confidentiality Controls Summary (human access)
Include
- high-level RBAC model
- MFA for privileged access (if true)
- approvals for elevated access (if used)
- logging of privileged actions (if true)
- confidentiality obligations for staff/contractors
Avoid
Admin account lists or screenshots showing sensitive configurations.
4) Retention Schedule (buyers love this)
Include
- retention periods by category (account data, content, logs, support)
- deletion timelines after termination/request
- backup retention disclosure (data may remain until backups expire)
- legal hold/contract exceptions (brief)
Avoid
“We retain as long as necessary” with no periods.
5) Deletion & Proof-of-Deletion Overview
Include
- workflow: request → validation → execution → verification → confirmation
- systems in scope for deletion
- what “proof” looks like (ticket/certificate/job log reference)
- backup reality disclosure
Avoid
Raw outputs containing PII or internal logs that reveal infrastructure.
6) Subprocessor List + Change Notification Policy
Include
- list (name + purpose; region if appropriate)
- how you assess subprocessors (high level)
- customer notification timeframe for material changes
- practical objection handling process
Avoid
Full vendor contracts; list only vendors that touch customer data.
7) Incident Notification & Cooperation Statement (privacy-focused)
Include
- notification approach (SLA if you can support it)
- what you provide (scope, mitigation, next steps)
- how updates are communicated
- customer cooperation expectations
Avoid
Full internal incident playbooks and detection content.
8) AI / Analytics Use Disclosure (modern deal blocker)
Include
- clear AI training statement (yes/no + conditions)
- what telemetry is collected
- whether PII is used for product improvement (and safeguards)
- opt-out options (if available)
Avoid
Ambiguous “may use data to improve services” without boundaries.
9) Customer Responsibilities (shared responsibility clarity)
Include
- customer account security (MFA/SSO, admin role management)
- safe configuration options you provide
- acceptable use boundaries (no prohibited data beyond agreed scope)
Avoid
Shifting responsibility in a way that contradicts your product claims.
Keep it balanced and factual.
What not to include (oversharing mistakes that backfire)
Transparency is about privacy and processing risk not giving attackers a map.
Keep these out of the pack unless under strict NDA and explicit request:
- raw security architecture diagrams with internal IP ranges
- admin portal screenshots showing sensitive configurations
- SIEM rules, detection logic, incident forensics
- unredacted contracts/pricing or legal strategy notes
- internal Teams/Slack screenshots
- detailed vulnerability reports
How to package it for fast buyer approvals (the “Trust Center” approach)
Most teams win faster by offering two tiers of information. It keeps deals moving without oversharing.
Tier 1 (public or lightly gated)
- PII Processing Summary
- Subprocessor list
- Data location statement (high level)
- Retention & deletion overview (high level)
- AI use disclosure (clear and short)
Tier 2 (under NDA)
- SOC 2/ISO reports (if applicable)
- deeper retention schedules
- redacted deletion certificate examples
- sanitized incident notification procedures
Want a pack your sales team can send without asking security first?
We’ll help you turn repeat privacy questions into controlled, versioned disclosures that buyers can approve quickly without exposing internal details.
Copy/paste: Transparency Pack table of contents (use on your website)
ISO 27018 Transparency Pack
1. PII Processing Summary
2. Data Location & Cross-Border Processing
3. Access & Confidentiality Controls (High Level)
4. Retention Schedule Summary
5. Deletion & Proof-of-Deletion Overview
6. Subprocessor List + Change Notification Policy
7. Incident Notification & Cooperation
8. AI / Analytics Use Disclosure
9. Customer Responsibilities
Download the ISO 27018 Transparency Pack Template
Want the editable template? Download our ISO 27018 Transparency Pack Template with buyer-ready language and safe disclosure structure.
Template includes:
- one-page PII processing summary
- data location + cross-border statement
- retention schedule table format
- deletion workflow + certificate template
- subprocessor list format + change notification wording
- AI use disclosure language
Follow Canadian Cyber
Practical cybersecurity + compliance guidance:
