Commercial procurement artifacts¶

This page lists the security/privacy artifacts commonly requested during commercial procurement.

Document controls¶

Use this list to track what is already public in docs versus what is provided only during commercial contracting.

Status values:

Published: available in the public docs
Published (self-serve plans): published defaults for Commercial Evaluation, Starter, and Growth
Order form: captured only in signed commercial paperwork (Enterprise/custom overrides)

Artifact	Purpose	Status	Canonical location
Security posture overview	Data handling, auth hardening, baseline controls	Published	Security, privacy, compliance
Security posture snapshot	One-page dated summary for questionnaires	Published	Security posture snapshot
Vulnerability disclosure process	Responsible disclosure and contact path	Published	Security policy
Production hardening checklist	Pre-production control checklist	Published	Production readiness checklist
Known limitations/non-goals	Boundaries and operational caveats	Published	Known limitations
Support/escalation model	Incident response expectations by plan	Published	Support
DPA/SCC/privacy annexes	Contractual privacy and transfer terms	Published (self-serve plans)	DPA and SCC terms
Subprocessor/distribution details	Supply-chain and hosting disclosure package	Published (self-serve plans)	Subprocessors and distribution details
SLA schedule (if purchased)	Standard response targets and severity mapping	Published (self-serve plans)	SLA and support schedule
Liability cap and legal riders	Negotiated legal/commercial clauses	Order form	Commercial license + Order form

Link public artifacts from this page in the procurement thread.
Use published self-serve defaults unless Enterprise customization is required.
Record any negotiated Enterprise/custom terms in the Order Form special terms section.