Commercial pack index

Use this map before asking for artefacts. Anything signed (MSA/DPA/order form) overrides marketing prose.

Already public (no gate)

• Full SLA · executive summary
• Privacy policy · subprocessors · review cadence
• Terms · Refunds · Abuse
• SOC-style questionnaire stubs — not a SOC 2 attestation unless separately negotiated.
• Vendor pack (PDF)

Typically under bilateral NDA / bespoke order

• Detailed processor entity matrix keyed to questionnaires
• Summaries of penetration tests or tabletop exercises — redacted scopes and dates vary by contract confidentiality
• Custom DPA annexes referencing your DPIA numbering

Route requests with subject prefix [procurement] to [email protected]. Attach your NDA template if mandated.

Not included in retail carts by default

• Dedicated infra-only POP without shared tenancy — requires separate commercial discussion
• Bug bounty payouts — coordinated disclosure welcomes reports; bounty programmes are discretionary when published separately
• ISO/SOC attestations cited as factual only when an engagement completes and contractual exhibits exist