# Example SaaS AI security questionnaire starter bundle

This illustrative bundle shows the public shape of the NoticeKit AI answer workflow before you build your own local draft or buy the paid Starter kit.

## Copy-ready answer block

**AI vendors used:** OpenAI is the primary model provider for a support-drafting workflow used by support agents. Supporting vendors in the workflow include Vercel for application hosting, Supabase for database storage, PostHog for product analytics, and Zendesk for support operations.

**Workflow reviewed:** The workflow helps support agents draft suggested replies before a human sends the final message. The current change under review is a planned rollout for enterprise and EU customer support queues.

**Data categories involved:** Support ticket text, account identifiers, and agent prompts may flow through the workflow. File attachments stay out of the first release until the review closes the open attachment-scope question.

**Retention and training stance:** The current operating position is that customer content sent through this workflow is processed under the vendor's business offering and is not used to train public models. The source of truth for this position is the vendor terms link plus internal review notes saved in the packet.

**Customer scope:** The initial release scope is enterprise and EU customers using the support workflow, with extra review for customers on signed DPAs or custom notice language.

**Notice or escalation impact:** The team is confirming whether the workflow changes the public subprocessor page and whether a customer notice or counsel handoff is required before activation. Procurement can review the answer now, but final rollout still depends on that notice decision.

**Proof links:** Public subprocessor page URL, draft internal review packet, vendor terms link, screenshot of the workflow, tracker row, reply owner notes, and the two open review questions on notice timing and attachment scope.

## Common buyer-question pack

- Which vendors are in the workflow? Name the primary model provider and the supporting vendors tied to that exact workflow, not the whole product.
- Is customer data used for model training? State the current operating stance and point to the vendor terms plus internal proof notes behind it.
- Which customers are in scope? Call out the release segment and any DPA or custom-contract review branch explicitly.
- What is still unresolved? Show the live open questions, owner, and next decision instead of hiding the blocker in email.

## Proof checklist

- Vendor terms link saved and reviewed for the current business offering
- Public subprocessor or trust page linked if the workflow is already reflected there
- Owner named for the workflow, answer, and approval path
- Last-reviewed date recorded for the current stance
- Open notice or contract questions recorded instead of implied
- Screenshot, packet draft, or tracker row attached for the next reviewer

## Internal handoff brief

- Reply owner: Privacy ops lead with counsel review
- Decision needed next: Confirm whether the current answer is sufficient for buyer review or whether the workflow needs packet expansion, subprocessor-page updates, or counsel review before rollout.
- Approval path: Privacy ops drafts the response, the product owner confirms the workflow boundaries, and counsel reviews any contract or notice implications before the final answer is reused broadly.
- Open questions: Confirm whether signed enterprise agreements add notice obligations before activation and whether support attachments are in scope for the first release.
- Recheck trigger: Recheck before each enterprise review, after any vendor or workflow change, and whenever contract or retention assumptions change.

## Reviewer workspace export

- Workflow: Customer support drafting assistant for support agents
- Primary vendor: OpenAI
- Supporting vendors: Vercel, Supabase, PostHog, Zendesk
- Customer scope: Enterprise and EU support queues, with DPA review branch
- Proof links: Vendor terms, packet draft, public page URL, workflow screenshot, tracker row
- Next reviewer: Counsel after privacy ops and product-owner confirmation

## Reusable answer-bank draft

- Prompt family: AI vendors used in one support workflow
- Approved core answer: Keep the same named-vendor, scope, stance, and proof pattern as the primary answer block, then trim or expand it by buyer depth.
- Variant notes: Add the DPA branch for enterprise customers, the attachment-scope caveat for security review, and the notice-impact note when counsel asks about rollout gating.
- Proof owner: Privacy ops lead
