Security measures you can truthfully describe in a privacy policy
Short answer: Only promise security practices you actually implement. Generic “bank-grade encryption” language backfires once a complaint or audit tests the claim.
Accurate, modest descriptions outperform marketing fluff.
Examples of truthful statements
- TLS in transit for web traffic, if enforced sitewide.
- Access controls and MFA for admin accounts, if true.
- Backups and monitoring, described at the level you actually maintain.
Avoid overclaiming
Do not state “zero risk” or “fully secure”; no system is. Prefer wording such as “we take reasonable steps appropriate to the data”.
Pair policy with operations
When you improve security, update the policy in the same sprint so marketing and reality match.
Frequently asked questions
Should we name our antivirus?
Usually unnecessary. Describe the category (for example, malware scanning on servers) rather than the product, unless a specific requirement obliges you to name it.
What if we use a managed host?
Clarify the shared responsibility: the host patches the kernel; you remain responsible for the CMS itself, its user accounts and any weak passwords.