Regarding your list on Reddit:
How do we want to verify answers of companies (if they reply at all)?
> Do you share data – even “fuzzed” or “anonymized” data – with any of the owners/shareholders or any other company or organization server?
If this is shared in secret, we can’t verify the answer of the company. We have to hope that the answer is true.
> Which components of your service are not open source?

Even if the company provides source code, there is no guarantee that they are actually using it on their servers.
> How is data secured (in transit and at rest)?
We could only verify that there is HTTPS/TLS in place. However, it is really hard to check transport encryption in internal networks of companies. It is even harder to see if there is protection for data at rest or data in use.
> What customer data is collected, how often, and in what level of identification?
They could claim that they process only some data while actually processing everything they get.
Then, some questions seem to be overly broad.
> Have you changed how information is processed and shared in the last year?

Which answer is expected here? A simple “Yes” or “No” is already an answer, but do we learn something new in this case?
> Please share a diagram showing how information flows when a user interacts with your service.
This could be a very big diagram depending on services offered by a company, so it is unlikely to get any diagram (or a comprehensive one).
> Have you had any independent audits in the last three years? Please share the dates of those audits and audit reports.
What kind of audit? A penetration test of the internal infrastructure? A scan of public IP address ranges? A code review of an app? A review of internal business processes? A check of fire safety equipment?
> If you require sign-up or account creation, do consumers have easy access to tools to delete their data? Can they delete everything on the servers or just the local cache?
Depending on local laws in effect, companies must store some data even if a consumer wants everything deleted. For instance, data about financial transactions must be stored for 10 years in some countries.
A warrant canary is a very weak form of assurance that something didn’t happen so far. If authorities seize servers, they could simply update warrant canaries if there is no cryptographic proof. However, they could also seize private keys used to sign canaries. Moreover, some organizations failed to update their canary (see https://www.zdnet.com/article/encrypted-email-provider-riseup-misses-warrant-canary-deadline/). This contributes to distrust.
We work for international companies and created several checklists to address different topics. The experience here is that you almost never get what you expected, and oftentimes you have to wait for months to get a reply—even in a B2B environment.
Finally, companies could simply change something covered by such checklists after filling it out. Then, a “seal of approval” could lead to false assumptions.