How should Cloud Security Statement look?

Hi everyone,

we are developing an add-on with atlassian connect for Confluence Cloud and we will be releasing it soon. In the App approval guidelines there is a mention about the obligation to publish the Cloud Security Statement with the example from Atlassian. We tried to find more examples from existing apps but found none. There is only information whether particular vendor participates or not in Self-assessment Program with link to the requirements with deadline on 28th February 2020.

Please could anyone help us answering these questions?

1. What should Cloud Security Statement consist of?
2. Where can we find another example of the Cloud Security Statement from a real vendor?
3. Does participation in Self-assessment program replace the need for Cloud Security Statement publishing?
4. Is the deadline for participating in the program final?
5. Should we also update our Privacy Policy statement related with our first cloud app release?

Thank you for any help!