Strike a balance when answering customer security questions

We have a free B2B Saas offering - we are young company and still getting established and we get asked questions on a daily basis about security. The questions we get asked almost daily are things like:

• How secure is our data? (Love getting this one as it always then spawns 50 additional questions when replied to...)
• Where is our data stored?
• Does our data ever leave the country?
• How do you back it up?
• How do you ensure Client A cannot access Client B's data?
• How do you ensure users cannot access admin functions etc?
• How do you control and monitor access to the servers?
• How do you control and monitor access to database?
• Do you use encryption? If so, what data is encrypted and using what methods?
• How are passwords and other sensitive information stored?
• How often do you update operating system, applications, databases etc?

Some clients really want to go to extreme depths (which is understandable I guess) and we would love to create a security document answering all these questions and more (or add to our FAQ maybe) as it would free up a lot of email and ticket time but how do we strike a balance between reassuring customers that we take security of their data very seriously whilst not compromising the security of the application by telling people how we have built and secured our application and infrastructure? How have others in B2B addressed this?