Security questionnaire response template — SIG-Lite / VSAQ baseline
Pre-filled answers for the canonical 50-question SIG-Lite + VSAQ security questionnaires. Customize per buyer; never send the raw template — every prospect's questionnaire has tweaks.
How to use
Pre-fill before sending; reply selectively per buyer; track via {{COMPLIANCE_PLATFORM}}.
Template (markdown)
Copy-paste and replace the {{PLACEHOLDERS}}.

# Security Questionnaire Response — {{COMPANY}}
**Last updated:** {{DATE}} · **Contact:** security@{{DOMAIN}}
## A. Organisational
1. **Which security frameworks are you certified or attested against (SOC 2 / ISO 27001 / FedRAMP)?**
{{COMPANY}} is SOC 2 Type 2 attested by {{AUDITOR}}; report dated {{AUDIT_DATE}}. Evidence available under NDA.
2. **Do you have a formal information security program?**
Yes — see attached Information Security Policy + 7 supporting policies (SOC 2 policy bundle).
3. **Do you have a designated security officer?**
Yes — {{NAME}}, {{ROLE}}, contact {{EMAIL}}.
## B. Personnel
4. **Do all employees undergo background checks?**
Yes — pre-employment background checks via {{CHECKR_OR_EQUIVALENT}}.
5. **Is security awareness training mandatory?**
Yes — annual mandatory training; tracked in {{COMPLIANCE_PLATFORM}}.
## C. Access control
6. **Is MFA enforced on all employee accounts?**
Yes — SSO + MFA on every SaaS account; hardware keys for admin accounts.
7. **How often are access reviews performed?**
Quarterly; documented in {{COMPLIANCE_PLATFORM}}.
8. **What is your offboarding SLA?**
Within 4h of departure.
## D. Application security
9. **Do you scan code for vulnerabilities?**
Yes — Securie scans every PR; sandbox-verified findings only (zero false positives by construction). Static-rules pre-filter + 22 LLM specialists + Firecracker microVM verification.
10. **Do you have a secure SDLC?**
Yes — every change flows through a GitHub PR requiring at least one approver who is not the author, plus Securie security review and the Vercel deploy gate.
11. **Do you use AI coding tools? How do you secure their output?**
Yes — Cursor / Claude Code / GitHub Copilot are used. Securie's AuthAuthz + Supabase RLS + secret_scanner specialists run on every PR regardless of code authorship (human or AI).
## E. Data protection
12. **Is data encrypted at rest?** Yes — AES-256 (cloud-provider default).
13. **Is data encrypted in transit?** Yes — TLS 1.3 minimum.
14. **Where is customer data stored?** {{CLOUD_REGIONS}} — see DPA Schedule 2 for sub-processor regions.
15. **How long do you retain customer data?** Per /legal/privacy section 5; default 12 months for logs, 90 days for backups.
## F. Incident response
16. **Do you have an IR plan?** Yes — see attached Incident Response Policy.
17. **What's your breach notification SLA?** Within 72h of confirmed breach (GDPR Article 33).
18. **Do you have cyber-insurance?** Yes — {{CARRIER}}, USD {{LIMIT}} aggregate.
## G. Continuity
19. **Do you have a DR plan?** Yes — RTO 4h, RPO 1h; quarterly restore drill.
20. **Are backups tested?** Yes — quarterly restore drill documented in {{COMPLIANCE_PLATFORM}}.
## H. Sub-processors
21. **List your sub-processors.** See /sub-processors page (committed to git, change-controlled).
## I. AI / ML
22. **Do you use AI/ML in your product?** Yes — see /legal/model-card and /ai-bill-of-materials.
23. **Is your AI system high-risk under the EU AI Act?** {{YES_OR_NO}} — see Annex III self-classification at {{ARTIFACT_PATH}}.
24. **Do you publish an AIBOM?** Yes — CycloneDX 1.6 emitted on every release; signed via DSSE.
## J. Compliance
25. **GDPR compliant?** Yes — see /legal/privacy + DPA.
26. **CCPA compliant?** Yes.
27. **HIPAA BAA available?** {{YES_NO_OR_NOT_APPLICABLE}}.
[The remaining 23 questions follow the same shape; customize against the buyer's actual questionnaire.]