How to answer security questionnaire questions — without SOC 2
One guide per canonical questionnaire question, written for small SaaS vendors with no certifications. Each shows the honest answer pattern reviewers accept: name your real stack, state what's in place, and mark what isn't as a roadmap item instead of papering over it.
Certifications & compliance
Data protection & privacy
- Is customer data encrypted at rest?
- Is data encrypted in transit?
- Which subprocessors process or have access to customer data?
- How can customers get their data deleted, and what are your retention periods?
- Are you GDPR-ready? How do you handle data-subject requests?
- How are encryption keys managed?
- How do you assess the security of your own vendors?
- Do you classify data, and how is customer data segregated?
- Do you have a published privacy policy?
- Can we export our data if we leave?
- How is your API secured?
- How is our data isolated from other customers'?
Access, identity & devices
- How do you control access to production systems and customer data?
- Is multi-factor authentication enforced for staff?
- Do you support single sign-on (SSO)?
- How are employee devices secured?
- What is your password policy?
- Do you enforce least-privilege access?
- What is your process when an employee leaves?
- Which of your staff can see our data, and when would they?
- What security controls apply to remote work?
Infrastructure, hosting & continuity
- How are backups handled, and what is your disaster-recovery posture?
- Where is customer data stored, and can we choose the region?
- Do you have a business-continuity plan?
- What network-security controls do you have in place?
- How is physical security handled for systems holding customer data?
- What uptime do you commit to? Is there an SLA?
- Do you publish a status page or incident history?
Operations, incidents & development
- Do you have an incident-response process?
- How do you manage software vulnerabilities and dependency updates?
- Do you maintain audit logs, and how long are they retained?
- Have you had a third-party penetration test?
- What is your change-management process?
- Do you follow a secure software development lifecycle?
- How do you manage secrets and credentials?
- Have you experienced a data breach or security incident?
- How quickly will you notify us of a breach affecting our data?
- Do employees receive security-awareness training?
- What monitoring and alerting do you have in production?
Company & contact
Need the whole pack, not one answer?
Trustpack turns your own attested answers into three security policies, a copy-paste answer bank covering these topics, and a live public trust page. Flat $49 — vendor-attested, never claiming certification.