Section 1: Company & Compliance
- Legal entity name and jurisdiction of incorporation
- Full list of subsidiaries or affiliates that may access our data
- Do you hold SOC 2 Type II? If yes, under which Trust Services Criteria and for what period? Attach current report
- Do you hold ISO 27001:2022? Attach certificate and Statement of Applicability
- Any industry-specific certifications (HITRUST, PCI DSS, FedRAMP, C5, IRAP)?
- When was your most recent penetration test? Can you share an executive summary?
- Describe your compliance program and dedicated security personnel
Section 2: Data Handling
- What categories of our data will you access, store, process, or transmit?
- Where geographically will our data be stored and processed?
- Which subprocessors access our data? Full list with data categories and geographies
- Data retention period for each data category
- Data deletion process and timeframe after contract termination
- Is data segregated per tenant? If shared, what controls prevent cross-tenant access?
- Is data replicated across regions? Which regions?
Section 3: Encryption
- Is data encrypted at rest? What algorithm? What key management?
- Is data encrypted in transit? TLS version and cipher suites?
- Is customer-managed keys (CMK/BYOK) an option?
- Key rotation policy and cadence
- HSM usage and FIPS 140-2 validation
Section 4: Access Control
- Is SSO required for all internal users? Which IdPs supported?
- Is MFA required for all privileged access?
- What authentication standards (FIDO2, TOTP, SAML, OIDC)?
- Are access reviews performed? How often?
- Privileged access management (PAM) solution in use?
- How are service accounts managed and monitored?
- Time-bounded or just-in-time privileged access?
Section 5: Network Security
- Network segmentation between environments (dev/stage/prod)
- Firewall and WAF in place? Vendors?
- DDoS protection approach and provider
- Zero Trust architecture in place for internal access?
- VPN-free or VPN-based remote access for employees?
Section 6: Application Security
- Secure SDLC practices. Describe the process
- Static application security testing (SAST) tools used
- Dynamic application security testing (DAST) frequency
- Software composition analysis (SCA) for dependencies
- Dependency update cadence and vulnerability SLAs
- Code review requirements before production deployment
- Secrets management tool and practices
Section 7: Logging and Monitoring
- Centralized logging solution
- Log retention periods for security-relevant events
- SIEM or equivalent for security event correlation
- 24x7 SOC coverage or on-call rotation
- Customer access to audit logs (via API or portal)
- Anomaly detection for authenticated user behavior
Section 8: Vulnerability Management
- Vulnerability scanning frequency (internal, external)
- Remediation SLAs by severity (critical, high, medium, low)
- Annual penetration testing scope and findings history
- Bug bounty program?
- Process for handling third-party disclosed vulnerabilities
Section 9: Incident Response
- Incident response plan documented? Tested in the last 12 months?
- Customer notification timeline for security incidents (hours, not days)
- Dedicated security incident communication channel
- Forensic capability. Internal or third party?
- Incident history in the last 24 months (redacted details acceptable)
Section 10: Business Continuity and Disaster Recovery
- RTO and RPO commitments
- BCP and DR plans documented? Tested in the last 12 months?
- Backup approach, encryption, and offline/immutable storage
- Regional failover capability
- Uptime SLA commitment
Section 11: Personnel
- Background checks required for personnel with access to customer data
- Security awareness training frequency (required, not just available)
- Phishing simulations and results
- Termination process and access revocation SLA
- Contractors and offshore personnel. How are they controlled?
Section 12: Physical Security
- Data center locations and certifications (SOC 2, ISO 27001, Tier III/IV)
- Office physical security controls
- Remote work security policies (workstation encryption, MDM)
Section 13: Contractual and Legal
- Will you sign a Business Associate Agreement (for healthcare)?
- Will you sign a Data Processing Agreement with SCCs (for GDPR)?
- Right to audit clause in contract?
- Breach notification SLA in contract (hours specified)?
- Cyber insurance coverage amount and carrier
- Subprocessor change notification commitment
Red flag answers
When evaluating responses, these answers are concerning enough to justify follow-up or disqualification:
- "We are SOC 2 ready" (not certified)
- "We plan to have MFA deployed by end of year" (not deployed now)
- "Our penetration test was two years ago" (not annual)
- "We do not provide notification of subprocessor changes"
- "Customer data is shared across all tenants in a single database"
- "We encrypt data but customer-managed keys are not an option" (for high-sensitivity use cases)
- "We cannot share our penetration test executive summary"