
April 8, 2026

What Is a Vendor Security Questionnaire? Everything B2B SaaS Teams Need to Know

What vendor security questionnaires are, why enterprise buyers send them, common formats (SIG, CAIQ, custom), and how B2B SaaS vendors should respond.

what is a security questionnaire, vendor security questionnaire definition, SIG questionnaire, CAIQ, vendor risk assessment, B2B SaaS security

If you sell software to mid-market or enterprise buyers, you have probably received a spreadsheet with hundreds of questions about your security practices. That is a vendor security questionnaire — and understanding what it is and why buyers send it makes the whole process less frustrating.

What is a vendor security questionnaire?

A vendor security questionnaire (VSQ) is a structured document sent by a buyer to a vendor asking about the vendor's security controls, compliance certifications, data handling practices, and risk posture. Buyers use them to assess whether a vendor is safe to work with before signing a contract or sharing sensitive data.

They go by many names:

  • Vendor security questionnaire (VSQ)
  • Third-party risk assessment (TPRA)
  • Due diligence questionnaire (DDQ)
  • Vendor risk assessment (VRA)
  • Security review questionnaire

Why do enterprise buyers send them?

Enterprise buyers are required by their own auditors, regulators, or board-level policies to assess the security posture of every vendor they share data with. The requirement comes from the frameworks they are themselves held to: SOC 2 (CC9.2, vendor and business partner risk), ISO 27001 (the supplier relationship controls in Annex A), HIPAA (business associate agreements with any vendor handling PHI), and GDPR (Article 28, which lets a controller use only processors that provide sufficient guarantees). In each case the buyer has to show evidence that its vendors are not introducing unacceptable risk, and the questionnaire is that evidence.

If your product touches customer data, employee data, financial records, or healthcare information — your buyers will likely send you one.

Common questionnaire formats

SIG (Standardized Information Gathering) — created by Shared Assessments. SIG Lite is the abbreviated tier with 120+ questions; the full SIG runs to 850+. Used widely in financial services, insurance, and technology.

CAIQ (Consensus Assessments Initiative Questionnaire) — created by the Cloud Security Alliance (CSA). 260+ questions mapped to the Cloud Controls Matrix (CCM). Common in cloud-native and SaaS buying contexts.

Custom spreadsheets — most enterprise security teams have their own template that mixes elements of SIG, CAIQ, ISO, and their internal policies.

What questions do they ask?

Common themes include:

  • Access control — how do you manage who can access data (role-based access, MFA, access reviews, offboarding)?
  • Encryption — is data encrypted at rest and in transit, with which algorithms and TLS versions, and who holds the keys?
  • Incident response — how do you detect and contain a breach, and how quickly will you notify affected customers?
  • Subprocessors — which third parties process your customer data, and how are customers told when the list changes?
  • Certifications — do you have SOC 2, ISO 27001, PCI DSS, and can you share the report or certificate?
  • Business continuity — what is your uptime SLA, and what are the RTO and RPO in your DR plan?
  • Data deletion — how do you delete customer data on request or at contract end, within what timeframe, and does that cover backups?

How to respond efficiently

The teams that answer fastest keep a knowledge vault of authoritative documents and reusable approved answers. When a new questionnaire arrives, they map each question to a source — policy doc, SOC 2 report, architecture summary — rather than writing answers from scratch.

SecureFlow automates exactly this: upload your documents, import the questionnaire, let AI draft answers grounded in your vault, then review and export.



Not legal or compliance advice.