
Glossary

Quick reference for procurement security jargon. For product positioning, see SecureFlow vs generic AI.

SIG (Standardized Information Gathering)
A structured questionnaire family used in procurement to assess vendors across many domains (security, privacy, resilience). Often delivered as spreadsheets or portal forms.
SIG Lite
A shorter subset of SIG for lower-risk vendors or earlier diligence stages—still often hundreds of rows in practice.
CAIQ (Consensus Assessments Initiative Questionnaire)
A questionnaire aligned with CSA themes and cloud control areas; common in cloud/SaaS vendor reviews.
SIG vs CAIQ
Both probe security posture. SIG is broader and procurement-oriented; CAIQ is typically framed around cloud control areas. Buyers may use either, or a hybrid Excel template that mixes rows from both.
VSA / vendor security assessment
Generic term for the security portion of vendor due diligence—may map to SIG-like rows or a custom template.
TPRM (Third-Party Risk Management)
Program to identify, assess, and monitor vendor/partner risk—including questionnaires, contracts, and ongoing monitoring.
Vendor security questionnaire
Spreadsheet or portal capturing security/privacy controls evidence from a vendor; SecureFlow targets drafting these answers with citations.
DDQ (Due Diligence Questionnaire)
Used in finance and private equity (PE) contexts; the security appendices of a DDQ overlap heavily with SIG-style content.
RAG (Retrieval-Augmented Generation)
AI pattern: retrieve the relevant chunks from your own documents, then generate text grounded in those chunks. This reduces blind hallucination compared with raw chat, because each answer can cite the source it was drawn from.
Trust center / security page
Public-facing summary of security practices; should align with private questionnaire answers to avoid procurement friction.
Subprocessor
A third party that processes data on your behalf; subprocessor lists are a frequent questionnaire section.
Fourth-party risk
Risk from your vendors’ own vendors; questionnaires increasingly ask how you oversee critical supply chains.