Classification: NDA-scoped reviewer documentation

Vendor Security Questionnaire Template

Use this template to send your required questions for review.

Company name:
Primary contact:
Security contact:
Required due date:

1) Company and security program overview

  1. Describe your security ownership model and who is responsible for security decisions.
  2. Describe your incident response process at a high level.
  3. Describe your vulnerability management process.

2) Data handling

  1. What customer data categories do you process?
  2. Where is customer data stored and processed?
  3. How is data encrypted in transit and at rest?
  4. What is your retention approach for customer data and operational logs?
  5. How can customers request deletion and data access?

3) Access controls

  1. How is employee/admin access controlled?
  2. How do you enforce least privilege?
  3. How do you revoke access on role change or offboarding?

4) Infrastructure and operations

  1. Describe your hosting model and deployment control approach.
  2. Describe backup and recovery practices.
  3. Describe your business continuity and disaster recovery approach.

5) Incident and disclosure

  1. How are customers notified of material incidents?
  2. What is your responsible disclosure process?

6) Third-party risk

  1. List subprocessor categories and purpose.
  2. Describe how subprocessor changes are managed.

7) Requested artifacts

8) NDA and scope

NDA required? (yes/no)
Requested restricted scope: