Vendor Security Questionnaire

Answer Yes/No and provide supporting evidence.

  1. Is data encrypted at rest? Evidence: audit summary or config doc.
  2. Is data encrypted in transit? Evidence: TLS configuration.
  3. Do you test your business continuity plan annually? Evidence: test report.
  4. Is MFA required for privileged users? Evidence: policy or screenshot.
  5. Do you conduct code reviews and vulnerability scans? Evidence: CI/CD logs.
  6. Are critical vulnerabilities remediated within SLA? Evidence: metrics.
  7. Do you conduct annual penetration testing? Evidence: report summary.
  8. Are access privileges reviewed quarterly? Evidence: review log.
  9. Are logs retained for at least 90 days? Evidence: log retention policy.
  10. Are you SOC 2 or ISO 27001 certified? Evidence: certificate or audit report.