Generic questions get generic answers. Evidence-based questions get real conversations.

After a vendor scan, specific questions are generated from the actual findings. Your vendor cannot dismiss these with a checkbox. They have to address what was found.

"Do you encrypt data at rest?" "Do you have a SOC 2 report?" "Do you conduct regular penetration tests?"

Every vendor answers yes. The answers tell you nothing about their actual security posture. You spent an hour writing the questionnaire. Your vendor spent ten minutes ticking boxes. Nobody learned anything.

Generic vs evidence-based

CRITICAL: Source maps publicly accessible at app.dataprocessor.io

Generic questionnaire

"Do you implement appropriate access controls for your application?"

Generated from scan evidence

"We observed that your application at app.dataprocessor.io serves JavaScript source maps publicly. This exposes your complete application source code, including internal API routes and authentication logic. Can you confirm whether this is intentional and what steps you are taking to restrict access?"

CRITICAL: Pre-consent tracking detected (Google Analytics, HotJar)

Generic questionnaire

"Do you comply with GDPR requirements for data processing?"

Generated from scan evidence

"Our scan detected Google Analytics and HotJar loading on your application 1.2 seconds before any cookie consent interaction. Your privacy policy does not list HotJar as a data processor. Can you clarify your legal basis for this processing and confirm whether HotJar is included in your Article 30 records?"

MEDIUM: DMARC policy set to none

Generic questionnaire

"Do you implement email security controls?"

Generated from scan evidence

"Your email domain has a DMARC policy set to 'none', which means spoofed emails using your domain are delivered without restriction. Given that you process our customer data and send transactional emails on our behalf, are you planning to enforce a reject or quarantine policy, and what is your timeline?"
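As an added example (not code from this page or from the scanner it describes), the following Python classifies a vendor's DMARC TXT record the way the finding above does, rating p=none as MEDIUM, and turns the result into an evidence-based question. The severity mapping, domain names and records are constructed for illustration.

```python
from typing import Optional

# Severity scale matches the labels used in the findings above; the mapping
# itself is an assumption for this example, not the scanner's own rules.
SEVERITY_BY_POLICY = {"none": "MEDIUM", "quarantine": "LOW", "reject": "OK"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=none; rua=...") into lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> dict:
    """Classify the DMARC posture of a domain from its TXT record (None = absent)."""
    if record is None:
        return {"domain": domain, "policy": None, "severity": "HIGH",
                "finding": f"No DMARC record published for {domain}"}
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"domain": domain, "policy": None, "severity": "HIGH",
                "finding": f"Malformed DMARC record for {domain}: {record!r}"}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    severity = SEVERITY_BY_POLICY.get(policy, "HIGH")
    if policy != "none" and pct < 100:
        severity = "MEDIUM"  # enforcement on only part of the mail stream is still a gap
    finding = f"DMARC policy for {domain} is '{policy}' (pct={pct})"
    if "rua" not in tags:
        finding += "; no aggregate reporting address (rua), so failures go unseen"
    return {"domain": domain, "policy": policy, "severity": severity, "finding": finding}


def question_from_finding(result: dict) -> str:
    """Turn an assessment into the kind of evidence-based question the page describes."""
    if result["policy"] == "reject":
        return ""  # nothing to raise
    return (f"We observed the following: {result['finding']}. "
            "Are you planning to enforce a reject or quarantine policy, and what is your timeline?")


if __name__ == "__main__":
    # Constructed sample records for invented domains; not real DNS data.
    samples = {
        "vendor-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-a.example",
        "vendor-b.example": "v=DMARC1; p=quarantine; pct=50",
        "vendor-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-c.example",
        "vendor-d.example": None,
    }
    for domain, record in samples.items():
        result = assess_dmarc(domain, record)
        print(result["severity"], result["finding"])
```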

What changes when questions are based on evidence

Generic questionnaire                          | Evidence-based questions
Vendor answers with a checkbox                 | Vendor has to explain a specific finding
Response takes 10 minutes                      | Response requires investigation
No way to verify the answer                    | Evidence is verifiable (you can re-scan)
Same questions sent to every vendor            | Questions are unique to each vendor
Conversation ends with "yes, we are compliant" | Conversation starts with "here is what we observed"

Stop asking if they are secure. Show them what you found.

Scan a vendor for free. See the findings. Then ask the right questions.

Questionnaire generator included with buyer plans. See pricing
