Connects to Vanta, Google Drive & 3,000+ sources

Your DDQs, completed in minutes

FillBase auto-fills your DDQs, SIGs, and CAIQs with source-cited answers from Vanta, Google Drive, and 3,000+ other sources.

[Slack workspace "Acme SaaS" · channel #vendor-security · topic: Stripe DDQ · due Friday]
James (10:42 AM): @Fili pls fill this
  Attachment: Stripe_Vendor_Security_DDQ.xlsx

Fili [APP] (10:58 AM): @Christina Couldn't find specific info on this: "How do you encrypt your data?". Can you provide some info?

Christina (11:04 AM): We use AES-256 at rest via AWS KMS — I'll add the SOC 2 excerpt to the knowledge base. Key rotation is automatic every 90 days.

Fili [APP] (11:31 AM): Here is the DDQ — 248/265 questions answered.
  @Christina @James please approve your categories here:
  Link preview: Stripe DDQ 2026 — Questionnaire (app.fillbase.ai)
  Review and approve category answers before submission.
Stripe DDQ 2026 — Questionnaire
Stripe — Vendor Security Assessment 2026 · DDQ_2026_Stripe.xlsx · 265 questions

| # | Category | Requirement | Description | Status | Answer | Evidence (docs) | Assignee |
|---|----------|-------------|-------------|--------|--------|-----------------|----------|
| 1 | Security | How do you encrypt data at rest? | Describe encryption algorithms, key management, and storage controls for customer data at rest. | Ongoing | We use AES-256 at rest via AWS KMS. Key rotation is automatic every 90 days. SOC 2 Type II covers encryption controls. | 1 | C |
| 2 | Security | How do you encrypt data in transit? | TLS versions, certificate management, and internal service-to-service encryption. | Answered | All external traffic uses TLS 1.2+. Internal APIs use mTLS between services. Certificates are managed via AWS ACM with auto-rotation. | 2 | F |
| 3 | Security | Do you have a documented incident response plan? | IR plan scope, roles, communication procedures, and testing frequency. | Answered | Yes. Our IR plan is reviewed annually and tested via tabletop exercises every 6 months. SOC 2 Type II covers incident management controls. | 3 | J |
| 4 | Security | Describe your access control model for production systems. | RBAC, least privilege, MFA requirements, and privileged access management. | Answered | Production access is RBAC via Okta with mandatory MFA. Privileged access requires approval workflow and is logged in Datadog. | 1 | C |
| 5 | Compliance | How often are vulnerability scans performed? | External and internal scanning frequency, remediation SLAs. | Answered | Weekly automated scans via Snyk and quarterly external penetration tests. Critical findings remediated within 7 days. | 2 | |
| 6 | Compliance | List all subprocessors that process customer data. | Subprocessor name, purpose, location, and data types processed. | Ongoing | | | F |
| 7 | Compliance | Do you maintain SOC 2 Type II certification? | Certification status, scope, and most recent audit report availability. | Answered | Yes. SOC 2 Type II report available under NDA. Scope includes Security, Availability, and Confidentiality trust criteria. | 4 | J |
| 8 | Operational | Describe your employee security training program. | Onboarding training, annual refreshers, and phishing simulations. | Pending | | | J |
| 9 | Security | Is multi-factor authentication enforced for all users? | MFA coverage for workforce, contractors, and privileged accounts. | Answered | MFA is required for all users via Okta. Hardware keys enforced for production access. | 2 | C |
| 10 | Security | How is customer data logically segregated in multi-tenant environments? | Tenant isolation model, database separation, and cross-tenant access controls. | Verified | Each tenant has a dedicated schema with row-level security policies. Cross-tenant queries are blocked at the ORM layer. | 3 | F |
| 11 | Operational | Describe your business continuity and disaster recovery program. | RTO/RPO targets, backup frequency, failover testing, and geographic redundancy. | Answered | RTO 4h / RPO 1h. Daily encrypted backups with cross-region replication. DR tested annually. | 2 | J |
| 12 | Compliance | Do you perform background checks on employees with data access? | Pre-employment screening scope and periodic re-checks. | Answered | Yes. Background checks for all employees and contractors with production or customer data access. | 1 | |
| 13 | Security | How are security patches deployed to production systems? | Patch management process, SLAs by severity, and emergency patching. | Answered | Critical patches within 72 hours. Monthly maintenance window for non-critical updates via automated Ansible playbooks. | 1 | C |
| 14 | Operational | Is a formal change management process documented and followed? | Change approval workflow, segregation of duties, and audit trail. | No evidence | | | F |
| 15 | Compliance | How long are audit and application logs retained? | Log types, retention periods, immutability, and access controls. | Answered | Application logs retained 13 months. Audit logs 24 months in immutable S3 with Object Lock. | 2 | |
| 16 | Compliance | Do you support customer-initiated data deletion requests? | GDPR/CCPA erasure workflow, timelines, and verification. | Ongoing | Yes. Deletion requests fulfilled within 30 days via automated pipeline with confirmation email. | | J |
| 17 | Security | Describe your secure software development lifecycle (SSDLC). | Code review, SAST/DAST, dependency scanning, and release gates. | Answered | PR reviews required, Snyk + Semgrep in CI, DAST on staging, no deploy without passing security checks. | 3 | F |
| 18 | Security | Are production environments separated from development and staging? | Network segmentation, account isolation, and data masking in lower environments. | Answered | Fully separate AWS accounts per environment. Production data never copied to lower environments. | 2 | C |
| 19 | Security | How do you manage third-party API keys and secrets? | Secret storage, rotation, access logging, and revocation procedures. | Pending | | | F |
248/265 answered · Auto-fill available
For CTOs closing enterprise deals

You shouldn't be your company's DDQ department

Your prospect sends a 200-question Excel file. You open last quarter's Google Doc, Ctrl+F, copy-paste, then chase engineering, legal, and finance on Slack for days. At seed that's you — the CTO. At Series A–B it's still often you, while your VP of Sales asks when the deal will close. FillBase does the work in Slack; you approve and send.

Your VP of Sales is waiting on the DDQ

Enterprise buyers won't sign until their security team approves you. Each questionnaire takes ~8 hours on average — and the deal sits in limbo until you're done. Loopio and Conveyor are for GRC teams at scale — FillBase is for the CTO or VP Engineering still owning the DDQ at a 20–200 person SaaS company.

Slack-native · Zero context-switching

Autonomous completion

No upload-and-wait dashboard. Forward a questionnaire in Slack and get a completed, source-cited file back.

Consistency across every DDQ

Knowledge base that learns

Every completed questionnaire trains the knowledge base. 70-80% of questions repeat across formats — train once, answer everything.

FillBase workflow in Slack

Built for how CTOs actually work

When it's stuck on encryption or sub-processors, it @mentions the right engineer or lawyer — not another email thread you have to manage.

Every DDQ format

SIG, CAIQ, VSA, HECVAT, or custom Excel from your buyer's security team — not just the templates big GRC tools expect.

How it works

Three steps. Fifteen minutes. Back to building.

Upload SOC 2 once. Forward the next DDQ from your prospect's security team. Review cited answers and send — while your VP tracks the close.

1

Upload your policies

SOC 2 report, security policies, and 2-3 past DDQ responses. FillBase ingests everything and builds your knowledge base in minutes.

Policy documents ingested into FillBase
2

Forward a DDQ

Email, Slack, or upload — any format. FillBase parses every question, matches your knowledge base, and auto-completes ~90%.

DDQ forwarded to FillBase
3

Review & ship

Every answer has a source citation. Approve, export in the original format, and move on. The next DDQ is faster.

Review cited answers and export
Results

8 hours → 30 minutes. Deals move again.

Stop being the bottleneck between security review and signature. Your VP gets a completed DDQ in days, not weeks.

  • 10X · 30min per DDQ
  • 90% · 90% auto-completed
  • 24/7 · 0 context switches
  • 5+ · 100% source-cited

Testimonials

What teams say about FillBase

“I was the CTO filling every DDQ in Google Docs at midnight. Now I forward them in Slack and review in 30 minutes — our first six-figure enterprise deal closed two weeks faster.”

Sarah Chen, CTO & co-founder, seed-stage SaaS

Integrations

Works with the stack you already have

Slack, Excel, Word, PDF, OneTrust, ServiceNow, Vanta, Drata — FillBase connects to where your security data already lives.

Pricing

Choose the right plan for you

Less than hiring a junior GRC analyst ($6K/mo). Trivial if it unblocks one enterprise deal your VP has been waiting on.

Free plan

$0 /mo

50 requirements / week

Get started

Security

  • Slack integration
  • Knowledge base
  • Source-cited answers

Storage

  • 5GB storage
  • File versioning

Support

  • Support by email only
  • Free time tracking

Starter plan

Popular
$149 /mo

500 requirements / month

Get started

Security

  • Enhanced security
  • Advanced encryption
  • Two-factor authentication
  • Data loss prevention

Storage

  • 50GB storage
  • File versioning
  • Backup and restore

Support

  • Priority support
  • 24/7 priority support
  • Email and chat support

Growth plan

$599 /mo

3,000 requirements / month

Get started

Security

  • Advanced security
  • Enterprise encryption
  • Two-factor authentication
  • Data loss prevention
  • Priority onboarding & support

Storage

  • 150GB storage
  • File versioning
  • Backup and restore

Support

  • Support by email only
  • Free time tracking
500+ DDQs completed
Cancel any time, no questions asked
FAQ

Frequently asked questions

Quick answers to the most common questions about security questionnaires

Your next enterprise deal shouldn't wait on a spreadsheet

Get started