
A real questform run — the exact format you receive

This is a real questform run on an illustrative evidence set for a fictional company (Northwind Systems) — the exact format you receive for your own questionnaire. Each answer is drafted only from the submitted evidence, cites the exact passage behind it, carries a confidence score, and is flagged when it would claim more than the evidence proves.

Every answer is drafted only from the evidence you submitted and is substantiated by the passages cited beside it. questform does not independently verify that any control is in place — it checks each drafted claim against your own submitted text. Review every answer, especially those flagged, before sending.

Summary: 8 Questions · 6 Grounded · 1 Flagged to verify · 2 No evidence

Question 1

Is all customer data encrypted at rest?

High confidence

Drafted answer

Yes. All customer data is encrypted at rest using AES-256. Encryption keys are managed in a dedicated key-management service and rotated annually.

Grounded in your submitted evidence.

Cited evidence

Policy — Data Protection

All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed in a dedicated key-management service and rotated annually.

Question 2

Do you enforce multi-factor authentication for all personnel with access to production systems?

High confidence

Drafted answer

We require multi-factor authentication for all engineering staff who access production infrastructure, enforced through our identity provider. We do not have evidence to confirm MFA coverage extends to all personnel categories beyond engineering staff.

Grounded in your submitted evidence.

Cited evidence

Prior answer — Authentication

We require multi-factor authentication for all engineering staff who access production infrastructure. MFA is enforced through our identity provider.

Question 3

Do you perform background checks on all employees before hire?

Low confidence · No evidence — answer this yourself

Drafted answer

Your submitted evidence does not cover this question. Draft this answer yourself, then add the supporting evidence.

No matching evidence in your submission — answer this one yourself before sending.

Question 4

Do you maintain a documented incident response plan, and what is your breach notification timeline?

High confidence

Drafted answer

Yes. We maintain a documented incident response plan that is reviewed annually. In the event of a confirmed breach affecting customer data, we notify affected customers within 72 hours of confirmation.

Grounded in your submitted evidence.

Cited evidence

Policy — Incident Response

We maintain a documented incident response plan that is reviewed annually. In the event of a confirmed breach affecting customer data, we notify affected customers within 72 hours of confirmation.

Question 5

Are you SOC 2 Type II certified?

Low confidence · No evidence — answer this yourself

Drafted answer

Your submitted evidence does not cover this question. Draft this answer yourself, then add the supporting evidence.

No matching evidence in your submission — answer this one yourself before sending.

Question 6

How frequently do you perform third-party penetration testing?

High confidence

Drafted answer

We engage a third-party security firm to perform a penetration test once per year and remediate findings on a risk-prioritized basis.

Grounded in your submitted evidence.

Cited evidence

Prior answer — Security Testing

We engage a third-party security firm to perform a penetration test once per year, and remediate findings on a risk-prioritized basis.

Question 7

Do you maintain an inventory of subprocessors and make it available to customers?

Medium confidence · May over-claim — verify

Drafted answer

We maintain an internal inventory of subprocessors that is reviewed during vendor onboarding. However, we cannot confirm from available evidence that this inventory is made available to customers upon request.

This answer may claim more than your cited evidence proves — verify before sending.

Cited evidence

Policy — Vendor Management

We maintain an inventory of subprocessors internally and review it during vendor onboarding.

Question 8

Is access to production systems reviewed on a periodic basis?

High confidence

Drafted answer

Yes. Access to production systems is reviewed on a quarterly basis. Access is deprovisioned within 24 hours of a role change or departure.

Grounded in your submitted evidence.

Cited evidence

Policy — Access Management

Access to production systems is reviewed on a quarterly basis. Access is deprovisioned within 24 hours of a role change or departure.