A real questform run — the exact format you receive
This is a real questform run on an illustrative evidence set for a fictional company (Northwind Systems), in the exact format you receive for your own questionnaire. Each answer is drafted only from the submitted evidence, cites the exact passage behind it, carries a grounding status (grounded, flagged to verify, or no evidence), and is flagged when it would claim more than the evidence proves.
questform does not independently verify that any control is in place; it checks each drafted claim against your own submitted text. Review every answer, especially those flagged, before sending.
8 questions: 5 grounded, 1 flagged to verify, 2 with no evidence.
Question 1
Is all customer data encrypted at rest?
Drafted answer
Yes. All customer data is encrypted at rest using AES-256. Encryption keys are managed in a dedicated key-management service and rotated annually.
Grounded in your submitted evidence.
Cited evidence
Policy — Data Protection
All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed in a dedicated key-management service and rotated annually.
Question 2
Do you enforce multi-factor authentication for all personnel with access to production systems?
Drafted answer
We require multi-factor authentication for all engineering staff who access production infrastructure, enforced through our identity provider. We do not have evidence to confirm MFA coverage extends to all personnel categories beyond engineering staff.
Grounded in your submitted evidence.
Cited evidence
Prior answer — Authentication
We require multi-factor authentication for all engineering staff who access production infrastructure. MFA is enforced through our identity provider.
Question 3
Do you perform background checks on all employees before hire?
Drafted answer
Your submitted evidence does not cover this question. Draft this answer yourself, then add the supporting evidence.
No matching evidence in your submission — answer this one yourself before sending.
Question 4
Do you maintain a documented incident response plan, and what is your breach notification timeline?
Drafted answer
Yes. We maintain a documented incident response plan that is reviewed annually. In the event of a confirmed breach affecting customer data, we notify affected customers within 72 hours of confirmation.
Grounded in your submitted evidence.
Cited evidence
Policy — Incident Response
We maintain a documented incident response plan that is reviewed annually. In the event of a confirmed breach affecting customer data, we notify affected customers within 72 hours of confirmation.
Question 5
Are you SOC 2 Type II certified?
Drafted answer
Your submitted evidence does not cover this question. Draft this answer yourself, then add the supporting evidence.
No matching evidence in your submission — answer this one yourself before sending.
Question 6
How frequently do you perform third-party penetration testing?
Drafted answer
We engage a third-party security firm to perform a penetration test once per year and remediate findings on a risk-prioritized basis.
Grounded in your submitted evidence.
Cited evidence
Prior answer — Security Testing
We engage a third-party security firm to perform a penetration test once per year, and remediate findings on a risk-prioritized basis.
Question 7
Do you maintain an inventory of subprocessors and make it available to customers?
Drafted answer
We maintain an internal inventory of subprocessors that is reviewed during vendor onboarding. However, we cannot confirm from available evidence that this inventory is made available to customers upon request.
This answer may claim more than your cited evidence proves — verify before sending.
Cited evidence
Policy — Vendor Management
We maintain an inventory of subprocessors internally and review it during vendor onboarding.
Question 8
Is access to production systems reviewed on a periodic basis?
Drafted answer
Yes. Access to production systems is reviewed on a quarterly basis. Access is deprovisioned within 24 hours of a role change or departure.
Grounded in your submitted evidence.
Cited evidence
Policy — Access Management
Access to production systems is reviewed on a quarterly basis. Access is deprovisioned within 24 hours of a role change or departure.