FillBase auto-fills DDQs, SIGs, and CAIQs with source-cited answers — grounded in your SOC 2, Vanta, and Google Drive.
Channels
Direct messages
James
Christina@Fili pls fill this
@Christina Couldn't find specific info on this: "How do you encrypt your data?". Can you provide some info?
We use AES-256 at rest via AWS KMS — I'll add the SOC 2 excerpt to the knowledge base. Key rotation is automatic every 90 days.
Here is the DDQ — 248/265 questions answered.
@Christina@James please approve your categories here:
Stripe DDQ 2026 — Questionnaire
Review and approve category answers before submission.
app.fillbase.app
| # | Category | Requirement | Description | Status | Answer | Evidence | Assignee | Reviewers | ||
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Security | How do you encrypt data at rest? | Describe encryption algorithms, key management, and storage controls for customer data at rest. | Ongoing | We use AES-256 at rest via AWS KMS. Key rotation is automatic every 90 days. SOC 2 Type II covers encryption controls. | 1 | | — | ||
| 2 | Security | How do you encrypt data in transit? | TLS versions, certificate management, and internal service-to-service encryption. | Answered | All external traffic uses TLS 1.2+. Internal APIs use mTLS between services. Certificates are managed via AWS ACM with auto-rotation. | 2 | F | — | ||
| 3 | Security | Do you have a documented incident response plan? | IR plan scope, roles, communication procedures, and testing frequency. | Answered | Yes. Our IR plan is reviewed annually and tested via tabletop exercises every 6 months. SOC 2 Type II covers incident management controls. | 3 | | — | ||
| 4 | Security | Describe your access control model for production systems. | RBAC, least privilege, MFA requirements, and privileged access management. | Answered | Production access is RBAC via Okta with mandatory MFA. Privileged access requires approval workflow and is logged in Datadog. | 1 | | — | ||
| 5 | Compliance | How often are vulnerability scans performed? | External and internal scanning frequency, remediation SLAs. | Answered | Weekly automated scans via Snyk and quarterly external penetration tests. Critical findings remediated within 7 days. | 2 | — | — | ||
| 6 | Compliance | List all subprocessors that process customer data. | Subprocessor name, purpose, location, and data types processed. | Ongoing | Click to add... | — | F | — | ||
| 7 | Compliance | Do you maintain SOC 2 Type II certification? | Certification status, scope, and most recent audit report availability. | Answered | Yes. SOC 2 Type II report available under NDA. Scope includes Security, Availability, and Confidentiality trust criteria. | 4 | | — | ||
| 8 | Operational | Describe your employee security training program. | Onboarding training, annual refreshers, and phishing simulations. | Pending | Click to add... | — | | — | ||
| 9 | Security | Is multi-factor authentication enforced for all users? | MFA coverage for workforce, contractors, and privileged accounts. | Answered | MFA is required for all users via Okta. Hardware keys enforced for production access. | 2 | | — | ||
| 10 | Security | How is customer data logically segregated in multi-tenant environments? | Tenant isolation model, database separation, and cross-tenant access controls. | Verified | Each tenant has a dedicated schema with row-level security policies. Cross-tenant queries are blocked at the ORM layer. | 3 | F | — | ||
| 11 | Operational | Describe your business continuity and disaster recovery program. | RTO/RPO targets, backup frequency, failover testing, and geographic redundancy. | Answered | RTO 4h / RPO 1h. Daily encrypted backups with cross-region replication. DR tested annually. | 2 | | — | ||
| 12 | Compliance | Do you perform background checks on employees with data access? | Pre-employment screening scope and periodic re-checks. | Answered | Yes. Background checks for all employees and contractors with production or customer data access. | 1 | — | — | ||
| 13 | Security | How are security patches deployed to production systems? | Patch management process, SLAs by severity, and emergency patching. | Answered | Critical patches within 72 hours. Monthly maintenance window for non-critical updates via automated Ansible playbooks. | 1 | | — | ||
| 14 | Operational | Is a formal change management process documented and followed? | Change approval workflow, segregation of duties, and audit trail. | No evidence | Click to add... | — | F | — | ||
| 15 | Compliance | How long are audit and application logs retained? | Log types, retention periods, immutability, and access controls. | Answered | Application logs retained 13 months. Audit logs 24 months in immutable S3 with Object Lock. | 2 | — | — | ||
| 16 | Compliance | Do you support customer-initiated data deletion requests? | GDPR/CCPA erasure workflow, timelines, and verification. | Ongoing | Yes. Deletion requests fulfilled within 30 days via automated pipeline with confirmation email. | — | | — | ||
| 17 | Security | Describe your secure software development lifecycle (SSDLC). | Code review, SAST/DAST, dependency scanning, and release gates. | Answered | PR reviews required, Snyk + Semgrep in CI, DAST on staging, no deploy without passing security checks. | 3 | F | — | ||
| 18 | Security | Are production environments separated from development and staging? | Network segmentation, account isolation, and data masking in lower environments. | Answered | Fully separate AWS accounts per environment. Production data never copied to lower environments. | 2 | | — | ||
| 19 | Security | How do you manage third-party API keys and secrets? | Secret storage, rotation, access logging, and revocation procedures. | Pending | Click to add... | — | F | — |
Your prospect sends a 200-question Excel file. You open last quarter's Google Doc, Ctrl+F, copy-paste, then chase engineering, legal, and finance on Slack for days. At seed that's you — the CTO. At Series A–B it's still often you, while your VP of Sales asks when the deal will close. FillBase does the work in Slack; you approve and send.
Enterprise buyers won't sign until their security team approves you. Each questionnaire takes ~8 hours on average — and the deal sits in limbo until you're done. Loopio and Conveyor are for GRC teams at scale — FillBase is for the CTO or VP Engineering still owning the DDQ at a 20–200 person SaaS company.
@Fili pls fill this
Here is the DDQ — 248/265 questions answered with source citations.
Vendor DDQ — Questionnaire
Review cited answers before you send it back.
app.fillbase.app
No upload-and-wait dashboard. Forward a questionnaire in Slack and get a completed, source-cited file back.
Learn more →| Requirement | Status |
|---|---|
| How do you encrypt data at rest? | In progress |
| How do you encrypt data in transit? | Answered |
| Do you have a documented incident response plan? | Answered |
| Describe your access control model for production systems. | Answered |
Every completed questionnaire trains the knowledge base. 70-80% of questions repeat across formats — train once, answer everything.
Learn more →@Christina Need input on encryption at rest — not in the knowledge base yet.
AES-256 via KMS — I'll add the SOC 2 excerpt to the knowledge base.
@James Can you confirm production TLS minimum version?
When it's stuck on encryption or sub-processors, it @mentions the right engineer or lawyer — not another email thread you have to manage.
Learn more →| # | Requirement | Status | Answer |
|---|---|---|---|
| 1 | How do you encrypt data at rest? | In progress | 1 |
| 2 | How do you encrypt data in transit? | Answered | 2 |
| 3 | Do you have a documented incident response plan? | Answered | 3 |
| 4 | Describe your access control model for production systems. | Answered | 1 |
SIG, CAIQ, VSA, HECVAT, or custom Excel from your buyer's security team — not just the templates big GRC tools expect.
Learn more →Upload SOC 2 once. Forward the next DDQ from your prospect's security team. Review cited answers and send — while your VP tracks the close.
SOC 2 report, security policies, and 2-3 past DDQ responses. FillBase ingests everything and builds your knowledge base in minutes.
Email, Slack, or upload — any format. FillBase parses every question, matches your knowledge base, and auto-completes ~90%.
Every answer has a source citation. Approve, export in the original format, and move on. The next DDQ is faster.
Stop being the bottleneck between security review and signature. Your VP gets a completed DDQ in hours, not weeks.
30min per DDQ
90% auto-completed
0 context switches
100% source-cited
From filling DDQs at midnight to shipping answers the same hour they arrive.
“I was the guy filling DDQs at midnight in Google Sheets so our deals wouldn't stall. After the third 200-question spreadsheet I said enough and built FillBase. Now our DDQs go out the same hour come in.”
Andrei-Dragoș Pătrașcu
CEO @ Tendersight
3,200+ apps via Pipedream — Vanta, Drata, Slack, Confluence, Notion, Okta, Jira, Google Workspace, ServiceNow, Datadog, and everywhere else your SOC 2 evidence lives.
Less than hiring a junior GRC analyst ($6K/mo). Trivial if it unblocks one enterprise deal your VP has been waiting on.
200 requirements / month
500 requirements / month
3,000 requirements / month
Cancel any time, no questions asked
Quick answers to the most common questions about security questionnaires
