Complete a VSAQ online — Vendor security assessment in minutes

A prospect's procurement team just sent you a VSAQ — a Vendor Security Assessment Questionnaire. It's 80–200 questions about your security posture, and they need it before the deal moves forward.

VSAQs are the gatekeepers of enterprise sales. No completed VSAQ, no signed contract. Here's how to complete it online without blocking your pipeline.

What is a VSAQ?

A VSAQ (Vendor Security Assessment Questionnaire) is a security evaluation that companies send to their vendors and potential vendors before onboarding them. Unlike standardized formats like SIG or CAIQ, VSAQs are typically custom — each company creates their own version based on their risk framework.

What makes VSAQs different:

• Custom format — Every company's VSAQ is slightly different. Some use Excel, some Word, some online portals.
• Risk-tiered — Companies often have different VSAQ versions based on vendor risk level. Handling PII? You get the long version. API-only integration? Short version.
• Practical focus — VSAQs tend to ask about your actual security practices, not just whether you have a policy. "Describe your access review process" rather than "Do you have an access control policy?"
• 50–200 questions — Shorter than a SIG Core but more detailed than a basic DDQ.

Common VSAQ sections

Most VSAQs cover these areas (even though the exact questions vary):

How to complete a VSAQ online

1. Build your knowledge base (10 minutes, one-time)

Upload to FillBase:

• SOC 2 Type II report
• 3–5 core security policies (InfoSec, Access Control, IR, BCP, Privacy)
• Any previously completed VSAQs or DDQs

Previously completed questionnaires are especially valuable for VSAQs because they contain practical, detailed answers that formal policies often don't cover.

2. Submit the VSAQ (1 minute)

Upload the file — Excel, Word, or PDF. FillBase parses the structure regardless of format. Custom layouts, merged cells, multi-column formats — all handled automatically.

3. Review AI answers (10–20 minutes)

Since VSAQs are custom, accuracy depends on how much overlap there is with standard security questions (which is usually a lot). Typical results:

• 70–85% auto-filled with source-cited answers from your knowledge base
• 10–20% need quick review — the AI found relevant info but the question has a company-specific twist
• 5–10% flagged — questions about specific tooling, metrics, or practices not covered by your documents

Focus your time on the flagged items. The rest is review-and-approve.

4. Export and send (1 minute)

Get the completed VSAQ back in the original format. No reformatting needed.

Why vSAQs are harder than standardized questionnaires

With SIG or CAIQ, the questions are predictable — they're the same every time. VSAQs are harder because:

1. Every company's version is different. You can't pre-build a master template that works for all VSAQs.
2. Questions are more specific. Instead of "Do you encrypt data at rest?" you get "Describe the encryption algorithms used for data at rest, including key lengths and key management procedures."
3. Follow-up questions are embedded. Many VSAQ questions have sub-parts: "If yes, describe. If no, explain compensating controls."

This is exactly where AI grounded in your documents outperforms templates. The AI reads the specific question, searches your knowledge base for the relevant details, and constructs an answer that addresses what was actually asked — not what you assume was asked.

VSAQ Volume is increasing

Third-party risk management is tightening across industries. If you sell B2B SaaS:

• Financial services buyers require VSAQs from every vendor, regardless of size
• Healthcare buyers need VSAQ + HIPAA-specific questions
• Government buyers require VSAQs aligned to NIST or FedRAMP
• Enterprise buyers are moving from annual to continuous vendor assessments

If you're completing 3+ VSAQs per month, the time adds up fast. Each one you complete with FillBase strengthens your knowledge base for the next — even though they're all different, 70% of the underlying questions are the same.

Frequently asked questions

Can I complete a VSAQ online for free? Yes. FillBase's free tier covers 200 requirements per month — enough for 1–2 typical VSAQs. No credit card required.

My prospect sent the VSAQ through an online portal (OneTrust, ProcessUnity, etc.). Can I still use FillBase? Export the questionnaire from the portal as Excel or CSV, complete it in FillBase, and re-import. Most vendor risk portals support this workflow.

How is completing a VSAQ different from a DDQ? Functionally, it's the same process — upload, auto-fill, review, export. VSAQs tend to be more detailed in their questions and more varied in format than standard DDQs. FillBase handles both identically.

What if the VSAQ asks about certifications or attestations I don't have? Answer honestly — "Not currently certified" or "In progress, expected completion Q3 2026." FillBase flags questions where your knowledge base doesn't have a matching answer, so you won't accidentally claim a certification you don't hold.

How do I handle the "evidence upload" sections? Many VSAQs ask you to attach supporting documents (SOC 2 report, certificates, policies). FillBase handles the questionnaire answers; you attach the evidence documents separately.

Stop letting vSAQs block your pipeline

Every day a VSAQ sits incomplete is a day your deal isn't closing. Complete your next VSAQ online with FillBase — upload your SOC 2, submit the questionnaire, and get back to selling.

Related: Complete a DDQ online · Fill out a security questionnaire online · The 50 DDQ questions that always appear