Free DDQ template (Excel) — 2026 edition with 200+ pre-filled questions
Download a free DDQ response template in Excel format. 200+ categorized security questions with example answers, organized by topic. Ready to customize for your company.

You've been asked to complete a due diligence questionnaire, but you're starting from scratch. No template, no prior responses, no idea what's coming.
This page gives you a free DDQ template in Excel format — 200+ questions organized by category, with example answer structures you can customize for your company.
What's in the template
The template covers the 12 question categories that appear in virtually every DDQ:
| Category | Questions | Coverage |
|---|---|---|
| Company Overview | 12 | Legal entity, size, locations, insurance |
| Data Security & Encryption | 18 | At rest, in transit, key management |
| Access Control & Authentication | 20 | SSO, MFA, RBAC, privileged access |
| Network Security | 15 | Firewalls, segmentation, DDoS protection |
| Application Security | 18 | SDLC, code review, pen testing, SAST/DAST |
| Incident Response | 14 | IRP, SLAs, notification, post-mortems |
| Business Continuity & DR | 12 | BCP, DR plan, RTO/RPO, backup strategy |
| Compliance & Certifications | 16 | SOC 2, ISO 27001, GDPR, HIPAA |
| Data Handling & Privacy | 18 | Classification, retention, deletion, GDPR rights |
| Vendor & Third-Party Management | 14 | Sub-processors, vendor assessments, DPAs |
| HR & Employee Security | 12 | Background checks, training, offboarding |
| Logging & Monitoring | 11 | SIEM, audit logs, alerting, retention |
| Total | 180 | |
Each question includes:
- Category — For filtering and assignment
- Question — The actual DDQ question as a buyer would phrase it
- Example answer — A structured response template showing what a good answer looks like
- Evidence reference — Where to find the supporting documentation
- Owner — Suggested internal owner (CTO, Security, Legal, HR, Engineering)
How to use this template
Step 1: Download and customize
Download the template and replace the example answers with your company's actual information. Focus on accuracy over polish — buyers care about substance, not formatting.
Step 2: Build your source documents
Good DDQ answers reference real documentation. Before customizing, gather:
- SOC 2 Type II report (covers 60–70% of questions)
- Security policies (information security, access control, incident response)
- Architecture documentation (data flow, infrastructure, encryption)
- Sub-processor list with DPA status
- Business continuity and DR plans
Step 3: Assign owners
Not every question should be answered by the same person:
- CTO / VP Engineering — Architecture, encryption, application security, infrastructure
- Security / Compliance — Policies, certifications, risk management, vulnerability management
- Legal — Privacy, GDPR, data handling, DPA terms, insurance
- HR — Background checks, training, offboarding
- Engineering — SDLC, code review, CI/CD, monitoring
Step 4: Review and version
After completing the template:
- Have someone other than the author review all answers
- Check that answers are internally consistent
- Verify dates are current (last audit, last pentest, last BCP test)
- Save a versioned copy — you'll update this quarterly
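One way to mechanise part of the Step 4 review, as an added example that is not part of the template or of FillBase: a Python script that reads the template exported as CSV (the five columns listed above) and flags unresolved bracket placeholders, rows with no owner, and ISO dates in answers older than a year. The sample rows and the 365-day freshness window are constructed assumptions.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export of the template (columns as in the template).
# Values are illustrative only, not taken from any real DDQ.
SAMPLE_CSV = """Category,Question,Answer,Evidence reference,Owner
Data Security & Encryption,Describe your encryption standards for data at rest.,All data at rest is encrypted using AES-256 via AWS KMS with annual key rotation.,Information Security Policy §4; SOC 2 §CC6.1,CTO
Access Control & Authentication,How is privileged access managed?,Admin access window is [4/8/24] hours. Access reviews are conducted quarterly.,Access Control Policy §[X]; SOC 2 §CC6.3,Security
Incident Response,What is your incident response SLA?,P1: 1 hour response and 4 hour containment. Last IRP drill: 2024-03-15.,Incident Response Plan §7; SOC 2 §CC7.3,
Business Continuity & DR,What are your RTO and RPO targets?,RTO 4 hours; RPO 1 hour. Last DR test: 2025-11-02.,Business Continuity Plan §2; SOC 2 §A1.2,Engineering
"""

PLACEHOLDER = re.compile(r"\[[^\]]*\]")             # unresolved [X] or [4/8/24] slots
ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
MAX_AGE_DAYS = 365                                   # assumed freshness window for evidence dates


def review(csv_text, today):
    """Return (csv_line, kind, detail, question) tuples for every finding."""
    findings = []
    # Line 1 is the header, so the first data row is CSV line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        question = row["Question"]
        for field in ("Answer", "Evidence reference"):
            if PLACEHOLDER.search(row[field]):
                findings.append((line_no, "placeholder", field, question))
        if not row["Owner"].strip():
            findings.append((line_no, "missing-owner", "Owner", question))
        for y, m, d in ISO_DATE.findall(row["Answer"]):
            age = (today - date(int(y), int(m), int(d))).days
            if age > MAX_AGE_DAYS:
                findings.append((line_no, "stale-date", f"{y}-{m}-{d}", question))
    return findings


def review_sample(today_iso):
    """Run the checks over the constructed sample as of the given ISO date."""
    return review(SAMPLE_CSV, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for line_no, kind, detail, question in review_sample("2026-01-15"):
        print(f"line {line_no}: {kind} ({detail}) in '{question}'")
```

Run it against your own export (Excel's "Save as CSV UTF-8") before the human review so reviewers spend their time on substance rather than on spotting leftover brackets.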
Sample questions and answers
Here are examples from each major category:
Data Security & Encryption
Q: Describe your encryption standards for data at rest.
A: "All data at rest is encrypted using AES-256 via [AWS KMS / Azure Key Vault / GCP KMS]. Encryption is enforced at the storage layer — no unencrypted data storage is permitted. Keys are managed by [service], with automatic [annual/quarterly] rotation. Database: [PostgreSQL RDS / Cloud SQL] with encryption enabled by default. Object storage: [S3 / GCS / Azure Blob] with server-side encryption. Ref: Information Security Policy §[X], SOC 2 §CC6.1."
Access Control
Q: How is privileged access managed?
A: "Privileged access follows the principle of least privilege with just-in-time (JIT) provisioning. Admin access requires: (1) manager approval, (2) MFA verification, (3) time-limited access window ([4/8/24] hours). Privileged sessions are logged and reviewed [quarterly]. Access reviews conducted [quarterly] by [engineering management / security team]. Deprovisioning: within [4/24] hours of role change or termination. Ref: Access Control Policy §[X], SOC 2 §CC6.3."
Incident Response
Q: What is your incident response SLA?
A: "Severity-based response SLAs: P1 (critical, data breach): [1] hour response, [4] hour containment. P2 (high, service impact): [4] hour response. P3 (medium, no immediate impact): [24] hour response. Customer notification: within [72] hours for incidents affecting customer data, per DPA terms. Post-incident review completed within [5] business days. Last IRP drill: [date]. Ref: Incident Response Plan §[X], SOC 2 §CC7.3."
Business Continuity
Q: What are your RTO and RPO targets?
A: "RTO (Recovery Time Objective): [4] hours. RPO (Recovery Point Objective): [1] hour. Infrastructure: [multi-region / multi-AZ] deployment on [AWS / Azure / GCP]. Backups: [daily] automated snapshots, [30]-day retention, cross-region replication. Last DR test: [date], achieved failover in [X] hours. BCP reviewed and updated [annually]. Ref: Business Continuity Plan §[X], SOC 2 §A1.2."
The template's limitations
This template covers the most common DDQ questions, but:
Every buyer's DDQ is different. Enterprise buyers often add custom questions about your specific product, architecture, or industry. The template gives you a foundation — not a finished product.
Answers go stale. Certifications expire, policies update, sub-processors change. Review your template quarterly.
Copy-paste doesn't scale. If you're completing 3+ DDQs per month, manually adapting this template for each buyer's format becomes the bottleneck.
When to graduate from a template
A template works for your first 5–10 DDQs. After that, you'll notice:
- You're copying answers between spreadsheets and reformatting every time
- Different people give slightly different answers to the same question
- Tracking which version of an answer is current becomes painful
- Buyers send questionnaires in their own format, not yours
This is when DDQ automation software pays for itself. FillBase takes your SOC 2, policies, and past responses — including this template — and auto-fills questionnaires in any format with source citations. The template you build here becomes a knowledge source, not a thing you copy-paste from.
Try it free at fillbase.app — upload a DDQ and see how many questions FillBase answers from your existing documentation.
Use the DDQ questionnaire tool to get started. FillBase supports all major formats including Excel, Word, and PDF. Browse all questionnaire types.