How accurate is FillBase for CAIQ?

With a SOC 2 and 3–4 policies uploaded, expect 85–92% auto-fill accuracy. The CAIQ's standardized format delivers the highest accuracy of any questionnaire type.

Does FillBase support CAIQ v4?

Yes. FillBase parses the CAIQ structure dynamically — it works with v3, v4, and custom-modified versions.

Should I publish to the STAR Registry?

If you sell SaaS to enterprises, yes. It reduces inbound CAIQ requests and signals security maturity. FillBase exports in the format the registry accepts.

CAIQ

Fill CAIQ online free

Upload your CAIQ (Excel, Word, or PDF) plus your company site. We fill up to 50 cloud security questions with cited evidence.

Every answer cites a source from your SOC 2, policies, or past questionnaires
Same FillBase product teams use in Slack for live deals
Free preview uses your file and company site only — no credit card

50 requirements free. Register for the full file · Privacy

Drop your CAIQ fileor click to browse · xlsx, docx, pdf

50 free on this page — we use your file and company site for this fill only. Register for the full CAIQ. Privacy policy

Add Fili to Slack — @mention the CAIQ file in your deal channel. Fili reads your knowledge base and returns cited answers in the thread.

Built by the team behind Tendersight after one too many midnight DDQs. How we fill CAIQ →

After the free fill, run the full workflow in FillBase

Slack handoff, knowledge base, team @mentions — same product your team uses for every CAIQ.

Start free

🏠

💬

Acme Inc.✎

Jump to...

Channels

# vendor-security

# sales-deals

# engineering

Direct messages

James

Fili

Christina

# vendor-securityStripe DDQ · due Friday

👥 4📌⋯

James10:42 AM

@Fili pls fill this

📎Stripe_Vendor_Security_DDQ.xlsx

FiliAPP10:43 AM

@Christina Couldn't find specific info on this: "How do you encrypt your data?". Can you provide some info?

Christina10:45 AM

We use AES-256 at rest via AWS KMS — I'll add the SOC 2 excerpt to the knowledge base. Key rotation is automatic every 90 days.

FiliAPP10:47 AM

Here is the DDQ — 248/265 questions answered.

@Christina@James please approve your categories here:

Stripe DDQ 2026 — Questionnaire

Review and approve category answers before submission.

app.fillbase.app

Message #vendor-security

+😊@📎

Back to project Questionnaire

#	Category	Requirement	Description	Status	Answer	Evidence	Assignee	Reviewers
1	Security	How do you encrypt data at rest?	Describe encryption algorithms, key management, and storage controls for customer data at rest.	Ongoing	We use AES-256 at rest via AWS KMS. Key rotation is automatic every 90 days. SOC 2 Type II covers encryption controls.	1		—
2	Security	How do you encrypt data in transit?	TLS versions, certificate management, and internal service-to-service encryption.	Answered	All external traffic uses TLS 1.2+. Internal APIs use mTLS between services. Certificates are managed via AWS ACM with auto-rotation.	2	F	—
3	Security	Do you have a documented incident response plan?	IR plan scope, roles, communication procedures, and testing frequency.	Answered	Yes. Our IR plan is reviewed annually and tested via tabletop exercises every 6 months. SOC 2 Type II covers incident management controls.	3		—
4	Security	Describe your access control model for production systems.	RBAC, least privilege, MFA requirements, and privileged access management.	Answered	Production access is RBAC via Okta with mandatory MFA. Privileged access requires approval workflow and is logged in Datadog.	1		—
5	Compliance	How often are vulnerability scans performed?	External and internal scanning frequency, remediation SLAs.	Answered	Weekly automated scans via Snyk and quarterly external penetration tests. Critical findings remediated within 7 days.	2	—	—
6	Compliance	List all subprocessors that process customer data.	Subprocessor name, purpose, location, and data types processed.	Ongoing	Click to add...	—	F	—
7	Compliance	Do you maintain SOC 2 Type II certification?	Certification status, scope, and most recent audit report availability.	Answered	Yes. SOC 2 Type II report available under NDA. Scope includes Security, Availability, and Confidentiality trust criteria.	4		—
8	Operational	Describe your employee security training program.	Onboarding training, annual refreshers, and phishing simulations.	Pending	Click to add...	—		—
9	Security	Is multi-factor authentication enforced for all users?	MFA coverage for workforce, contractors, and privileged accounts.	Answered	MFA is required for all users via Okta. Hardware keys enforced for production access.	2		—
10	Security	How is customer data logically segregated in multi-tenant environments?	Tenant isolation model, database separation, and cross-tenant access controls.	Verified	Each tenant has a dedicated schema with row-level security policies. Cross-tenant queries are blocked at the ORM layer.	3	F	—
11	Operational	Describe your business continuity and disaster recovery program.	RTO/RPO targets, backup frequency, failover testing, and geographic redundancy.	Answered	RTO 4h / RPO 1h. Daily encrypted backups with cross-region replication. DR tested annually.	2		—
12	Compliance	Do you perform background checks on employees with data access?	Pre-employment screening scope and periodic re-checks.	Answered	Yes. Background checks for all employees and contractors with production or customer data access.	1	—	—
13	Security	How are security patches deployed to production systems?	Patch management process, SLAs by severity, and emergency patching.	Answered	Critical patches within 72 hours. Monthly maintenance window for non-critical updates via automated Ansible playbooks.	1		—
14	Operational	Is a formal change management process documented and followed?	Change approval workflow, segregation of duties, and audit trail.	No evidence	Click to add...	—	F	—
15	Compliance	How long are audit and application logs retained?	Log types, retention periods, immutability, and access controls.	Answered	Application logs retained 13 months. Audit logs 24 months in immutable S3 with Object Lock.	2	—	—
16	Compliance	Do you support customer-initiated data deletion requests?	GDPR/CCPA erasure workflow, timelines, and verification.	Ongoing	Yes. Deletion requests fulfilled within 30 days via automated pipeline with confirmation email.	—		—
17	Security	Describe your secure software development lifecycle (SSDLC).	Code review, SAST/DAST, dependency scanning, and release gates.	Answered	PR reviews required, Snyk + Semgrep in CI, DAST on staging, no deploy without passing security checks.	3	F	—
18	Security	Are production environments separated from development and staging?	Network segmentation, account isolation, and data masking in lower environments.	Answered	Fully separate AWS accounts per environment. Production data never copied to lower environments.	2		—
19	Security	How do you manage third-party API keys and secrets?	Secret storage, rotation, access logging, and revocation procedures.	Pending	Click to add...	—	F	—

~260Questions

17CSA domains

70–80%SOC 2 overlap

~15 minWith FillBase

Every SaaS company selling to enterprise gets a CAIQ

The Cloud Security Alliance questionnaire maps to the Cloud Controls Matrix and evaluates your SaaS across 17 security domains. It's standardized, which is good — but it's still 260 questions that someone needs to answer before the deal closes.

Highest accuracy of any questionnaire type

The CAIQ's standardized Yes/No/NA format and stable Control IDs make it the most AI-friendly assessment. Expect 85–92% accuracy from day one.

70–80% overlap with your SOC 2

Both frameworks cover access control, encryption, incident response, monitoring, and operational security. FillBase exploits this overlap automatically.