Fill information security questionnaire online free
Upload your information security questionnaire and company URL. We fill up to 50 questions with cited answers — no account required.
After the free fill, run the full workflow in FillBase
Slack handoff, knowledge base, team @mentions — same product your team uses for every Information Security questionnaire.
| # | Category | Requirement | Description | Status | Answer | Evidence | Assignee | Reviewers |
|---|---|---|---|---|---|---|---|---|
| 1 | Security | How do you encrypt data at rest? | Describe encryption algorithms, key management, and storage controls for customer data at rest. | Ongoing | We use AES-256 at rest via AWS KMS. Key rotation is automatic every 90 days. SOC 2 Type II covers encryption controls. | 1 | — | |
| 2 | Security | How do you encrypt data in transit? | TLS versions, certificate management, and internal service-to-service encryption. | Answered | All external traffic uses TLS 1.2+. Internal APIs use mTLS between services. Certificates are managed via AWS ACM with auto-rotation. | 2 | F | — |
| 3 | Security | Do you have a documented incident response plan? | IR plan scope, roles, communication procedures, and testing frequency. | Answered | Yes. Our IR plan is reviewed annually and tested via tabletop exercises every 6 months. SOC 2 Type II covers incident management controls. | 3 | — | |
| 4 | Security | Describe your access control model for production systems. | RBAC, least privilege, MFA requirements, and privileged access management. | Answered | Production access is RBAC via Okta with mandatory MFA. Privileged access requires approval workflow and is logged in Datadog. | 1 | — | |
| 5 | Compliance | How often are vulnerability scans performed? | External and internal scanning frequency, remediation SLAs. | Answered | Weekly automated scans via Snyk and quarterly external penetration tests. Critical findings remediated within 7 days. | 2 | — | — |
| 6 | Compliance | List all subprocessors that process customer data. | Subprocessor name, purpose, location, and data types processed. | Ongoing | Click to add... | — | F | — |
| 7 | Compliance | Do you maintain SOC 2 Type II certification? | Certification status, scope, and most recent audit report availability. | Answered | Yes. SOC 2 Type II report available under NDA. Scope includes Security, Availability, and Confidentiality trust criteria. | 4 | — | |
| 8 | Operational | Describe your employee security training program. | Onboarding training, annual refreshers, and phishing simulations. | Pending | Click to add... | — | — | |
| 9 | Security | Is multi-factor authentication enforced for all users? | MFA coverage for workforce, contractors, and privileged accounts. | Answered | MFA is required for all users via Okta. Hardware keys enforced for production access. | 2 | — | |
| 10 | Security | How is customer data logically segregated in multi-tenant environments? | Tenant isolation model, database separation, and cross-tenant access controls. | Verified | Each tenant has a dedicated schema with row-level security policies. Cross-tenant queries are blocked at the ORM layer. | 3 | F | — |
| 11 | Operational | Describe your business continuity and disaster recovery program. | RTO/RPO targets, backup frequency, failover testing, and geographic redundancy. | Answered | RTO 4h / RPO 1h. Daily encrypted backups with cross-region replication. DR tested annually. | 2 | — | |
| 12 | Compliance | Do you perform background checks on employees with data access? | Pre-employment screening scope and periodic re-checks. | Answered | Yes. Background checks for all employees and contractors with production or customer data access. | 1 | — | — |
| 13 | Security | How are security patches deployed to production systems? | Patch management process, SLAs by severity, and emergency patching. | Answered | Critical patches within 72 hours. Monthly maintenance window for non-critical updates via automated Ansible playbooks. | 1 | — | |
| 14 | Operational | Is a formal change management process documented and followed? | Change approval workflow, segregation of duties, and audit trail. | No evidence | Click to add... | — | F | — |
| 15 | Compliance | How long are audit and application logs retained? | Log types, retention periods, immutability, and access controls. | Answered | Application logs retained 13 months. Audit logs 24 months in immutable S3 with Object Lock. | 2 | — | — |
| 16 | Compliance | Do you support customer-initiated data deletion requests? | GDPR/CCPA erasure workflow, timelines, and verification. | Ongoing | Yes. Deletion requests fulfilled within 30 days via automated pipeline with confirmation email. | — | — | |
| 17 | Security | Describe your secure software development lifecycle (SSDLC). | Code review, SAST/DAST, dependency scanning, and release gates. | Answered | PR reviews required, Snyk + Semgrep in CI, DAST on staging, no deploy without passing security checks. | 3 | F | — |
| 18 | Security | Are production environments separated from development and staging? | Network segmentation, account isolation, and data masking in lower environments. | Answered | Fully separate AWS accounts per environment. Production data never copied to lower environments. | 2 | — | |
| 19 | Security | How do you manage third-party API keys and secrets? | Secret storage, rotation, access logging, and revocation procedures. | Pending | Click to add... | — | F | — |
Every buyer's security questionnaire is different — but the answers aren't
Prospects call them "security assessments," "vendor security reviews," "infosec questionnaires," or just "the security thing." The format changes every time, but 80% of the questions are the same: encryption, access control, incident response, compliance. You're re-answering the same questions in different spreadsheets — and it takes hours every time.
Handles any questionnaire format
Custom spreadsheets, standard frameworks, or hybrid assessments — FillBase adapts to the buyer's format. No template required.
Learns from every questionnaire you complete
Each completed questionnaire becomes a knowledge source. By your fifth questionnaire, accuracy approaches 95% because FillBase has seen your answers in context.
Source citations build trust
Every answer links to the exact policy, SOC 2 section, or prior response it came from. Your buyer's security team can verify without follow-up.
Fill your Information Security questionnaire
Information Security Questionnaire — FAQ
Common questions about filling an Information Security questionnaire online with FillBase
Built by the team behind Tendersight after one too many midnight DDQs. How we fill Information Security questionnaires →