Fill SOC 2 questionnaire online free
Upload your SOC 2 compliance questionnaire and your SOC 2 report. We fill up to 50 questions with cited answers — no account required.
After the free fill, run the full workflow in FillBase
Slack handoff, knowledge base, team @mentions — same product your team uses for every SOC 2.
| # | Category | Requirement | Description | Status | Answer | Evidence | Assignee | Reviewers |
|---|---|---|---|---|---|---|---|---|
| 1 | Security | How do you encrypt data at rest? | Describe encryption algorithms, key management, and storage controls for customer data at rest. | Ongoing | We use AES-256 at rest via AWS KMS. Key rotation is automatic every 90 days. SOC 2 Type II covers encryption controls. | 1 | — | |
| 2 | Security | How do you encrypt data in transit? | TLS versions, certificate management, and internal service-to-service encryption. | Answered | All external traffic uses TLS 1.2+. Internal APIs use mTLS between services. Certificates are managed via AWS ACM with auto-rotation. | 2 | F | — |
| 3 | Security | Do you have a documented incident response plan? | IR plan scope, roles, communication procedures, and testing frequency. | Answered | Yes. Our IR plan is reviewed annually and tested via tabletop exercises every 6 months. SOC 2 Type II covers incident management controls. | 3 | — | |
| 4 | Security | Describe your access control model for production systems. | RBAC, least privilege, MFA requirements, and privileged access management. | Answered | Production access is RBAC via Okta with mandatory MFA. Privileged access requires approval workflow and is logged in Datadog. | 1 | — | |
| 5 | Compliance | How often are vulnerability scans performed? | External and internal scanning frequency, remediation SLAs. | Answered | Weekly automated scans via Snyk and quarterly external penetration tests. Critical findings remediated within 7 days. | 2 | — | — |
| 6 | Compliance | List all subprocessors that process customer data. | Subprocessor name, purpose, location, and data types processed. | Ongoing | Click to add... | — | F | — |
| 7 | Compliance | Do you maintain SOC 2 Type II certification? | Certification status, scope, and most recent audit report availability. | Answered | Yes. SOC 2 Type II report available under NDA. Scope includes Security, Availability, and Confidentiality trust criteria. | 4 | — | |
| 8 | Operational | Describe your employee security training program. | Onboarding training, annual refreshers, and phishing simulations. | Pending | Click to add... | — | — | |
| 9 | Security | Is multi-factor authentication enforced for all users? | MFA coverage for workforce, contractors, and privileged accounts. | Answered | MFA is required for all users via Okta. Hardware keys enforced for production access. | 2 | — | |
| 10 | Security | How is customer data logically segregated in multi-tenant environments? | Tenant isolation model, database separation, and cross-tenant access controls. | Verified | Each tenant has a dedicated schema with row-level security policies. Cross-tenant queries are blocked at the ORM layer. | 3 | F | — |
| 11 | Operational | Describe your business continuity and disaster recovery program. | RTO/RPO targets, backup frequency, failover testing, and geographic redundancy. | Answered | RTO 4h / RPO 1h. Daily encrypted backups with cross-region replication. DR tested annually. | 2 | — | |
| 12 | Compliance | Do you perform background checks on employees with data access? | Pre-employment screening scope and periodic re-checks. | Answered | Yes. Background checks for all employees and contractors with production or customer data access. | 1 | — | — |
| 13 | Security | How are security patches deployed to production systems? | Patch management process, SLAs by severity, and emergency patching. | Answered | Critical patches within 72 hours. Monthly maintenance window for non-critical updates via automated Ansible playbooks. | 1 | — | |
| 14 | Operational | Is a formal change management process documented and followed? | Change approval workflow, segregation of duties, and audit trail. | No evidence | Click to add... | — | F | — |
| 15 | Compliance | How long are audit and application logs retained? | Log types, retention periods, immutability, and access controls. | Answered | Application logs retained 13 months. Audit logs 24 months in immutable S3 with Object Lock. | 2 | — | — |
| 16 | Compliance | Do you support customer-initiated data deletion requests? | GDPR/CCPA erasure workflow, timelines, and verification. | Ongoing | Yes. Deletion requests fulfilled within 30 days via automated pipeline with confirmation email. | — | — | |
| 17 | Security | Describe your secure software development lifecycle (SSDLC). | Code review, SAST/DAST, dependency scanning, and release gates. | Answered | PR reviews required, Snyk + Semgrep in CI, DAST on staging, no deploy without passing security checks. | 3 | F | — |
| 18 | Security | Are production environments separated from development and staging? | Network segmentation, account isolation, and data masking in lower environments. | Answered | Fully separate AWS accounts per environment. Production data never copied to lower environments. | 2 | — | |
| 19 | Security | How do you manage third-party API keys and secrets? | Secret storage, rotation, access logging, and revocation procedures. | Pending | Click to add... | — | F | — |
You have the SOC 2 — why are you still answering questions about it?
You spent $50K+ getting SOC 2 Type II certified. The report is 80 pages of detailed controls. But prospects still send a 100-question spreadsheet asking about the same controls in their own format. You open the SOC 2 PDF, Ctrl+F for each question, copy the relevant paragraph, and rephrase it. Two hours later, you've answered 30 questions.
~92% auto-fill from your SOC 2 report
SOC 2 questionnaires ask about trust service criteria your report already covers. FillBase maps questions to the exact section and control — achieving the highest auto-fill rate of any questionnaire type.
Cites the specific SOC 2 section
Each answer references the exact trust service criterion (CC6.1, CC7.2, etc.) and the control description from your report. Buyers can verify without reading 80 pages.
Handles the 30% that's NOT in your SOC 2
Some questions go beyond SOC 2 scope: product architecture, business continuity specifics, subprocessor details. FillBase pulls those answers from your policies and prior responses.
SOC 2 Compliance Questionnaire — FAQ
Common questions about filling SOC 2 online with FillBase
Built by the team behind Tendersight after one too many midnight DDQs.