The DDQ wave: what the inbox looks like this week
Mid-November volume snapshot across our own fleet. Volume, topic distribution, and the two categories growing fastest this week compared to the baseline.
A quick snapshot of the mid-November 2025 DDQ wave as it hits the inbox, pulled from our fleet. The volume graph is cresting right now and it is worth publishing what we see while the numbers are live.
Volume
Incoming DDQs across our fleet, week of 2025-11-10 through 2025-11-14:
- Volume is 45% above annual baseline. Consistent with the year-end pattern we described in the volume post.
- Median questionnaire length this week: 218 questions. Slightly below the annual median of 240 — the November wave tends to skew toward shorter, custom-written buyer questionnaires rather than full SIG Core submissions.
- Median turnaround requested: 11 business days. Shorter than the annual median of 14. Buyers trying to close onboarding before the holiday freeze.
Topic distribution this week
A mid-wave breakdown by question category (percent of questions across the week’s incoming DDQs):
| Category | This week | Annual baseline | Delta |
|---|---|---|---|
| Access control | 14% | 15% | -1 |
| Encryption | 11% | 12% | -1 |
| Incident response | 10% | 9% | +1 |
| AI/LLM usage | 9% | 5% | +4 |
| Subprocessor / third-party risk | 9% | 7% | +2 |
| BCP/DR | 7% | 8% | -1 |
| Data residency | 6% | 5% | +1 |
| Compliance attestations | 6% | 7% | -1 |
| Supply-chain security | 5% | 3% | +2 |
| Vulnerability management | 5% | 6% | -1 |
| Other | 18% | 23% | -5 |
Two categories are running notably hot this week: AI/LLM usage (up 4 points) and supply-chain security (up 2 points). Both track the growing-category list we published last week. The AI/LLM bump specifically is driven by new questions appearing in custom buyer templates — most of them variants of “do you train on customer data,” “do you use third-party LLMs,” and “describe your AI governance program.”
What the team sees
Two operational notes from analysts inside our customer accounts this week.
SME queue is saturated at most accounts. The 48-hour SLA the team-structure post described is holding across most accounts, but some escalations are waiting 60 to 72 hours. The bottleneck is typically the security engineer SME, not the legal SME. When the hottest categories (AI/LLM, supply chain) need escalation, they route to the same handful of security engineers.
Freshness refusals are climbing. The freshness scoring layer is refusing auto-answers on blocks citing evidence more than 10 months old. Customers whose SOC 2 cycle ran January-to-December are seeing more refusals this month as the attestation approaches renewal. The refusals route correctly but add SME time to questionnaires that would otherwise have been fully auto-answered.
One more week of peak expected, then a gradual tail into the first week of December. January will be the quietest month of the year. For the year-round shape, the volume post is the reference.