Blog · Tag
ddq.
40 posts in this archive.
The evidence vault, a year in: attestations, tests, audits
What lives in the evidence vault, what expires, and the alerting that catches expirations before a DDQ cites a stale attestation.
April DDQ patterns, a year later
A field note on the questionnaires that landed this week — what's repeating from last April, what's new, and the two categories that are quietly eating the most response time.
DDQ season is now year-round
In 2025 the DDQ volume showed a clear seasonal peak — Q4 renewal cycles, January onboarding. A year later the seasonality has flattened. What changed and what it means for capacity planning.
Vendor risk management, patterns we see on the procurement side
A cross-cut of roughly 200 DDQs from the last six months — the fields that repeat, the fields that vary, and what the repetition tells us about how vendor risk teams actually operate.
DDQs from non-US buyers are shaped differently
A field note on three field-level differences between US, UK/EU, and APAC DDQs. Different privacy regimes, different data-residency framings, different evidence conventions. Small shifts that bite if you answer them on autopilot.
The DDQ evidence-provenance API
External auditors can now walk from a DDQ answer back to the source evidence without opening the KB. The endpoints, the auth model, and what we hardened before shipping.
The weekly DDQ evidence-freshness sweep
A 20-minute weekly routine that catches stale evidence links before a reviewer does. What the sweep covers, what it skips, and why we recommend it for teams that answer more than one DDQ a month.
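The vault alerting and the weekly sweep both come down to the same check: which artifacts have expired, which expire soon, and which answers cite them. The script below is an added example written for this archive, not the vault's own code. The vault records, the validity windows and the alert window are constructed assumptions; real windows depend on the attestation type and the buyer's policy.

```python
"""Weekly evidence-freshness sweep (added example, not the platform's code).

Each vault record is constructed: an evidence artifact with an issue date, a
validity window, and the DDQ answers that cite it. The sweep reports artifacts
that have expired or will expire inside the alert window so the citing answers
can be fixed before a reviewer finds the stale attestation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Validity windows are an assumption for illustration.
DEFAULT_VALIDITY_DAYS = {
    "soc2_type2": 365,   # measured from the report's period end
    "pentest": 365,      # measured from the test date
    "policy": 365,       # measured from the last approval date
}


@dataclass
class Evidence:
    evidence_id: str
    kind: str
    issued: date                                        # period end, test date, or approval date
    cited_by: List[str] = field(default_factory=list)   # DDQ answer ids citing this artifact
    validity_days: Optional[int] = None                 # overrides the default window

    def expires(self) -> date:
        days = self.validity_days or DEFAULT_VALIDITY_DAYS[self.kind]
        return self.issued + timedelta(days=days)


@dataclass
class Finding:
    evidence_id: str
    status: str        # "expired" or "expiring"
    expires: date
    days_left: int     # negative when already expired
    cited_by: List[str]


def sweep(vault: List[Evidence], today: date, alert_days: int = 30) -> List[Finding]:
    """Flag evidence that has expired or expires within alert_days."""
    findings = []
    for ev in vault:
        exp = ev.expires()
        days_left = (exp - today).days
        if days_left < 0:
            findings.append(Finding(ev.evidence_id, "expired", exp, days_left, ev.cited_by))
        elif days_left <= alert_days:
            findings.append(Finding(ev.evidence_id, "expiring", exp, days_left, ev.cited_by))
    # Expired first, then soonest expiry; within a tie, the most-cited artifact first.
    findings.sort(key=lambda f: (f.days_left, -len(f.cited_by)))
    return findings


def sweep_on(vault: List[Evidence], today_iso: str, alert_days: int = 30) -> List[Finding]:
    return sweep(vault, date.fromisoformat(today_iso), alert_days)


def answers_to_fix(findings: List[Finding]) -> List[str]:
    """DDQ answer ids that currently cite expired (not merely expiring) evidence."""
    return sorted({a for f in findings if f.status == "expired" for a in f.cited_by})


# Constructed sample vault.
VAULT = [
    Evidence("soc2-2024", "soc2_type2", date(2024, 9, 30), ["sec-012", "sec-044", "ops-003"]),
    Evidence("pentest-2024q4", "pentest", date(2024, 11, 10), ["sec-020"]),
    Evidence("policy-ir-v4", "policy", date(2025, 1, 10), ["ops-007"]),
    Evidence("soc2-2025", "soc2_type2", date(2025, 9, 30), ["sec-012"]),
]

if __name__ == "__main__":
    findings = sweep_on(VAULT, "2025-10-20")
    for f in findings:
        print(f"{f.status:8} {f.evidence_id:16} expires {f.expires}  cited by {', '.join(f.cited_by)}")
    print("answers to fix:", answers_to_fix(findings))
```

Note that sec-012 is flagged even though it also cites the current report: an answer that still carries a link to the expired artifact is the exact thing a reviewer catches, so the fix is to drop the stale citation, not only to add the new one.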
DORA compliance showing up in DDQs
The EU's Digital Operational Resilience Act shows up in a visible fraction of recent DDQs. What the regulation asks for, what buyers actually want, and how to structure the response without inventing posture.
The security-questionnaire closeout list
Ten fields security teams should confirm before signing off on a DDQ. A single-page closeout checklist, written for the person whose name goes on the submission and whose audit exposure is real.
The DDQ evidence-gap audit before year-end
A 60-minute audit that surfaces the DDQ answers you can no longer support with current evidence. Run it before the auditor in February asks. The answers that survive the audit are the ones worth keeping in the library.
The December DDQ panic day
A field note on the second Monday of December: what buyers send, why they send it then, and what the vendor side should do about it.
Year-end DDQ surge: how to staff it
The operational playbook for running 40 to 60 due-diligence questionnaires through a small security and proposal team in the last six weeks of the year, without losing the team.
Black Friday, but for B2B procurement
A quirky pattern from our own inbox: new-vendor DDQs spike in the week after Thanksgiving. A short note on why, and what the seasonality does to team planning.
Multi-tenant DDQ templates across customer accounts
How one SOC 2 answer shape generalizes across many customer tenants without leaking tenant-specific facts. The separation between template structure and tenant content, explained.
The DDQ wave: what the inbox looks like this week
Mid-November volume snapshot across our own fleet. Volume, topic distribution, and the two categories growing fastest this week compared to the baseline.
Confidence-threshold tuning for DDQ auto-answer
Where we set the confidence bar for auto-answering a DDQ question. The precision/recall trade-off, explained with our own data and the number we actually use for security questionnaires.
DDQ answer voice: why consistency beats polish
Buyers forgive plain writing. They do not forgive a questionnaire that reads like it was stitched from eight different people. How to keep 300 DDQ answers sounding like one voice.
The annual security-questionnaire cycle, four industries
SaaS, healthcare, defense, finance. How the timing, volume, and question distribution differ across four regulated B2B industries, and why the cycle shape matters for staffing.
In preview: auto-attachment of evidence on DDQ answers
Auto-attachment of evidence PDFs — SOC 2, pentest, policy documents — to DDQ answers that cite them. In preview for design-partner tenants while DDQ workflows mature toward general availability.
The recycled-DDQ-answers audit
A one-afternoon audit that finds the 40 recycled answers in last year's questionnaires that are silently wrong now. What to look for, what to rewrite, what to retire.
Security questionnaires: the 80% that's really retrieval
The canonical Engineering pillar on DDQ automation. A 300-question security questionnaire is not 300 unique questions — it's mostly retrieval against a corpus that's already written, plus a small tail that isn't.
The security-questionnaire response team that actually ships
Three roles, one DRI, a 48-hour SLA. How regulated vendors staff the Q4 questionnaire wave without shipping stale answers or missing deadlines.
The evidence vault: where SOC 2 PDFs live and how they cite
How a DDQ answer citing 'SOC 2 report, section CC6.1' actually finds the right PDF, serves it to the right buyer, and keeps the audit trail. The storage, access, and audit layer underneath.
DDQ fatigue is a security risk, not a productivity problem
Opinion. Rushing a 300-question security questionnaire at 11pm on a Thursday does not just cost time. It degrades real security posture, and the industry keeps framing it as a staffing issue.
Security-questionnaire volume in 2025, the data
Safe Security's 500+/year claim, tested against the volume we see across our own fleet. Category breakdowns, seasonal spikes, and the questions that are growing fastest.
The DDQ evidence-attachment API
How buyer-side evidence-request fields get auto-populated from a KB evidence vault. The schema, the matching logic, and the human-in-the-loop step we will not remove.
The Q4 DDQ surge is almost here
Procurement-side patterns for Q4 2025: what buyers are sending right now, what volume looks like at the question level, and what to expect in the next eight weeks.
Security questionnaires: linking answers to evidence
How a SOC 2 attestation PDF becomes a citation source for DDQ answers. The ingest pipeline, the per-control extraction, and the per-claim linking that makes 'yes' answers verifiable instead of theatrical.
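The evidence-vault post above and the linking post here meet at one operation: turning a citation string such as 'SOC 2 report, section CC6.1' into the right pages of the right PDF, for a buyer who is entitled to see it, with a record of the attempt. The script below is an added example written for this archive, not the vault's or the ingest pipeline's own code. The citation grammar, the vault index, the per-buyer entitlements and the sample answer are constructed assumptions.

```python
"""Resolving a DDQ citation to vault evidence, with an access check and an
audit trail (added example; not the platform's code). The vault index, buyer
entitlements and answer are constructed. A citation like
"SOC 2 report, section CC6.1" is parsed into (document kind, section),
resolved to the current report and the pages for that control, checked
against the buyer's entitlement, and every attempt is written to the log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# "<kind> report, section <section>", e.g. "SOC 2 report, section CC6.1".
CITATION_RE = re.compile(
    r"^\s*(?P<kind>.+?)\s+report,\s*section\s+(?P<section>[A-Za-z]*\d+(?:\.\d+)*)\s*$",
    re.IGNORECASE,
)
# Accepted spellings of a document kind (assumption for illustration).
KIND_ALIASES = {"soc 2": "soc2", "soc2": "soc2", "soc 2 type ii": "soc2",
                "pentest": "pentest", "penetration test": "pentest"}


@dataclass(frozen=True)
class Citation:
    kind: str      # normalized document kind, e.g. "soc2"
    section: str   # e.g. "CC6.1"


def parse_citation(text: str) -> Optional[Citation]:
    m = CITATION_RE.match(text)
    if not m:
        return None
    kind = " ".join(m.group("kind").lower().split())
    if kind not in KIND_ALIASES:
        return None
    return Citation(KIND_ALIASES[kind], m.group("section").upper())


@dataclass
class Document:
    doc_id: str
    kind: str
    sha256: str                               # digest of the stored PDF
    sections: Dict[str, Tuple[int, int]]      # section -> (first page, last page)
    current: bool = True                      # only the current report is citable


@dataclass(frozen=True)
class Resolution:
    outcome: str   # served | denied | bad_citation | no_current_document | section_not_found
    doc_id: Optional[str] = None
    sha256: Optional[str] = None
    pages: Optional[Tuple[int, int]] = None


def resolve(citation_text: str, buyer: str, vault: Dict[str, Document],
            entitlements: Dict[str, Set[str]], audit: List[dict]) -> Resolution:
    """Resolve a citation for a buyer; every attempt is appended to the audit log."""
    def done(outcome: str, doc: Optional[Document] = None, pages=None) -> Resolution:
        audit.append({"buyer": buyer, "citation": citation_text,
                      "outcome": outcome, "doc_id": doc.doc_id if doc else None})
        return Resolution(outcome, doc.doc_id if doc else None,
                          doc.sha256 if doc else None, pages)

    cit = parse_citation(citation_text)
    if cit is None:
        return done("bad_citation")
    # Entitlement first: an unentitled buyer learns nothing about the index.
    if cit.kind not in entitlements.get(buyer, set()):
        return done("denied")
    docs = [d for d in vault.values() if d.kind == cit.kind and d.current]
    if not docs:
        return done("no_current_document")
    doc = docs[0]
    if cit.section not in doc.sections:
        return done("section_not_found")
    return done("served", doc, doc.sections[cit.section])


def check_claims(answer: dict, buyer: str, vault, entitlements, audit) -> List[Tuple[str, str]]:
    """Per-claim linking: every claim behind a 'yes' must resolve for this buyer."""
    return [(claim, resolve(cit, buyer, vault, entitlements, audit).outcome)
            for claim, cit in answer["claims"]]


# Constructed vault index, entitlements and answer.
VAULT = {
    "soc2-2025": Document("soc2-2025", "soc2", "sha256:c0ffee2025",
                          {"CC6.1": (41, 44), "CC6.6": (48, 49), "CC7.2": (55, 57)}),
    "soc2-2024": Document("soc2-2024", "soc2", "sha256:c0ffee2024",
                          {"CC6.1": (39, 42)}, current=False),
    "pentest-2025": Document("pentest-2025", "pentest", "sha256:d00d2025", {"3.2": (9, 11)}),
}
ENTITLEMENTS = {"acme": {"soc2", "pentest"}, "globex": {"soc2"}}   # NDA coverage per buyer
ANSWER = {
    "question": "Is logical access to production systems restricted?",
    "text": "Yes.",
    "claims": [
        ("Access is limited to authorised personnel", "SOC 2 report, section CC6.1"),
        ("Access is reviewed quarterly", "SOC 2 report, section CC6.9"),
    ],
}

if __name__ == "__main__":
    log: List[dict] = []
    print(resolve("SOC 2 report, section CC6.1", "acme", VAULT, ENTITLEMENTS, log))
    print(resolve("Pentest report, section 3.2", "globex", VAULT, ENTITLEMENTS, log))
    print(check_claims(ANSWER, "acme", VAULT, ENTITLEMENTS, log))
    for entry in log:
        print(entry)
```

Two design choices carry the security point. The entitlement check runs before the index lookup, so a buyer without pentest coverage gets the same "denied" whether or not a pentest report exists. And the second claim in the sample answer fails with section_not_found: the answer says "yes", but one of its claims points at a control the current report does not cover, which is the theatrical 'yes' the linking post warns about.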
Vendor onboarding DDQs across four industries
Finance, healthcare, SaaS, and defense. The same 200 questions in four different rephrasings. A teardown of how the category-specific framing changes what the buyer expects to see in the answer — and what stays the same underneath.
The DDQ review cycle you can actually finish
Two rounds, not four. The structure that keeps security questionnaires from missing deadlines, and what to drop when you cut the ceremony.
The Friday DDQ batch we process in under an hour
What automation does to a weekly batch of security questionnaires, and the four things it still can't do.
In preview: question router v2 with confidence scores
DDQ questions now route with a confidence score in preview. High-confidence routes auto-draft from the KB; low-confidence routes to human review with a typed reason for the routing call.
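The threshold-tuning post above and the router preview here share one mechanism: pick a confidence bar from labelled review data, then route each question against it with a stated reason. The script below is an added example written for this archive, not the platform's router. The scored questions, the precision targets and the reason vocabulary are constructed assumptions; the separate, stricter bar for security questions is the example's own choice, not a number from the post.

```python
"""Confidence-threshold tuning and a question router (added example; not the
platform's code). Each constructed sample is the retriever's confidence for
its best KB match plus whether a reviewer accepted the auto-draft. The sweep
picks the lowest threshold whose precision meets a target; the router uses it
and attaches a typed reason to every human-review decision."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scored:
    question_id: str
    confidence: float   # retriever confidence for its best KB match, in [0, 1]
    accepted: bool      # label: a reviewer accepted the auto-drafted answer
    is_security: bool   # question sits in the security section


def precision_recall(samples: List[Scored], threshold: float) -> Tuple[float, float, int]:
    """Precision, recall and count if everything at or above threshold is auto-answered.
    Precision: share of auto-answers that were correct. Recall: share of all
    correct matches that were auto-answered rather than sent to a human."""
    auto = [s for s in samples if s.confidence >= threshold]
    tp = sum(1 for s in auto if s.accepted)
    positives = sum(1 for s in samples if s.accepted)
    precision = tp / len(auto) if auto else 1.0
    recall = tp / positives if positives else 0.0
    return precision, recall, len(auto)


def pick_threshold(samples: List[Scored], target_precision: float) -> float:
    """Lowest threshold (most automation) whose precision meets the target.
    Precision is not monotonic in the threshold, so the sweep is explicit."""
    for t in [i / 100 for i in range(0, 101, 5)]:
        p, _, n = precision_recall(samples, t)
        if n and p >= target_precision:
            return t
    return 1.0   # nothing meets the bar: everything goes to a human


@dataclass(frozen=True)
class Route:
    question_id: str
    action: str    # auto_draft | human_review
    reason: str    # typed reason for the routing call


def route(q: Scored, threshold: float, security_threshold: float) -> Route:
    """Security questions use a stricter bar; every human_review carries a reason."""
    bar = security_threshold if q.is_security else threshold
    if q.confidence >= bar:
        return Route(q.question_id, "auto_draft", "above_threshold")
    if q.is_security and q.confidence >= threshold:
        return Route(q.question_id, "human_review", "below_security_bar")
    if q.confidence >= bar - 0.15:
        return Route(q.question_id, "human_review", "near_threshold")
    return Route(q.question_id, "human_review", "no_confident_match")


def route_all(samples: List[Scored], threshold: float, security_threshold: float) -> List[Route]:
    return [route(s, threshold, security_threshold) for s in samples]


# Constructed review data: confidence of the best match and whether it was right.
SAMPLES = [
    Scored("q01", 0.95, True, True),
    Scored("q02", 0.92, True, False),
    Scored("q03", 0.88, True, True),
    Scored("q04", 0.85, False, True),    # confident and wrong: the case the bar exists for
    Scored("q05", 0.82, True, False),
    Scored("q06", 0.78, True, False),
    Scored("q07", 0.74, False, True),
    Scored("q08", 0.70, True, False),
    Scored("q09", 0.62, False, False),
    Scored("q10", 0.55, True, True),
    Scored("q11", 0.40, False, False),
    Scored("q12", 0.31, False, True),
]

if __name__ == "__main__":
    general = pick_threshold(SAMPLES, target_precision=0.80)
    security = pick_threshold(SAMPLES, target_precision=0.95)
    for t in (general, security):
        p, r, n = precision_recall(SAMPLES, t)
        print(f"threshold {t:.2f}: precision {p:.2f} recall {r:.2f} auto-answered {n}")
    for rt in route_all(SAMPLES, general, security):
        print(rt)
```

On this data a 0.80 precision target lands at 0.75 and a 0.95 target at 0.90; q04 is the reason the sweep cannot simply take the lowest bar, since one confident wrong match drags precision below target at 0.85. The typed reason is what makes the human-review queue triageable: "near_threshold" is a KB gap worth closing, "no_confident_match" is usually the tail that is not retrieval at all.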
The DDQ answer-reuse myth
The pitch is: every DDQ is mostly the same, so reuse the answers. The reality is: every DDQ is mostly similar but just different enough that naive reuse fails. The gap between similar and identical is where the work lives.
Ingesting a 300-question security questionnaire
A 300-question security questionnaire is a throughput problem, not a writing problem. The ingest pipeline has five stages: extract, classify, dedupe against the last one, retrieve, assemble. Here is what each stage does and where the time goes.
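The answer-reuse post above and the ingest post here describe the same step from two sides: dedupe against last year's questionnaire has to separate identical questions from merely similar ones. The script below is an added example written for this archive, not the pipeline's own code. It walks all five stages on a constructed questionnaire, last year's answers and a tiny KB; the keyword buckets, the token-overlap similarity and the thresholds are illustrative assumptions.

```python
"""Five-stage DDQ ingest (added example; not the platform's code): extract,
classify, dedupe against the previous questionnaire, retrieve, assemble.
The raw questionnaire, last year's answered questions and the KB are
constructed. Dedupe is the interesting stage: a question that is merely
similar to last year's gets the old answer as a draft but is flagged for
review, because one added clause ("with customer-managed keys") changes
the answer."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

QUESTION_RE = re.compile(r"^\s*Q?\d+[.)]\s*(.+?)\s*$")   # "12. Do you ..." or "Q12) ..."
STOPWORDS = {"do", "you", "your", "the", "a", "an", "is", "are", "of", "to", "and",
             "for", "in", "does", "have", "at", "with", "what", "describe", "please"}
# Keyword buckets are an assumption for illustration; the four bucket names
# are the ones the classification preview uses.
BUCKETS = {
    "finance": {"revenue", "audit", "financial", "insurance", "debt"},
    "legal": {"gdpr", "privacy", "dpa", "subprocessor", "contract", "residency"},
    "security": {"encrypt", "mfa", "pentest", "vulnerability", "access", "incident"},
    "operations": {"continuity", "sla", "uptime", "vendor", "escalation"},
}


@dataclass
class Draft:
    question: str
    bucket: str
    status: str            # reuse | review_diff | new | unanswered
    answer: Optional[str]
    source: Optional[str]  # previous question or KB entry the draft came from
    similarity: float


def extract(raw: str) -> List[str]:
    """Stage 1: pull numbered questions out of the raw export."""
    out = []
    for line in raw.splitlines():
        m = QUESTION_RE.match(line)
        if m:
            out.append(m.group(1))
    return out


def tokens(text: str) -> Set[str]:
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def classify(question: str) -> str:
    """Stage 2: bucket by keyword overlap."""
    toks = tokens(question)
    scores = {b: len(toks & kws) for b, kws in BUCKETS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else "unclassified"


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def best_match(question: str, corpus: Dict[str, str]) -> Tuple[Optional[str], float]:
    """Closest key in a corpus by token overlap, with its similarity."""
    q = tokens(question)
    best, best_sim = None, 0.0
    for key in corpus:
        s = jaccard(q, tokens(key))
        if s > best_sim:
            best, best_sim = key, s
    return best, best_sim


def ingest(raw: str, previous: Dict[str, str], kb: Dict[str, str],
           reuse_at: float = 0.9, review_at: float = 0.5, kb_at: float = 0.5) -> List[Draft]:
    drafts = []
    for q in extract(raw):
        bucket = classify(q)
        # Stage 3: dedupe against last year's questionnaire. Near-identical
        # questions reuse the answer; similar ones get it as a draft plus a flag
        # so the reviewer reads the difference instead of shipping it blind.
        prev_q, sim = best_match(q, previous)
        if sim >= reuse_at:
            drafts.append(Draft(q, bucket, "reuse", previous[prev_q], prev_q, sim))
            continue
        if sim >= review_at:
            drafts.append(Draft(q, bucket, "review_diff", previous[prev_q], prev_q, sim))
            continue
        # Stage 4: retrieve from the KB for questions not seen last year.
        kb_key, kb_sim = best_match(q, kb)
        if kb_sim >= kb_at:
            drafts.append(Draft(q, bucket, "new", kb[kb_key], kb_key, kb_sim))
        else:
            drafts.append(Draft(q, bucket, "unanswered", None, None, kb_sim))
    # Stage 5: assemble, in questionnaire order.
    return drafts


# Constructed inputs.
RAW = """
1. Do you encrypt data at rest?
2. Do you encrypt data at rest with customer-managed keys?
3. Do you require MFA for all employee access?
4. Describe your vulnerability management and pentest cadence.
5. What is your current insurance coverage?
"""
PREVIOUS = {
    "Do you encrypt data at rest?": "Yes. Customer data is encrypted at rest with AES-256.",
    "Do you require MFA for all employee access?": "Yes. MFA is enforced on all staff accounts.",
    "Do you maintain a business continuity plan?": "Yes. The plan is tested annually.",
}
KB = {
    "vulnerability management pentest cadence":
        "Vulnerabilities are triaged by severity; an external pentest runs annually.",
}

if __name__ == "__main__":
    for d in ingest(RAW, PREVIOUS, KB):
        print(f"[{d.bucket:10}] {d.status:12} {d.similarity:.2f}  {d.question}")
```

Question 2 is the whole point: it scores 0.5 against last year's encryption question, which is enough to surface the old answer but not enough to reuse it, because "yes, AES-256" says nothing about customer-managed keys. Question 5 ends up unanswered, which is the small tail the retrieval post says is not retrieval at all.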
DDQ Anatomy, Part 4 of 4: operations and vendor management
The closing section of a vendor DDQ. Incident response from the operational side, business continuity, vendor risk management, and the questions that decide whether you're a vendor procurement will renew.
DDQ Anatomy, Part 3 of 4: the security section
The security section is 60 questions long, mostly SOC 2-shaped, and it's where vendors most often ship answers that won't survive the buyer's actual security review. Here's what's asked and how to respond.
DDQ Anatomy, Part 2 of 4: legal and privacy
The legal and privacy section of a vendor DDQ is where 45 questions repeat bid-to-bid. Here's what they ask, what evaluators check, and how to answer without losing a week to it.
The DDQ response playbook, end to end
A canonical playbook for due-diligence questionnaires. Seven stages from intake to post-mortem write-back, what each stage owns, where each one breaks, and why the same DDQ next year should take half the time.
DDQ Anatomy, Part 1 of 4: the finance section
What the finance section of a DDQ asks — SOC audit history, revenue recognition, debt covenants, parent-company financials. What evaluators want, where questions repeat, and what good answers look like.
In preview: DDQ question classification
Every question in an ingested DDQ is classified at intake into finance, legal/privacy, security, or operations buckets. In preview behind a feature flag — DDQ is a pursuit-type the marketed platform does not yet describe.