Skip to main content
Back to Guides
Compliance5 min read

Answering Vendor Privacy Questionnaires Without the Panic

Enterprise deals stall on a spreadsheet: the security and privacy questionnaire. Here's what SIG and CAIQ ask, which documents actually close the loop, and how the cookie consent questions get answered from your logs instead of a guess.

The spreadsheet that decides the deal

You've had the demo calls, the pricing is agreed, legal is drafting. Then procurement sends a spreadsheet with 300 questions about your security and privacy practices, and the deal goes quiet for three weeks. That questionnaire is where enterprise sales actually gets won or lost, and the companies that answer it fast have a real advantage.

Most of these questionnaires aren't bespoke. They're built from one of two industry templates, and once you recognize the format, you can prepare answers in advance instead of scrambling per deal.

The two questionnaires you'll actually see

The SIG (Standardized Information Gathering) questionnaire comes from Shared Assessments. It's the broad one, covering security, IT, privacy, and operational risk across a large set of domains, and it maps its questions to dozens of regulatory frameworks. There's a full version (SIG Core, hundreds of questions) and a shorter SIG Lite for lower-risk vendors.

The CAIQ (Consensus Assessments Initiative Questionnaire) comes from the Cloud Security Alliance and is tuned for cloud providers. It maps to the CSA's Cloud Controls Matrix and, unlike SIG, it's freely available. A lot of vendors fill out a CAIQ once and publish it so buyers can self-serve.

Both include a privacy section. That's the part where questions about cookies, tracking, consent, and data subject rights land, and it's the part a security engineer filling out the rest of the form often can't answer without help.

You'll also see plenty of custom questionnaires that borrow from these templates without following them exactly, plus shorter proprietary ones from individual enterprises. The good news: the underlying questions repeat. Prepare for SIG and CAIQ and you've prepared for most of what a custom form throws at you.

The documents that answer half the questions for you

A well-run answer process leans on a small stack of documents. Have these ready and a large share of any questionnaire resolves to "yes, see attached":

  • A SOC 2 Type II report, or an ISO 27701 / ISO 27001 certificate, depending on which the buyer recognizes.
  • Your data processing agreement (DPA), the contract that governs how you handle the customer's personal data under GDPR Article 28.
  • A current subprocessor list: every third party that touches customer data, what they do, and where they're located.
  • A summary of your technical and organizational measures (TOMs) under Article 32: encryption, access control, logging.
  • A penetration test summary or attestation letter (the summary, not the raw report with live findings).

Keep these current. A subprocessor list that's a year stale or a certificate that expired last quarter does more damage than not having a portal at all, because it tells the buyer your process is sloppy.

The cookie and consent questions

The privacy section almost always includes some version of these: How do you obtain consent for tracking? Can you produce evidence of consent? Do you honor opt-out signals like Global Privacy Control? How long do you retain personal data? Who are your analytics and advertising subprocessors?

These trip people up because the honest answer is operational, not a policy line. "We obtain consent" isn't enough. The buyer's privacy reviewer wants to know that you capture the decision and can retrieve it. This is where a consent platform earns its place in the sales cycle. CookieBeam logs each consent event with a timestamp, the banner version, and the exact purposes accepted or rejected, and it can honor GPC signals as a rejection. So the answer to "can you produce evidence of consent" becomes "yes, here's an exported record," and the answer to "do you honor GPC" is a configuration you can point to. On the subprocessor question, your consent tool also gives you the current inventory of trackers firing on your site, which is exactly the list a reviewer wants to reconcile against your disclosures. See how to audit your cookie consent setup for building that inventory.

Answer once, reuse everywhere

The mistake is treating each questionnaire as a fresh writing project. Build an internal answer library: a canonical response to every common question, with the supporting document attached, reviewed by whoever owns security and whoever owns privacy. When a new spreadsheet arrives, most of it is copy-paste, and only the genuinely deal-specific items need thought.

Better still, put the reusable material somewhere buyers can reach it without asking. That's what a privacy trust center is for, and it turns the three-week questionnaire delay into a link you send on the first call. The point of all this isn't to look compliant. It's to prove, quickly, that you run a real privacy operation, which is the same thing the buyer's DPA review is checking from the other direction.

What reviewers are actually checking

Behind the questions, a privacy reviewer is testing one thing: whether your answers match reality. They'll cross-check your questionnaire against your public documents, your DPA, and, increasingly, what they can observe directly. If you claim you get consent before loading analytics, they may open your own site with dev tools and watch what fires before they click anything. A mismatch there sinks credibility faster than a gap you disclosed honestly.

So the winning move isn't a perfect-sounding answer. It's a consistent one, backed by something checkable. "We honor GPC" should be true when they test it. "We can produce consent records" should mean you actually can, on the spot. Vendors that treat the questionnaire as a marketing exercise get caught; the ones that answer from real systems close faster and renew without friction.

Vendor Privacy and Security Questionnaires: A GDPR Guide | CookieBeam | CookieBeam