Needs confirmation
Vulnerability scan cadence, production hosting region, and legal-approved breach notification wording.
Sample
This mock answer pack (fictional company, no customer data) shows how TrustDesk handles a questionnaire when source material is available but incomplete. Gaps are flagged, never papered over.
| Question | Draft answer | Evidence | Confidence | Status |
|---|---|---|---|---|
| Do you maintain a written information security policy? | Yes. A written information security policy covers access control, data protection, incident response, vendor management, and employee responsibilities. Reviewed at least annually. | Information Security Policy, §1, §8 | High | Ready for approval |
| Do you enforce MFA for administrative access? | Multi-factor authentication is enforced for administrative access to production, cloud, and identity systems. | SOC 2 summary, logical access controls | High | Ready for approval |
| Do you have a documented incident response process? | Yes. A documented process covers triage, containment, investigation, communication, remediation, and post-incident review. | Incident response policy excerpt | High | Ready for approval |
| What is your customer breach notification timeline? | The DPA states customers are notified without undue delay after confirmation of a security incident affecting customer personal data. | Data Processing Addendum, security incident section | Medium | Customer legal approval recommended |
| Do you conduct penetration testing? | No answer drafted. The provided materials do not confirm whether testing is performed. | No supporting source found | Low | Needs evidence |
The penetration testing question cannot be answered safely without a source document, an attestation, or an approved "not performed" response.
Approved security policy, access control, and incident response answers become answer-library seeds for the next review.