What Security Questionnaires Actually Test — And What They Should Tell You About Your AI Vendor
Security questionnaires aren't compliance theater — they're a vendor maturity diagnostic. The most telling question separates mature AI vendors from pretenders.
Philipp Heideker
Co-Founder & CEO
Last updated: April 10, 2026
TL;DR: Security Questionnaires are not compliance theater; they're a maturity diagnostic. Vendors that answer them clearly and completely tend to be reliable enterprise partners. The most telling question separates mature vendors from pretenders: "Where are our data stored, and will customer data be used to train your AI models?"
The Real Story Behind Enterprise Security Reviews
A 47-page security questionnaire landed on the desk of many early-stage AI founders the moment their first enterprise prospect came along. The immediate reaction, understandably, was eye-rolling: More bureaucracy.
But something unexpected happens after you work through one. You realize: this isn't a compliance checkbox. It's a vendor maturity scan.
Each question—even the repetitive or obscure ones—tests whether a company has genuinely thought through enterprise data responsibility or is simply hoping nobody asks uncomfortable questions. The questionnaires enterprises send are not arbitrary. They're distilled from thousands of vendor failures, security breaches, and regulatory fines. They represent institutional memory.
What Security Questionnaires Actually Assess
Security questionnaires typically evaluate three capabilities, in order of enterprise criticality:
1. Data Residency and Handling
Where does customer data live? Can the vendor move it? Is it encrypted in transit and at rest? Can customers request deletion?
This is the foundational question. If a vendor is unclear about data location, or stores everything in the US while serving GDPR-bound European enterprises, the questionnaire flags this immediately.
2. Architectural Maturity
Does the vendor have role-based access controls? Multi-factor authentication? Audit logging? Security monitoring? Incident response procedures?
These are not exotic requirements. They're table stakes for any company processing regulated data. Yet many younger AI startups haven't implemented them because they've prioritized speed over structure.
3. Governance and Accountability
Does the vendor have a dedicated security function (a CISO, or a dedicated security team)? Are there formal policies for vendor access, background checks for developers, regular security training?
Governance questions distinguish companies that have thought deeply about security from those that have simply coded it.
The pattern that emerges: most questions don't require exotic infrastructure. They require discipline, documentation, and honest answers. "Yes, we handle that" because it's actually designed that way, not because you hope nobody notices otherwise.
Why Many AI Startups Struggle With Enterprise Security Reviews
The short answer: they didn't architect for enterprise from day one.
Not because they're indifferent to security, but because they optimized for speed, not structure.
When you're building a prototype, you store customer data wherever is simplest. You move fast. You iterate. You think about product, not process. Procedures feel like overhead.
Then your first enterprise prospect asks: "Describe your data classification system and controls for personal data."
You have neither. You have a database.
This cascades. Common gaps include:
- No SOC 2 audit. Comprehensive audits take time and resources, so early-stage startups often defer them. Then enterprises require them.
- Unclear policy on training with customer data. Many early AI companies have no formal position on whether they use customer data to improve models. The default is often "maybe, we're still deciding"—exactly what enterprises cannot accept.
- No data residency options. Built for the US market; EU customers ask for EU-only hosting.
- Missing SSO support. Enterprises want to provision access through Okta or Azure AD, not create local accounts.
- Incomplete audit trails. When "show me every action on our data in the last 90 days" requires manual database log reading, you've failed.
The startups that struggle aren't negligent. They're typical. They optimized for product-market fit and then discovered that enterprise customers are buying something different: reliability and control.
The Single Most Diagnostic Question
Most security questionnaires contain 50+ questions. But one question does most of the filtering:
"Where is customer data stored? Will customer data be used to train your AI models?"
A mature enterprise vendor answers clearly:
- Data is stored in [specific geography: Germany, EU].
- Customer data is not used to train our models.
- Customers can request deletion.
- Data is encrypted in transit and at rest.
A vendor still finding its footing typically hedges:
- "That depends on the region..."
- "We use anonymized data for model improvement..."
- "We're currently finalizing our data residency strategy..."
The difference is maturity. Mature vendors have made these decisions and can articulate them without qualification. Hedging indicates the decision hasn't been made yet, or the vendor isn't confident in defending it.
How GDPR Became an Advantage for Responsible European AI Vendors
This might seem counterintuitive—isn't GDPR a compliance burden?—but for vendors serious about enterprise, GDPR is a structural advantage.
GDPR Enforces Clarity
American tech companies often operated in a regulatory environment where "we'll sort out liability later" was acceptable. GDPR doesn't permit that. You must know where data lives, what happens to it, how it's protected, and how you respond if something fails.
This forced clarity becomes a competitive strength: you know your own architecture and can defend it.
GDPR Makes Violations Expensive
High-profile enforcement actions against large tech platforms (with fines in the billions) have crystallized CFO and procurement attention. Data protection is no longer theoretical; it has a price tag.
GDPR Shapes Organizational Design
US venture capital historically rewarded growth at any cost. European regulation rewards responsible operations. This shapes the DNA of companies: which decisions they make early, which trade-offs they accept, which corners they won't cut.
The EU AI Act (in force since August 2024) adds an additional layer, imposing governance requirements on high-risk AI systems, including those used in employment or coaching contexts. This creates another round of regulatory clarity that vendors must answer for.
What Enterprise Buyers Should Actually Look For
Data Sovereignty Outweighs Feature Richness
A vendor with average AI capabilities but bulletproof data handling will outperform a vendor with brilliant AI and loose data practices. As usage scales, data protection becomes a load-bearing wall. When it fails, everything collapses. Features improve over time. Data cannot be recovered.
Governance is Proof of Maturity
When a vendor has a security function, documented incident response, and regular security training, they've already survived growth. They've solved the hard organizational problems that trip up startups.
Clarity is a Filter
Vendors that hedge on data location, data usage, or deletion policies haven't yet decided. They're still in startup mode, where decisions are flexible and reversible. Enterprise prospects want vendors in enterprise mode: decisions are locked in and defensible.
10 Questions to Ask Your AI Vendor About Security
| Question | What It Tests | Red-Flag Response |
|---|---|---|
| Where is customer data stored geographically? | Data residency and compliance | "It varies" / "We can move it later" |
| Will customer data be used to train your AI models? | Data governance and privacy ethics | "Anonymized data" / "We're reviewing that" |
| How quickly can we request deletion of our data? | Data lifecycle and deletion rights | "90 days" / "We're working on faster deletion" |
| Do you have SOC 2 Type II certification? | Third-party security audit | "We're working on it" / "Not yet" |
| Who in your company has access to our data? | Access controls and accountability | "Developers when needed" |
| Do you support SSO/SAML? | Enterprise access management | "Not yet" / "On the roadmap" |
| How do you respond to security incidents? | Incident response maturity | No documented process |
| Do you have a Data Processing Agreement? | Legal compliance framework | "We use standard terms only" |
| How often do you conduct security training? | Security culture and discipline | Ad-hoc or informal |
| Can you provide audit logs of our data access? | Transparency and accountability | "Only aggregated reports" |
What Mature Vendor Responses Look Like
When a vendor is operating at scale and has thought through enterprise requirements, certain patterns emerge in how they answer:
On data: Answers are specific and geographic. "All EU data is stored in Frankfurt on German infrastructure" rather than "it's somewhere in Europe."
On access: There's a clear explanation of who needs data and why. "Customer success teams can view usage dashboards but cannot see chat transcripts. Engineers have read-only access to logs for debugging."
On incidents: They describe an actual process: notification timeline, escalation path, customer communication. Not a rough sketch, but something they've practiced.
On compliance: They've already undergone audits or are in the middle of one. They don't describe it as a future project.
On deletion: They can be precise about timelines. "Within 30 days, all customer data is purged from production systems and backups."
When Sleak Worked Through Its First Enterprise Security Review
When a large German automotive supplier sent over their security questionnaire, the initial expectation was painful compliance work. What emerged was more valuable.
The questionnaire forced clarity on design decisions that had been implicit assumptions. Sleak had assumed customer data would stay in Germany, but built no architecture to guarantee it. They'd said they don't train on customer data, but had no audit trail to prove it.
The choice became clear: either invest in proper infrastructure or stop claiming enterprise readiness.
The investment came first: dedicated EU infrastructure, field-level encryption for sensitive coaching data, comprehensive audit logs for every data access, a formal Data Processing Agreement, and advisory support on security practices.
Three months of engineering. Real cost.
What happened next was unexpected: the thorough questionnaire response became a sales advantage. Procurement teams didn't need to be convinced of commitment—Sleak could show concrete evidence (audit logs, architecture diagrams, DPA). The deal closed faster. The legal process was cleaner. And the product was genuinely more secure.
This is typical: vendors that invest in maturity find that enterprise deals move faster, not slower. Buyers trust clear answers over vague reassurance.
Frequently Asked Questions
Q: Do I need SOC 2 to sell to enterprise customers? A: Not legally, but practically it carries weight. SOC 2 Type II (audited over time, not just a snapshot) costs time and money, and the timeline depends on the audit firm and your readiness. Start the conversation early if you plan to serve enterprise.
Q: What's the difference between GDPR and the EU AI Act for AI vendors? A: GDPR governs how you handle data. The EU AI Act governs the AI system itself: how it makes decisions, whether it's high-risk, what documentation is required. An AI coaching system in an employment context is likely classified as high-risk. Both apply simultaneously.
Q: If we're fully GDPR-compliant, are we compliant with the EU AI Act? A: Not automatically. You can handle data perfectly (GDPR) but fall short on system documentation or risk management (AI Act). They're separate frameworks with overlap, not identical.
Q: Should security slow down product development? A: Not ideally—it should redirect it. Secure defaults baked into architecture from the start are cheaper and faster than retrofitting security later. Vendors that struggle are usually those who built fast first and tried to add security afterward.
What This Means for Vendor Selection
When an enterprise prospect sends a 47-page security questionnaire, it's not bureaucratic friction. It's honesty. They're showing you what they've learned from previous vendor failures.
When a vendor answers those questions clearly and thoroughly, it's not compliance theater. It's maturity. They've made the hard decisions. They understand that security is non-negotiable.
In AI, where trust is hardest to build and easiest to destroy, this distinction matters enormously.