How do I respond to a security questionnaire without a SOC 2 report?

March 6, 2026 | 2 min read | First-Time SOC 2

The Situation

An enterprise prospect sends you a security questionnaire — 50-100 questions about your security practices. You don't have a SOC 2 report to point to. Here's how to handle it.

Response Strategy

Be Specific, Not Generic

Bad: "We use industry-standard encryption."

Good: "All data at rest is encrypted using AES-256 via Supabase PostgreSQL. Data in transit is encrypted via TLS 1.3 on all Vercel endpoints."

Be Honest About Gaps

Bad: "Yes, we conduct annual penetration testing." (You don't.)

Good: "We have not conducted a formal penetration test yet. We use automated vulnerability scanning via Dependabot and plan to conduct our first pentest in Q3 2026."

Attach Evidence

For key questions, attach supporting screenshots:

  • MFA enforcement settings
  • Encryption configuration
  • Branch protection rules
  • User access list showing role-based access

Common Questions and How to Answer

Question | How to Answer Without SOC 2
"Do you have a SOC 2 report?" | "We are pursuing SOC 2 Type I, targeting [date]. In the interim, here are our current security controls."
"How do you handle access management?" | Describe your exact process: SSO provider, MFA enforcement, access review cadence.
"How do you manage code changes?" | "All changes require a GitHub PR with peer review and CI checks before merge to main."
"Do you have an incident response plan?" | Provide the plan if you have one; if not, describe how you would respond.
"Where is data stored?" | Name your providers, regions, and encryption settings.

Tips

  • Respond within 1 week. Slow responses signal organizational immaturity.
  • Be consistent. If you send a questionnaire to one customer, save your answers for the next one.
  • Mention your SOC 2 timeline. "We're pursuing SOC 2 and expect our report by [date]" shows commitment.
  • Create a trust page. Publish your security practices on your website so prospects can self-serve basic information.
  • Use a tool like Screenata to accelerate your SOC 2 timeline so you can replace questionnaires with a report sooner.

© 2025 Screenata. All rights reserved.