RFP, Security Questionnaire & Vendor Risk Glossary
Plain-language definitions for RFPs, security questionnaires, DDQs, vendor risk assessments, trust centers, and compliance terms. 39 terms defined and regularly updated. Use this glossary when responding to questionnaires or building your compliance program.
What this glossary covers
This glossary explains the language behind security questionnaires, vendor risk assessments, trust centers, compliance packs, and AI-governed response workflows. It is built for security teams, revenue teams, procurement leaders, and buyers who need quick answers during active reviews.
The glossary also connects directly to VeriRFP's Learn hub, where each term links to a deeper guide, comparison page, or workflow article. That makes it a fast reference layer and a navigation hub for the broader education library.
How to use this glossary
Each term includes a concise definition, operational context explaining how the term appears in real security review workflows, and an extended guide with common pitfalls and best practices. Use the definitions when responding to buyer questionnaires, writing internal security policies, or training new team members on vendor risk vocabulary. Terms link to related entries and deeper guides in the VeriRFP Learn library, so you can move from a quick lookup to a full workflow article without leaving the glossary.
The glossary organizes around five topic areas: questionnaire formats and standards (SIG, CAIQ, VSAQ, DDQ), compliance frameworks and certifications (SOC 2, ISO 27001, FedRAMP, HIPAA), vendor risk management processes (TPRM, due diligence, risk scoring), trust center and buyer-facing concepts (NDA gating, compliance packs, buyer analytics), and AI governance terminology (ATF, prompt injection, behavioral monitoring, circuit breakers). Browse the full list below or click any term to read the complete definition with operational context.
Why precise terminology matters in security reviews
Security questionnaires are high-stakes documents where imprecise language creates real risk. When a buyer asks about your "incident response plan" and your team conflates it with "business continuity," the resulting answer may satisfy the question literally but fail the spirit of the review. Buyers and their auditors scrutinize terminology carefully — using "encryption at rest" when you mean "encryption in transit" can trigger follow-up questions, delay procurement, or disqualify a vendor entirely. This glossary helps teams align on the precise meaning of each term before drafting responses.
Terminology also affects cross-team collaboration during questionnaire responses. Security engineers, legal counsel, and compliance officers often use the same words to mean slightly different things. A shared glossary reduces internal misalignment and ensures that the answer a security SME drafts, the legal reviewer approves, and the buyer receives all reflect the same understanding. Organizations that standardize their security vocabulary across teams consistently produce more accurate and internally consistent questionnaire responses.
AI Hallucination
AI hallucination is when a model generates plausible but factually wrong output — a critical risk that evidence-backed questionnaire automation prevents.
Audit Trail
An audit trail is a chronological record of system activities providing documentary evidence for compliance and security questionnaire verification.
Business Associate Agreement (BAA)
A BAA is the HIPAA-required contract governing how a vendor handles protected health information. Covered entities must sign one with every vendor touching PHI.
Business Continuity Plan (BCP)
A business continuity plan outlines how an organization continues operations during and after a disruption, commonly evaluated in vendor security reviews.
BYOK AI (Bring Your Own Key)
BYOK AI allows customers to supply their own API keys for AI services, ensuring data never passes through the vendor's AI infrastructure.
CAIQ (Consensus Assessments Initiative Questionnaire)
CAIQ is a cloud security questionnaire developed by the Cloud Security Alliance (CSA) to evaluate cloud service providers against the CSA Cloud Controls Matrix.
Cloud Controls Matrix (CCM)
The Cloud Controls Matrix (CCM) is a Cloud Security Alliance control framework for cloud environments, covering 197 control objectives across security domains.
Compliance Pack
A compliance pack is a curated bundle of security docs delivered to buyers during procurement: SOC 2, policies, certifications, and pen test summaries.
Data Processing Agreement (DPA)
A DPA is a contract that governs how a vendor processes personal data on behalf of a customer. GDPR-focused security reviews require one.
Data Residency
Data residency refers to the geographic location where data is stored and processed, a critical concern in security questionnaires for regulated industries.
Evidence Library
An evidence library is a centralized repository of approved security docs, policies, and prior responses used as source material for questionnaire answers.
FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is the US government program that standardizes security assessment for federal cloud services.
GDPR
GDPR (General Data Protection Regulation) is the EU law governing personal data protection, with major implications for vendor security reviews and DDQs.
GRC (Governance, Risk, and Compliance)
GRC (Governance, Risk, and Compliance) is an integrated framework for managing governance structures, enterprise risk, and regulatory compliance.
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) establishes standards for protecting sensitive patient health information in the United States.
Incident Response
Incident response is the organized approach to addressing and managing security breaches and cyberattacks, frequently evaluated in buyer questionnaires.
ISO 27001
ISO 27001 is the international standard for information security management systems (ISMS), specifying how to establish, implement, and maintain controls.
MFA (Multi-Factor Authentication)
MFA requires users to verify identity with two or more factors and is one of the most common control checks in enterprise security questionnaires.
NDA (Non-Disclosure Agreement)
An NDA is a legal agreement gating access to sensitive compliance docs. Buyers sign NDAs before viewing SOC 2 reports, pen tests, and security architecture.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a set of standards for managing cybersecurity risk. Organizations of all sizes adopt it voluntarily.
PCI DSS
PCI DSS is a security standard for organizations that handle credit card data. It mandates specific controls for cardholder data protection.
Penetration Testing
Penetration testing is an authorized, simulated attack used to evaluate system security. Pen test results are common evidence in security questionnaires.
Procurement Portal
A procurement portal is a dedicated workspace where vendors deliver curated security documentation, compliance packs, and follow-up materials to buyers.
RBAC (Role-Based Access Control)
RBAC is an access control method that assigns permissions based on user roles, commonly asked about in security questionnaires and compliance reviews.
Security Questionnaire
A security questionnaire is a set of questions buyers use to evaluate a vendor's security posture and compliance during procurement.
Security Questionnaire Automation
Security questionnaire automation uses AI and evidence libraries to draft, review, and deliver responses to buyer security questionnaires at scale.
Shared Responsibility Model
The shared responsibility model defines which security controls the cloud provider owns versus the customer — referenced often in cloud security reviews.
SIG Questionnaire
The SIG (Standardized Information Gathering) questionnaire is a standardized vendor risk assessment tool created by Shared Assessments covering 18 risk domains.
SLA (Service Level Agreement)
An SLA is a formal agreement defining service commitments — uptime guarantees, response times, support levels — commonly evaluated in vendor security reviews.
SOC 2
SOC 2 is an AICPA audit framework evaluating service organizations on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SSO (Single Sign-On)
SSO allows users to authenticate once to access multiple applications. It is a frequently required capability in enterprise security questionnaires.
Subprocessor
A subprocessor is a third party that processes personal data on behalf of a data processor. Security reviews require vendors to disclose all subprocessors.
Third-Party Risk Management (TPRM)
Third-party risk management (TPRM) is the discipline of identifying, assessing, and mitigating risks from external vendors, suppliers, and service providers.
Trust Center
A trust center is a public-facing web page where vendors publish their security posture, compliance certifications, and documentation for buyers.
Vendor Risk Assessment
A vendor risk assessment evaluates a third-party vendor's security, compliance, and operational risks before and during the business relationship.
Vendor Risk Scoring
Vendor risk scoring assigns numerical risk ratings to vendors based on questionnaire responses, compliance documentation, and external threat intelligence.
Vendor Security Review
A vendor security review is the end-to-end process where a buyer assesses a vendor's security posture via questionnaires, documentation, and risk scoring.
VSAQ (Vendor Security Assessment Questionnaire)
A VSAQ is a vendor security assessment questionnaire buyers use to evaluate a vendor's security controls, usually customized to the buyer's requirements.
Zero Trust Architecture
Zero Trust is a security model requiring strict identity verification for every user and device, increasingly referenced in enterprise security questionnaires.
Deep-dive guides
Some topics need more than a quick definition. These long-form guides cover real examples, response workflows, and best practices end to end.
Due Diligence Questionnaire (DDQ)
Full guide to DDQs — types (vendor, investment, M&A, regulatory), 8 content domains with sample questions, 18 real examples, response best practices, and a realistic timeline.
Security Questionnaire
Definition, common formats (SIG, CAIQ, VSAQ, custom), response process, and how teams use automation to cut turnaround from weeks to hours.
Trust Center
What a trust center is, the reactive-to-proactive evolution, NDA-gated document access, and how trust centers reduce inbound questionnaire volume.