Customer Due Diligence

What to Do When a Customer Sends Security Questions

A practical response plan for founders who have received customer security questions and need to answer clearly without scrambling through scattered documents.

Quick Verdict

Do not rush to answer every question from memory. First, identify what the customer is really asking for: controls, ownership, evidence, risk management, data protection or incident readiness. Then answer with what exists, what is planned and who owns the next action.

Without panic, vague promises or claiming maturity you cannot evidence.

Who this is for

This page is useful for

  • Founders with an active customer security request
  • Teams answering due diligence for the first time
  • Operators collecting evidence manually
  • Startups worried a deal may stall
  • Businesses that need credible answers without overclaiming

Founder pressure this addresses

Without panic, vague promises or claiming maturity you cannot evidence.

This is the practical security middle ground: enough structure to build trust, without turning your startup into a large-enterprise security programme too early.

What founders are really asking

A customer security request is not just an admin task. It is a trust test. The customer wants to know whether your business can protect data, operate responsibly and explain how security is managed.

The right answer is usually not “do everything”. It is to create a clear security baseline that shows what exists, who owns it, what evidence supports it and what needs to improve next.

Practical breakdown

Use this table to translate the question into the security areas your startup should organise.

Area What it means Useful evidence or output
Policy questions They want to know whether expectations are documented. Security policy, access policy, incident policy.
Access questions They want to know who can reach sensitive systems and data. Access register, MFA notes, leaver process.
Vendor questions They want to know whether third parties are understood. Supplier list and risk notes.
Incident questions They want to know what happens if something goes wrong. Incident contacts and escalation route.
Evidence questions They want proof, not just statements. Screenshots, trackers, review records and approvals.

How to respond without scrambling

Sort questions into categories

Sort questions into categories

Mark what you can evidence now

Mark what you can evidence now

Flag what needs clarification

Flag what needs clarification

Avoid overclaiming controls that do not exist

Avoid overclaiming controls that do not exist

Create an evidence folder as you answer

Create an evidence folder as you answer

Use the gaps to build your next security priorities

Use the gaps to build your next security priorities

Use this when…

  • A customer security questionnaire has arrived
  • A deal is waiting on security answers
  • You are not sure which evidence to provide
  • You need to turn one request into a repeatable process

Recommended next steps

The best next step depends on whether you need clarity, templates, implementation support, readiness review or ongoing security judgement.

Next step

Need to diagnose the gaps?

Use the quiz to identify which security areas need the most attention before the next request.

Take the quiz

Next step

Need templates and structure?

Use the Security Toolkit to organise policies, access, vendors, risk and evidence.

Get the Security Toolkit

Next step

Need help with an active request?

Book a consultation if a customer question set is already blocking progress.

Book a free 30 min consultation

Simple maturity route

Start with the Startup Security Quiz if you need clarity. Use the Security Toolkit if you need a baseline. Move to the Implementation Kit when you need repeatable processes. Use the Security Readiness Audit when external scrutiny is approaching. Use Fractional Security Advisor when security decisions need ongoing leadership.

Frequently asked questions

Should we answer customer security questions even if controls are not perfect?

Yes, but answer accurately. Explain what exists, what is planned and what is owned rather than overstating maturity.

What if we do not have all the evidence?

Record the gap, decide whether it is material, and create an action plan. Missing evidence is often a sign that the process is informal.

Can a security questionnaire block a deal?

It can, especially if the customer has procurement, legal, compliance or data protection requirements.

What should we build after answering the first questionnaire?

Create reusable evidence, standard answers, owners and a review cadence so the next request is easier.

References