artjomb | 5 years ago
These are reasonable questions and I see quite a lot of value in them if they are filled out extensively and in good faith. Most of the answers to the usual security questionnaires can be deduced from the responses to this DSQ.
I really have a problem with Q6:
> Have you had any security breaches in the last two years?
> If yes: please explain the breach, and provide copies of any postmortem/root cause analysis/after-action reports.
Almost nobody will answer this truthfully. I see a couple of options:

1. There was a breach and it was public. Then why are you asking? Do your research!
2. There was a breach and it was not made public. The company will likely not admit it to you.
3. There was a breach but it was a) not relevant to your case, b) internal, c) the data lost was not customer data, d) we forgot that there was one, etc.

While lying in case 2 might make the vendor liable (IANAL), they might be able to argue that case 3 actually applied.