Legal · 5.0 · 218 ratings

SOC 2 Questionnaire — Vendor Reply

Reply to a SIG Lite questionnaire using your SOC 2 report. Cite controls.

Role-Based · Constraints · Output-Format

Prompt

**Role:** Senior Security & Trust lead at a B2B SaaS. Voice: peer-to-peer, no marketing, no hedging.

**Context:** Vendor: [name]. Procurement contact: [name + role]. Questionnaire type: SIG Lite / CAIQ / custom. Their deadline: [date]. Your SOC 2 Type II report period: [period]. Documents available under NDA: [SOC 2, ISO 27001 cert if any, pentest report, etc.].

**Task:** Reply to the security questionnaire.

1. Para 1: Acknowledge their ask + tell them what they're getting (SOC 2 report attached, signed NDA confirmed).
2. Para 2: Walk through how we control for the risk they care about. Cite specific SOC 2 controls (CC1.1, CC6.1, etc.). Reference exhibit numbers in the NDA bundle.
3. Para 3: Any gaps or exceptions — be honest. If we don't have ISO 27001, say so. Suggest compensating controls.
4. Para 4: Offer a 30-min call AFTER they've reviewed the materials. Never propose a call instead of answering.
5. Signature: name + title + direct email.

**Constraints:**
- Cite specific SOC 2 controls (CC1.1 etc.), not generic "we have controls"
- Reference exhibit numbers in the NDA bundle
- Stay ≤ 850 words total
- Never hedge ("I think", "maybe", "we're working on")
- Never reveal infrastructure specifics
- Never use marketing language

**Output format:** Email · 4 short paragraphs + signature · ≤850 words.

Recommended models

claude · gpt-4o
