Security Questionnaire Glossary for SaaS Founders
Security questionnaires use terms that sound heavier than they need to. This glossary explains common buyer-review language in plain English so SaaS founders can answer with less confusion.
Quick note
This guide is practical product education, not legal advice, security advice, SOC 2 certification, GDPR certification, or compliance certification. Review every answer against your actual product and company processes before sending it to a buyer.
Subprocessor
A third-party vendor that helps process customer data. Common examples include hosting providers, databases, payment processors, email services, support tools, and AI providers.
RTO and RPO
RTO is recovery time objective: how quickly you aim to restore service after an outage. RPO is recovery point objective: the maximum amount of data loss that is acceptable, measured in time, which in practice means how old your most recent restorable backup is allowed to be. Do not invent these numbers if they are not defined.
Encryption in transit and at rest
In transit means data moving between systems, usually protected by HTTPS/TLS. At rest means stored data, protected by database, disk, or storage encryption.
Least privilege
A security principle where users and team members get only the access they need to do their job, and nothing more. It is a strong phrase, so only use it if your access-granting and review process actually supports it.
Incident response
The process for detecting, investigating, containing, communicating, and fixing security incidents. Small teams can start with a lightweight policy and improve it over time.
Make this easier in VettBase
VettBase helps small SaaS teams draft security questionnaire answers, save reviewed wording, reuse approved answers, and flag missing information before sending unsupported claims.