
How to Answer CAIQ-Lite (with Templates and Sample Answers for SaaS)

Complair team · 12 min read

TL;DR — CAIQ-Lite is the 73-question security questionnaire enterprise buyers send you before they'll sign a contract. Most SaaS founders waste 12 hours per response writing answers from scratch and still lose deals on weak language. This guide walks through every question theme, gives you sample answers, and provides a free Excel template you can adapt in an afternoon. The real unlock is canonical answers — write once, reuse forever.

You've sent the demo. You've quoted the price. The buyer says "love it, just need to clear procurement." Then it lands in your inbox — a spreadsheet with 73 yes/no/comment columns titled "CAIQ-Lite." The deadline is Friday. The deal is six figures. You sigh, open the file, and lose your weekend.

This is the modern SaaS sales cycle. CAIQ-Lite — the Cloud Security Alliance's "lite" version of their 235-question Consensus Assessment Questionnaire — is now standard procurement gating for enterprise buyers in EU and US markets. If you sell to anyone over 200 employees, you'll see it.

This guide gives you the structure to answer it well, the sample answers to copy from, and the system to never answer the same question twice.

What CAIQ-Lite actually is

The Cloud Security Alliance (CSA) maintains the Consensus Assessment Initiative Questionnaire — a standardised set of security and compliance questions for cloud service providers. The full CAIQ has 235+ questions across 17 domains. CAIQ-Lite distills this to ~73 questions covering the most-asked topics.

Buyers like it because:

  • It's standardised — they ask every vendor the same thing
  • It's free — no licensing fee
  • It maps to ISO 27001, SOC 2, NIST CSF, GDPR

You should like it because:

  • Once you've answered it well, the same answers reuse across ~80% of buyer questionnaires
  • It exposes your weaknesses before they become contract risks
  • Strong answers shorten sales cycles by 2–6 weeks

CAIQ-Lite is published as an Excel file. Three columns: Question, Yes/No/N/A, Notes. The notes column is where deals are won or lost.

The 10 themes — what's actually being asked

CAIQ-Lite questions cluster into 10 themes. Group your answers by theme; you'll see the same question rephrased four times across different domains.

Theme 1: Audit & Compliance (Q1–Q8)

What buyers want: proof that an independent third party has verified your security posture.

Common questions:

  • Do you have SOC 2 Type II?
  • Do you have ISO 27001?
  • Do you publish audit reports?
  • Are you GDPR-compliant?

Sample answers:

Q: Do you have SOC 2 Type II? Yes / No / In progress. Notes: "We are currently in our SOC 2 Type II observation period (started Jan 2026; report expected Q3 2026). SOC 2 Type I report available under NDA. Audit firm: [name]."

Q: Do you publish audit reports? Yes. Notes: "Trust Centre at /security includes our latest audit summary, sub-processor list, security whitepaper, and DPA. Full reports under NDA on request."

The trap: don't write "We will be SOC 2 compliant by end of year" — that's a roadmap promise, not an answer. Write what's true today plus the dated milestone.

Theme 2: Data Encryption (Q9–Q14)

Common questions:

  • Is data encrypted at rest?
  • Is data encrypted in transit?
  • What's the encryption algorithm?
  • Who manages the keys?

Sample answers:

Q: Is data encrypted at rest? Yes. Notes: "All customer data is encrypted at rest using AES-256-GCM. Database storage encrypted at the disk level (AWS EBS) and at the application level for sensitive fields (PII, credentials)."

Q: Who manages encryption keys? Yes. Notes: "Keys managed via AWS KMS with automatic annual rotation. Customer-managed keys (CMK) available on the Enterprise plan. Key access is logged and reviewed quarterly."

The trap: vague answers like "Yes, we encrypt." Buyers' security teams parse for specifics — algorithm name, key length, KMS provider, rotation policy.

Theme 3: Access Control (Q15–Q22)

Common questions:

  • Do you support SSO?
  • Do you support MFA?
  • Is there role-based access control?
  • How is privileged access managed?

Sample answers:

Q: Do you support SSO? Yes. Notes: "SAML 2.0 SSO via Okta, Azure AD, Google Workspace, OneLogin. Available on Scale tier and above. SCIM 2.0 user provisioning on Enterprise."

Q: How is privileged access managed? Yes. Notes: "Production access requires hardware MFA (YubiKey), is logged via AWS CloudTrail, and is reviewed quarterly by the security lead. Just-in-time access via temporary IAM role assumption — no standing root credentials."

The trap: answering "Yes" without specifying the auth flow. Buyers' identity teams need to plan their integration.

Theme 4: Network Security (Q23–Q28)

Common questions:

  • Is there network segmentation?
  • Do you have a WAF?
  • DDoS protection?
  • VPN access for employees?

Sample answers:

Q: Do you have a WAF? Yes. Notes: "AWS WAF with managed rule sets (AWS-AWSManagedRulesCommonRuleSet, AWS-AWSManagedRulesKnownBadInputsRuleSet) plus custom rules for application-layer threats. Rate limiting at 100 requests/sec per IP."

Theme 5: Vulnerability Management (Q29–Q34)

Common questions:

  • How often do you scan for vulnerabilities?
  • What's your patch SLA?
  • Do you do penetration testing?
  • How do you handle disclosures?

Sample answers:

Q: Do you do penetration testing? Yes. Notes: "Annual third-party penetration test by [firm name], plus continuous automated scanning via [tool]. Latest report (executive summary) available under NDA. Critical findings remediated within 14 days; high within 30; medium within 90."

Q: How do you handle disclosures? Yes. Notes: "Security disclosure policy at /security. We respond within 24 hours, triage within 72, and publish coordinated disclosures via our security mailing list."

Theme 6: Incident Response (Q35–Q40)

Common questions:

  • Is there an incident response plan?
  • What's the breach notification SLA?
  • Are incidents tracked and reviewed?
  • Do you do tabletop exercises?

Sample answers:

Q: What's the breach notification SLA? Yes. Notes: "GDPR Article 33 mandates 72 hours to the supervisory authority. Our customer-notification SLA is 24 hours from the moment we determine a breach has occurred, communicated via the customer's primary admin email plus status.complair.eu. Notifications include scope, impacted data types, and remediation status."

Theme 7: Business Continuity & Disaster Recovery (Q41–Q46)

Common questions:

  • What's your RTO?
  • What's your RPO?
  • Are backups encrypted?
  • Where are backups stored?

Sample answers:

Q: What's your RTO? Yes. Notes: "RTO: 4 hours. RPO: 15 minutes. Multi-AZ Postgres deployment with automated failover. Daily off-region backups retained 30 days, weekly retained 1 year. DR plan tested semi-annually with documented runbook."

The trap: round numbers ("less than 1 day") signal you don't actually measure. Specific numbers signal maturity.

Theme 8: Data Handling & Privacy (Q47–Q56)

Common questions:

  • Is the data isolated per tenant?
  • Where is the data stored?
  • Do you have a DPA?
  • Can the customer delete their data?
  • How long is data retained?

Sample answers:

Q: Is the data isolated per tenant? Yes. Notes: "Logical multi-tenancy with strict row-level access control via [acts_as_tenant or similar]. Every tenant-scoped query filters by company_id at the ORM layer; cross-tenant access is impossible without a superuser role on the database, which is restricted to [N] named individuals with audit logging."

Q: Where is the data stored? Yes. Notes: "EU-only by default — AWS Frankfurt (eu-central-1) primary, Dublin (eu-west-1) DR. US data residency available on Enterprise plan with separate AWS account."

Theme 9: Sub-processors & Supply Chain (Q57–Q62)

Common questions:

  • Do you publish a sub-processor list?
  • How are sub-processors vetted?
  • Is there a notification process for new sub-processors?

Sample answers:

Q: Do you publish a sub-processor list? Yes. Notes: "/legal/sub-processors. Updated within 5 business days of any change. Customers on Enterprise plan are notified 30 days in advance via email; objections handled per DPA Section 8."

Theme 10: AI & Automated Decision-Making (Q63–Q73)

This theme is new in 2025–2026 and is where most SaaS questionnaires now diverge. Buyers want to know:

  • Do you use customer data to train AI models?
  • Do you call third-party AI APIs?
  • Is the AI system high-risk under the EU AI Act?
  • Can users opt out of AI features?

Sample answers:

Q: Do you use customer data to train AI models? No. Notes: "We never use customer data — including prompts, documents, or any inputs — to train any AI model. We do not own or fine-tune foundation models. All AI features are powered by third-party APIs (Anthropic, OpenAI) under contracts that prohibit training on customer prompts (Anthropic Commercial Terms, OpenAI API Data Usage Policy)."

Q: Is your AI system high-risk under the EU AI Act? No. Notes: "Our AI features qualify as 'limited-risk' under EU AI Act Article 50. We provide transparency disclosures (users informed they are interacting with AI), do not perform any function listed in Annex III, and do not make decisions with legal or similarly significant effects on individuals. Documented classification available on request."

Q: Can users opt out of AI features? Yes. Notes: "All AI-powered features can be disabled at the workspace level by an admin. Individual users can opt out of AI suggestions in their personal settings. AI feature usage is fully logged and exportable."

The 5 most common mistakes

After reviewing 100+ SaaS responses to CAIQ-Lite, the same mistakes show up:

  1. Vague language. "We use industry-standard encryption." Industry standard for whom? Buyers' security teams need specifics — they're filling in their own grid.
  2. Roadmap answers as facts. "We will be SOC 2 compliant" gets flagged as a Yes that turns into a No on closer inspection. Damages trust.
  3. Inconsistency across questionnaires. You answer SIG one way, CAIQ-Lite another way, custom enterprise questionnaire a third way. Auditors compare. Inconsistency = red flag.
  4. Defensive language. "While we don't currently have ISO 27001, we are committed to security…" — sounds defensive, weakens trust. Better: state the fact, then state the timeline.
  5. No links to external evidence. Every "Yes" should link to a public page (security overview, sub-processor list, status page, audit report under NDA).

The unlock — canonical answers

Here's the secret most SaaS teams figure out only after their fifth questionnaire: stop answering questions, start maintaining canonical answers.

A canonical answer is the single source of truth for one question, owned by one person, reviewed quarterly. When a new questionnaire arrives, you don't rewrite — you copy from the library.

The canonical-answer system has 4 properties:

  1. One question → one answer. Even if 4 different questionnaires phrase it differently, there is one source of truth.
  2. Owned. Each answer has an internal owner (CTO, DPO, Head of Security) who signs off.
  3. Versioned. When the underlying fact changes (new sub-processor, new region, new policy), the answer is updated and the change is logged.
  4. Mapped. Each answer is mapped to the relevant frameworks (CAIQ-Lite Q47, SIG IT.4, ISO 27001 A.8.20).

Maintained well, this turns a 12-hour questionnaire into a 90-minute review-and-export task.
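To make the four properties concrete, here is an added illustration in Python (not Complair's code): a minimal canonical-answer library that enforces one question to one answer, records an owner, appends to a change log instead of overwriting, maps each answer to framework question ids, and can export rows for any questionnaire or list answers that have fallen outside the quarterly review window. The two sample answers are constructed from Theme 8; the "CAIQ-Lite Q48" mapping and the 90-day window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class CanonicalAnswer:
    key: str        # one internal id per question (property 1)
    owner: str      # who signs off on the wording (property 2)
    status: str     # Yes / No / In progress
    mappings: set   # framework question ids this answer serves (property 4)
    history: list = field(default_factory=list)  # (iso_date, text, reason) log (property 3)
    def update(self, text, reason, changed_on):
        self.history.append((changed_on, text, reason))  # never overwrite, append
    @property
    def current_text(self):
        return self.history[-1][1]

class AnswerLibrary:
    def __init__(self):
        self.answers = {}  # key -> CanonicalAnswer
        self.index = {}    # framework question id -> key
    def add(self, ans):
        for m in ans.mappings:  # a framework question may map to exactly one answer
            if self.index.get(m, ans.key) != ans.key:
                raise ValueError(f"{m} already mapped to {self.index[m]}")
            self.index[m] = ans.key
        self.answers[ans.key] = ans
    def export(self, question_ids):  # -> rows of (question id, Yes/No, Notes)
        rows = []
        for q in question_ids:
            ans = self.answers.get(self.index.get(q))
            rows.append((q, ans.status, ans.current_text) if ans
                        else (q, "", "UNANSWERED: add a canonical answer"))
        return rows
    def stale(self, today, max_age_days=90):  # keys outside the quarterly review window
        t = date.fromisoformat(today)
        return sorted(k for k, a in self.answers.items()
                      if (t - date.fromisoformat(a.history[-1][0])).days > max_age_days)

def build_sample_library():
    lib = AnswerLibrary()  # constructed sample: two Theme 8 answers; the Q48 mapping is assumed
    iso = CanonicalAnswer("tenant-isolation", "CTO", "Yes", {"CAIQ-Lite Q47", "SIG IT.4", "ISO 27001 A.8.20"})
    iso.update("Logical multi-tenancy; queries filter by company_id.", "initial answer", "2025-10-01")
    res = CanonicalAnswer("data-residency", "DPO", "Yes", {"CAIQ-Lite Q48"})
    res.update("EU-only by default: eu-central-1 primary, eu-west-1 DR.",
               "initial answer", "2025-11-15")
    res.update("EU-only by default; US residency available on Enterprise.",
               "new US region added", "2026-02-10")
    for a in (iso, res):
        lib.add(a)
    return lib
```

Exporting for a SIG question and a CAIQ-Lite question that map to the same key yields identical Notes text, which is exactly the consistency auditors compare across questionnaires.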

What to do this week

If you've never answered a security questionnaire:

  1. Download the Complair CAIQ-Lite template — pre-filled with sample answers from this article. Email-gated.
  2. Fill in the easy 30 — the questions where you have a clear yes/no.
  3. For the hard 20 — questions where the honest answer is "we're working on it" — write a clear, specific roadmap response.
  4. For the AI 10 — go answer them now even if no buyer has asked. They will. Q3 2026 onwards, every enterprise buyer will ask.
  5. Show your draft to a friendly customer security person (most large SaaS companies have one). Ask: "where would this lose you trust?"

How Complair fits

We built Complair because we lived through this pain. The product gives you:

  • A buyer questionnaire library with CAIQ-Lite, SIG, AI-specific questionnaires pre-loaded
  • Canonical answers mapped to the EU AI Act, GDPR, and CSA frameworks — so you maintain answers once and export to any format
  • Auto-suggest for new questionnaire questions based on your canonical library
  • A public answer page (e.g., /security) that handles many questions buyers used to ask

Free tier available. Design partner program for the next 10 EU SaaS teams (6 months free Scale tier).

FAQ

Q: How long does CAIQ-Lite take to fill out for the first time? First time: 8–14 hours of focused work for a 20-person SaaS. Subsequent: 60–90 minutes if canonical answers are maintained.

Q: Is CAIQ-Lite free? Yes. Published by Cloud Security Alliance. The full questionnaire is at https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix.

Q: Do I need SOC 2 to answer CAIQ-Lite well? No. SOC 2 helps but is not required. Many strong CAIQ-Lite responses come from teams with no formal certifications but solid documented practices.

Q: How does CAIQ-Lite compare to SIG? SIG (Standardized Information Gathering) is owned by Shared Assessments. ~290 questions for the SIG Lite, 800+ for SIG Core. More detailed than CAIQ. Larger enterprises (financial services, healthcare) tend to use SIG. Mid-market enterprises tend to use CAIQ-Lite.

Q: Can I refuse to answer questions I'm not ready for? Yes — write "Not currently in scope" or "Available on Enterprise plan." Honesty beats fabrication. Buyers' security teams flag inconsistencies forever.

Q: How often should canonical answers be reviewed? Quarterly minimum. Trigger reviews on: new sub-processor, new feature involving data, new compliance certification, any incident.
