Answer vendor security questionnaires from your own evidence
Turn scattered truth (**context files**, the **manual**, **Audit Logs** behavior, and backup runbooks) into **draft questionnaire rows** about **your** Auxot usage so security review has somewhere to start, without letting chat **invent** certifications you do not hold.
Plus: three Admin-Agent passes: map pasted questionnaire sections to evidence you already have, flag rows that need legal sign-off vs engineering screenshots, and produce a gap list before you promise dates.
| Audience | Admins · Developers · Executives |
|---|---|
| Time | ~12 min |
| Prerequisites | Org-owned prose you trust ([Add your first context file](/tutorials/add-your-first-context-file)): subprocessors, retention notes, or internal security summaries. Honest privacy stance ([Run a data privacy review before you ship](/tutorials/run-a-data-privacy-review-before-you-ship)). Helpful: what **Audit Logs** actually stores ([View your audit logs](/tutorials/view-your-audit-logs)), continuity docs ([Back up and export your Auxot data](/tutorials/back-up-and-export-your-auxot-data)). |
| You'll end up with | A **questionnaire working doc** (section → draft answer → evidence pointer → **human owner**), with explicit **unknowns** instead of confident fiction. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Why this matters
Sales cycles and enterprise procurement hand you spreadsheets or portals full of security questions. The failure mode is guessing, or worse, letting an assistant hallucinate controls your org never built.
Auxot already centralizes how you work; it does not replace counsel or your security lead. What it can do is hold your narrative: encryption patterns (Security), configuration facts (Configuration), and where audit history lives and how it egresses (View your audit logs, Back up and export your Auxot data). You paste questions (still initiated by you) and align answers to evidence you can point to.
This is the mirror image of reviewing incoming vendor contracts (Review documents against your standard terms): here you are the vendor describing your stack.
No certification is claimed because Sales wants it: you cite evidence, you flag false claims.
Quick start
- Gather sources. Subprocessors list, retention bullets, backup owners, and who admins are; ideally in org context files (Add your first context file).
- Create a working table. Columns: Question ID, Draft answer, Evidence link or path, Owner, and Status (confirmed / needs review / gap).
- Paste one section at a time into chat with an agent scoped to security drafts: attach relevant context files; forbid blanket “yes we encrypt everything” without citing the manual row you verified.
- Separate facts from aspirations. Product limits (Plan for retention and deletion requests) belong in honest wording, not buried footnotes.
- Route sign-offs. Legal phrasing, indemnities, and statutory claims leave chat: ticket to counsel with your draft attached.
Done? First questionnaire section filled with traceable evidence rows, plus a short gap list you can schedule instead of hiding.
The agent can do that?
1. Section mapping
Chat → Admin Agent:
Pasted questionnaire section (vendor asks about OUR Auxot deployment): [paste headers only]. Map each header to: (a) context file title we should attach, (b) manual `/docs/...` path or internal wiki, or (c) "needs human interview". Output as a markdown table.
Why it’s non-obvious: Questionnaires shuffle topics, so map first; it prevents answering an access-control question with encryption paragraphs. You still open each source.
2. Evidence-grade draft
For question "[paste]" draft a two-sentence answer using ONLY these sources: [list titles]. End with "Verify:" bullets listing manual anchors I must click before sending externally.
Why it’s non-obvious: Forces citation discipline after you name allowed sources: reduces confident invention.
3. Gap finder
Scan draft answers for phrases that imply ISO/SOC/certifications we did not list as owned. Flag lines, redlines only.
Why it’s non-obvious: Procurement readers grep for magic words: mechanical pass catches overstated language.
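The gap-finder pass above can also be run mechanically before the agent sees the drafts. The script below is an added example, not Auxot's own code: it scans draft rows for wording that implies a certification your org has not listed as owned, and separately flags blanket claims ("all data", "fully") on rows that carry no evidence pointer, as the Quick start asks. The pattern list, the question IDs and the sample rows are constructed for this example; the `/docs/...` anchor is a placeholder.

```python
"""Mechanical gap finder for draft questionnaire answers.

Added example, not Auxot's own code. Flags (a) certification or attestation
wording not on the org's owned list and (b) blanket claims with no evidence
pointer. Patterns and sample rows are constructed for this example.
"""
import re

# Phrases procurement readers grep for, mapped to a canonical label.
# Constructed list; extend it with whatever your buyers' templates ask about.
CLAIM_PATTERNS = {
    r"\bSOC\s?2\b(?:\s*Type\s*(?:I{1,2}|1|2))?": "SOC 2",
    r"\bISO\s?(?:/\s?IEC\s?)?27001\b": "ISO 27001",
    r"\bFedRAMP\b": "FedRAMP",
    r"\bHIPAA\b": "HIPAA",
    r"\bPCI[\s-]?DSS\b": "PCI DSS",
}

# Absolute wording that needs a cited manual row before it goes out.
BLANKET = re.compile(
    r"\b(?:all (?:customer )?data|everything|fully|always)\b|\b100%", re.IGNORECASE
)
BLANKET_LABEL = "blanket claim without evidence"


def find_overclaims(rows, owned):
    """Return (question_id, label, matched_text) for every line to redline.

    rows:  dicts with keys 'id', 'draft' and optional 'evidence'.
    owned: set of canonical labels the org actually holds, e.g. {"SOC 2"}.
    """
    compiled = [(re.compile(p, re.IGNORECASE), label)
                for p, label in CLAIM_PATTERNS.items()]
    flags = []
    for row in rows:
        for rx, label in compiled:
            if label in owned:
                continue  # a certification you hold may be stated
            for m in rx.finditer(row["draft"]):
                flags.append((row["id"], label, m.group(0)))
        if not row.get("evidence"):
            m = BLANKET.search(row["draft"])
            if m:
                flags.append((row["id"], BLANKET_LABEL, m.group(0)))
    return flags


def redlines(flags):
    """Render flags as markdown bullets: only the lines that need changing."""
    return [f"- {qid}: {label} (matched {text!r})" for qid, label, text in flags]


# Constructed sample draft rows; IDs and the doc anchor are placeholders.
SAMPLE_ROWS = [
    {"id": "Q-1.1",
     "draft": "Data at rest is encrypted with AES-256; see the Security manual page.",
     "evidence": "/docs/security#encryption-at-rest (placeholder anchor)"},
    {"id": "Q-2.4",
     "draft": "We are SOC 2 Type II and ISO 27001 certified.",
     "evidence": ""},
    {"id": "Q-3.1",
     "draft": "All customer data is fully encrypted everywhere.",
     "evidence": ""},
    {"id": "Q-4.2",
     "draft": "Nightly backups follow the runbook in the 'Backup runbook' context file.",
     "evidence": "context file: Backup runbook"},
]

if __name__ == "__main__":
    for line in redlines(find_overclaims(SAMPLE_ROWS, owned={"SOC 2"})):
        print(line)
```

Run it with the owned set taken from your context file, not from Sales. A flagged line is not automatically wrong; it is a line that must either cite its source or be reworded before it leaves the working doc.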
Go deeper
Self-hosted vs hosted
Deployment truth lives under Self-hosting docs (Deployment): do not describe your VPC using generic SaaS wording you did not validate.
Logging and audit
When questions ask how actions are logged, anchor on Audit Logs tabs and API egress reality (View your audit logs): not imagined SIEM features.
Credentials
Rotation and scope stories pair with Rotate credentials without surprising your agents and Manage your Credentials: paste architecture your org actually runs.
Leadership snapshot
When questionnaires feed board decks, reuse brevity habits (Brief leadership on your agent program): still not legal advice.
Owner change and dry runs
Two adjacent patterns harden the same questionnaire muscle: Hand off the audit narrative when your compliance lead changes keeps these answers durable when the person who wrote half of them leaves, and Run an internal pre-audit drill against your own narrative stress-tests the drafted answers before a buyer or auditor finds the soft spots.
Walkthrough
Step 1: Build or refresh context bundle
Minimum: subprocessors + retention + admin access model, org-scoped files (Add your first context file).
Step 2: Import questionnaire skeleton
CSV → working markdown table: no answers yet, IDs stable for revisions.
Step 3: Draft high-risk cluster first
Encryption, logging, data residency, and subprocessors: sections that burn deals when wrong.
Step 4: Attach receipts
Screenshots or exported API samples belong outside chat if policy forbids pasting them: link to ticket IDs instead.
Step 5: Review with security/legal
Agent output label: DRAFT: human verified: date, reviewer initials.
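The working table from Quick start step 2 and Walkthrough steps 2 and 5 can be built from the vendor's CSV with a few lines of tooling. The script below is an added example, not Auxot's own code: it imports a questionnaire skeleton, assigns revision-stable IDs, starts every row at status "gap", refuses to mark a row "confirmed" without an evidence pointer and an owner, and renders the markdown table under the DRAFT label. The CSV column names (`Section`, `Question`, optional `ID`) and the sample questions are assumptions; real questionnaires differ.

```python
"""Questionnaire CSV skeleton -> working markdown table.

Added example, not Auxot's own code. Column names in the incoming CSV
(Section, Question, optional ID) are an assumption for this example.
"""
import csv
import hashlib
import io

COLUMNS = ["Question ID", "Question", "Draft answer",
           "Evidence link or path", "Owner", "Status"]
STATUSES = {"confirmed", "needs review", "gap"}


def stable_id(section, question):
    """Section prefix plus a short hash of the normalised question text, so a
    re-imported revision keeps the same ID for every unchanged question."""
    digest = hashlib.sha256(question.strip().lower().encode("utf-8")).hexdigest()[:6]
    return f"{section.strip().upper()}-{digest}"


def import_skeleton(csv_text):
    """Parse the CSV skeleton into empty working rows (no answers yet)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        qid = (rec.get("ID") or "").strip() or stable_id(rec["Section"], rec["Question"])
        rows.append({
            "Question ID": qid,
            "Question": rec["Question"].strip(),
            "Draft answer": "",
            "Evidence link or path": "",
            "Owner": "",
            "Status": "gap",  # everything starts as a gap until someone confirms it
        })
    return rows


def set_answer(rows, qid, draft, evidence, owner, status):
    """Fill one row; a 'confirmed' row must carry an evidence pointer and an owner."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if status == "confirmed" and not (evidence and owner):
        raise ValueError("confirmed rows need both an evidence pointer and an owner")
    for row in rows:
        if row["Question ID"] == qid:
            row.update({"Draft answer": draft, "Evidence link or path": evidence,
                        "Owner": owner, "Status": status})
            return row
    raise KeyError(qid)


def gap_list(rows):
    """IDs still at 'gap': the list you schedule instead of hiding."""
    return [r["Question ID"] for r in rows if r["Status"] == "gap"]


def render_table(rows, reviewer=None, reviewed_on=None):
    """Markdown working table under the label Step 5 prescribes."""
    label = (f"DRAFT: human verified: {reviewed_on}, {reviewer}"
             if reviewer and reviewed_on else "DRAFT: not yet human verified")
    lines = [label, "", "| " + " | ".join(COLUMNS) + " |", "|" + "---|" * len(COLUMNS)]
    for r in rows:
        cells = [r[c].replace("|", "\\|") for c in COLUMNS]  # keep pipes out of cells
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


# Constructed sample skeleton; sections and wording are placeholders.
SAMPLE_CSV = """Section,Question
ENC,Is customer data encrypted at rest?
ENC,Is customer data encrypted in transit?
LOG,How are administrative actions logged and exported?
"""

if __name__ == "__main__":
    rows = import_skeleton(SAMPLE_CSV)
    print(render_table(rows))
    print("gaps:", gap_list(rows))
```

Because IDs derive from the question text rather than the row position, a revised CSV from the buyer that reorders or inserts questions leaves your existing draft rows addressable; only genuinely new or reworded questions get new IDs and land back on the gap list.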
What’s next
- → Allocate model spend to teams for internal reporting. Turn Jobs rows into team-shaped totals leadership can defend after questionnaires quiet down.
- → Build an audit narrative from your logs. When buyers want how we govern AI in prose: Jobs/Threads/Events stitched into a short story with evidence pointers.
- → Hand off the audit narrative when your compliance lead changes. Questionnaire answers lean on one person’s tacit knowledge: write the handoff so the answers survive a role change.
- → Run an internal pre-audit drill against your own narrative. Stress-test the drafted answers internally before a buyer or auditor turns them into a procurement problem.
- → Review documents against your standard terms. When their paper needs review, not your answers about Auxot.
- → Run a data privacy review before you ship. Align questionnaire retention language with reviews you already run.
- → View your audit logs. Cite only behaviors you confirmed.
- → Back up and export your Auxot data. Backup and audit export honesty shows up constantly on questionnaires.
- → Plan for retention and deletion requests. Deletion asks appear mid-procurement: playbook beats improvisation.
Reference
- Manual: Security, Configuration, Authentication & API Keys
- Pages in Auxot: Settings → Context Files, Audit Logs, Settings → Teams / API Keys
- See also: Allocate model spend to teams for internal reporting, Red-team your agents against prompt injection, Trigger a workflow from GitHub Actions, Add your first context file, Brief leadership on your agent program, Run a quarterly review of your agents