Vendor Security Reviews

Your biggest client just asked for your security package.

Don't lose the deal because the package doesn't exist yet.

Kompflow is the governance layer that gives you everything a client's security team asks for: WISP, risk assessment, vendor inventory, training records, and incident response plan. Already written, current, and signed.

What a client security questionnaire usually asks

Different companies send different forms, but the questions cluster into a familiar pattern:

"Show us your written security program."

They want your Written Information Security Plan (WISP). Not a template. Not a privacy policy. The actual written program that says what your firm protects and how.

"When did you last do a risk assessment?"

Most enterprise security teams want a documented risk assessment from within the last 12 months, covering the scenarios that apply to a professional-services firm.

"How do you manage access to our data?"

They're asking about MFA, least-privilege access, offboarding procedures, and audit logs. They expect proof, not assertions.

"Who has access to our data, including your subprocessors?"

They want your vendor inventory with data-flow context, DPAs or subprocessor agreements, and which vendors touch client data.

"What happens if you get breached?"

They want your Incident Response Plan (IRP) with specific timelines, notification procedures, and a named point of contact.

"Who on your team has been trained on security?"

They want training records: who, when, what modules, completion status.

"Who's accountable for your security program?"

For most mid-sized firms under the FTC Safeguards Rule, that's your Qualified Individual (QI). Name, title, and escalation path.

Why CPA firms lose these deals

Three common ways this conversation breaks down:

The firm has nothing to send

The owner turns to the MSP and says “can you write this up for us?” The MSP says “we can give you a network architecture summary, but we don't write WISPs or do risk assessments.” The firm falls behind. Two weeks later, the prospect goes with a different vendor.

The firm has an old template

The owner sends a WISP template from 2022 that wasn't customized to the firm. The prospect's security team flags it as stale. The deal stalls in security review.

The firm has the documents, but they're scattered

WISP on a shared drive somewhere. Training records in a separate system. Risk assessment from a consultant who left the firm two years ago. Putting the package together takes two weeks of someone's time. The prospect waits, then stops waiting.

What Kompflow gives you

A single place where every artifact a client or prospect might ask for is already generated, kept current, and ready to send.

The Security Package

Generated for your firm, kept current as your firm changes:

  • WISP: your Written Information Security Plan, updated as your software and team change.
  • Risk assessment: documented, scoped to professional services, refreshed on a schedule.
  • Incident Response Plan: including state-by-state breach notification.
  • Vendor inventory: with DPAs, subprocessor agreements, and data-flow context.
  • Training records: every person, every module, every completion date.
  • Audit trail: signed approvals, version history, date stamps on every decision.
  • Qualified Individual (QI): named and documented for firms that require one.

When the questionnaire lands, the package is ready. You send it the same day, not three weeks later.

The moments you need it most

New logo pursuit

You're bidding on a large enterprise or public-company client, and their procurement team is running a full vendor assessment.

Existing client expansion

A long-time client just got a new CISO, and suddenly all vendors are getting re-reviewed.

RFP response

The RFP includes a security attachment that needs 40+ questions answered.

Subpoena or litigation request

A client (or a regulator) asks for documentation under time pressure.

How AI helps without getting in the way

The Insurance Gap Assistant (Professional and Premium) was built for cyber insurance questionnaires, but the same logic works when a client's security team sends a questionnaire. Ask it things like:

"What's our answer to 'describe your access management program'?"
"This question asks about data retention. What do we have documented?"
"Show me our current WISP summary I could paste into a vendor questionnaire."

The assistant reads your actual firm data and helps you draft responses grounded in what you have, not generic advice. You always review and approve before any of it goes to the client.

Which plan?

Starter

WISP, risk assessment, training records, incident response basics, vendor inventory. The full security package, without the AI assistant.

Professional

Everything in Starter + Insurance Gap Assistant (15 questions/day), Microsoft 365 auto-sync, evidence-backed control testing, QI workflow.

Premium

Everything in Professional + unlimited Insurance Gap Assistant, dedicated onboarding.

Common questions

Can my MSP just answer these questions for me?

Some MSPs can answer the network-and-infrastructure questions. Very few can produce a WISP, a risk assessment, documented risk decisions, training records, or a vendor inventory. Those are governance artifacts that sit with the firm, not the MSP. That's where Kompflow fits.

What if the client's questionnaire asks something I don't have an answer for?

The Insurance Gap Assistant (Professional and Premium) can tell you whether you have it and where it lives. If you don't have it yet, it tells you what's missing and how to close the gap. Most client questionnaires map to artifacts Kompflow already produces.

Do you have an actual vendor questionnaire library?

Not a branded library today. The Insurance Gap Assistant is carrier-agnostic and questionnaire-agnostic, and it answers based on your firm's data rather than a pre-canned response set. Pre-built questionnaire templates are under consideration on the roadmap.

Can I customize the package I send to each client?

Yes. You choose which artifacts to include. Most firms send the same core package (WISP, risk assessment, IRP, training summary, QI identification) and add vendor-specific pieces (data-flow maps, specific control evidence) as requested.

Ready to stop losing deals on security review?

30-day money-back guarantee on every firm plan.
