How to use this map
- Find the closest questionnaire topic.
- Start with the listed primary page.
- Use the secondary page only if the reviewer asks for more depth.
Architecture and boundaries
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| Architecture and trust boundaries | Security Architecture | Shared Responsibility |
| Hosted vs self-hosted ownership | Shared Responsibility | Overview |
| Tenant isolation and logical separation | Security Architecture | Identity and Access |
| Encryption in transit and at rest | Encryption Standard | Encryption and Key Management |
| Key management and key rotation | Encryption and Key Management | Encryption Standard |
Identity and access
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| API identity and token controls | Identity and Access | Shared Responsibility |
| Login and SSO protocol support | Authentication and Password Standard | Identity and Access |
| Automated user provisioning and deprovisioning | Authentication and Password Standard | Identity and Access |
| Inactive account disablement after inactivity | Authentication and Password Standard | Identity and Access |
| Session timeout and reauthentication controls | Authentication and Password Standard | Identity and Access |
| Device or IP-based session restrictions | Authentication and Password Standard | Network Security |
Data governance
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| Data handling scope and stored data | Data Handling | Overview |
| Subprocessors and third-party services | Subprocessors and Third Parties | Shared Responsibility |
| Integration directionality and connectivity model | Network Security | Security Architecture |
| Material change notice (security, availability, or data handling) | Subprocessors and Third Parties | Compliance and Assurance |
Cloud operations
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| Cloud services policy and baseline requirements | Cloud Services Security Standard | Network Security |
| Cloud security alert monitoring | Incident Response | Cloud Services Security Standard |
AI and model governance
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| AI provider handling and deployment options | AI Data Controls | Overview |
Assurance and legal
| Questionnaire topic | Primary page | Secondary page |
|---|---|---|
| Compliance status and current assurances | Compliance and Assurance | Documents and Requests |
How we answer in-progress controls
When a control is not fully complete, we answer with:- current implementation status,
- compensating controls currently in place,
- target completion timing,
- and where evidence will be provided when complete.