Security questionnaires

Send a vendor a structured security questionnaire, capture their answers, and let Covenant score them. The same scoring engine runs in the app and in the vendor portal, so what the vendor sees matches what you see.

The built-in templates

| Template | Tier | Structure | Best for |
|---|---|---|---|
| Covenant SMB Lite | free | 3 sections, 12 questions | A fast baseline for any small vendor. |
| HIPAA Security Rule (vendor) | free | 3 sections, 9 questions | PHI vendors; questions cite the CFR section they map to. |
| SIG Lite (Shared Assessments-aligned) | Pro | 9 sections, 24 questions | A broader assessment across all SIG domains. |
| CAIQ Lite (CSA, abridged) | Pro | 8 sections, 15 questions | Cloud vendors; aligned to the CSA Cloud Controls Matrix. |

Pro templates. SIG Lite and CAIQ Lite are marked (Pro) in the picker. They are representative, abridged libraries; the full SIG/CAIQ libraries and a custom questionnaire builder are planned for a later wave. The templates that ship are fully functional and scored — nothing is a stub.

Sending a questionnaire

  1. Open the vendor and find the Security questionnaire card.
  2. Pick a template from the dropdown.
  3. Click Send to vendor portal. Covenant mints a signed, expiring tokenized link and (via the notification boundary) sends it plus a reminder cadence. See Vendor email portal for the full flow.

Once started, the questionnaire's questions also appear inline on the vendor detail page, so you can fill them in yourself if you are capturing answers from a call or email instead of the portal.

Answering & conditional logic

Each question is either a yes/no/N/A choice or a select from preset options. As you answer, the score and pass % update live.

Conditional questions (show_if). Some questions only appear when a parent answer matches a specific value. A hidden question is excluded entirely — it is not scored and not counted in the denominator. Both the app and the vendor portal honor this, so the percentage is always over the questions that actually applied.

How scoring works

Every question carries a weight. A question is "passed" unless its answer is the risky one defined by the template (e.g. answering "no" to "Do you encrypt data at rest?"). The result is:

| Output | Meaning |
|---|---|
| Passed % | (total weight − lost weight) ÷ total weight, as a percentage. Shown as "Passed X% of weighted controls." |
| Answered / total | How many in-scope questions have an answer. |
| Flags | The specific risky answers, each shown with its weight (e.g. risk +3) and the question text. |

The questionnaire result feeds the composite score: the share of weight lost is scaled to a penalty of up to −45 points. See Risk scoring for exactly how.
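The show_if rule and the scoring outputs above, as an added worked example (not Covenant's own code): a small scorer over a constructed four-question template. The template, the question ids and the linear mapping of "share of weight lost" onto the composite penalty of up to −45 points are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Question:
    qid: str
    text: str
    weight: int
    risky_answer: str                          # the answer the template marks as risky
    show_if: Optional[tuple[str, str]] = None  # (parent qid, parent answer that reveals this question)

# Constructed sample template; not one of the shipped libraries.
TEMPLATE = [
    Question("q1", "Do you encrypt data at rest?", 3, risky_answer="no"),
    Question("q2", "Which key management approach do you use?", 2,
             risky_answer="shared static key", show_if=("q1", "yes")),
    Question("q3", "Do you enforce MFA for administrative access?", 3, risky_answer="no"),
    Question("q4", "Do you have a documented incident response plan?", 1, risky_answer="no"),
]

def in_scope(q: Question, answers: dict) -> bool:
    """A show_if question is hidden, so neither scored nor counted in the
    denominator, unless its parent currently has the matching answer."""
    if q.show_if is None:
        return True
    parent, required = q.show_if
    return answers.get(parent) == required

def score(template: list, answers: dict) -> dict:
    scoped = [q for q in template if in_scope(q, answers)]
    total_weight = sum(q.weight for q in scoped)
    # A question passes unless its answer is exactly the template's risky answer;
    # unanswered and N/A answers therefore do not lose weight.
    flags = [{"id": q.qid, "text": q.text, "risk": q.weight}
             for q in scoped if answers.get(q.qid) == q.risky_answer]
    lost_weight = sum(f["risk"] for f in flags)
    share_lost = lost_weight / total_weight if total_weight else 0.0
    return {
        "passed_pct": round(100 * (1 - share_lost), 1),
        "answered": sum(1 for q in scoped if q.qid in answers),
        "total": len(scoped),
        "flags": flags,
        # Assumed: the penalty scales linearly with the share of weight lost, capped at -45.
        "composite_penalty": -45 * share_lost,
    }

if __name__ == "__main__":
    # "no" on q1 hides q2, so the denominator is 3 + 3 + 1 = 7 and 3 is lost.
    print(score(TEMPLATE, {"q1": "no", "q3": "yes"}))
```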

Re-submitting and resetting

AI assist (optional). If you have configured a bring-your-own-key AI provider, a Summarize this assessment button turns the risk flags and pass-% into a short risk summary. It is advisory and data-minimized. See Settings & AI.