~/security-questionnaire-domain-evidence

> security questionnaire — domain evidence

answer the domain section of any vendor security questionnaire

a signed, hash-chained PDF + JSON sidecar that maps directly to the domain rows of any vendor security questionnaire — the SIG, CAIQ, or whatever procurement spreadsheet your buyer has emailed you. covers one root and up to 100 CT-discovered subdomains. for SaaS founders, MSPs, and the consultants who fill out questionnaires for them.

what vendor-questionnaire forms ask

phrasing is paraphrased from common Vanta / Drata / SecurityScorecard / SIG / CAIQ rows. the pack supplies signed evidence for each row.

  • does this domain publish an SPF record limiting authorised senders? (SOC 2 CC6.7 · ISO 27001 A.8.20 · NIST SC-8)
  • does this domain enforce a DMARC policy (quarantine or reject)? (SOC 2 CC6.7 · ISO 27001 A.5.14 · NIST SC-8)
  • are outgoing emails DKIM-signed under a published selector? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • is data in transit protected by a valid, current TLS certificate? (SOC 2 CC6.1 · ISO 27001 A.8.24 · NIST SC-8(1))
  • are HSTS, CSP, X-Frame-Options, and related headers configured? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST SC-7(8))
  • does this domain enforce MTA-STS to prevent SMTP downgrade attacks? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • is DNSSEC signing enabled for this zone? (SOC 2 CC6.6 · ISO 27001 A.8.20 · NIST SC-20)
  • which subdomains have certificates issued in CT logs for this root? (SOC 2 CC7.2 · ISO 27001 A.8.16 · NIST SI-4)
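as an added illustration (not the product's own code) of what the email-authentication rows above actually test, the script below evaluates a set of constructed DNS TXT records for a hypothetical zone `example.test` and answers the SPF, DMARC, DKIM and MTA-STS rows with a pass/fail and a reason. the record strings and the selector name `sel1` are made up for the demonstration; a real check would fetch the records with a resolver, and for MTA-STS would also fetch the HTTPS policy file, since the TXT record alone only signals that a policy exists.

```python
"""Evaluate constructed DNS TXT records against vendor-questionnaire rows.
Added example, not the Evidence Pack's code. All records below are constructed."""


# constructed sample records for a hypothetical zone; the DKIM key body is a placeholder
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "_mta-sts.example.test": ["v=STSv1; id=20240101T000000"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2' style records (DMARC, MTA-STS, DKIM) into a dict.
    Only the first '=' separates key from value, so base64 padding survives."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: list) -> tuple:
    """Row: SPF record limiting authorised senders.
    Pass = exactly one v=spf1 record whose final term is -all or ~all.
    Two SPF records are a permerror; '+all' or no 'all' lets anyone send."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected 1 SPF record, found {len(spf)}"
    last = spf[0].split()[-1].lower()
    if last in ("-all", "~all"):
        return True, f"terminates with {last}"
    return False, f"permissive or missing 'all' qualifier ({last})"


def check_dmarc(records: list) -> tuple:
    """Row: DMARC policy enforced. Pass = p=quarantine or p=reject; p=none only monitors."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False, f"expected 1 DMARC record, found {len(dmarc)}"
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return True, f"p={policy}"
    return False, f"p={policy or 'missing'} does not enforce"


def check_dkim(records: list) -> tuple:
    """Row: DKIM key published under a selector. An empty p= tag means the selector is revoked."""
    dkim = [r for r in records if r.lower().startswith("v=dkim1")]
    if not dkim:
        return False, "no DKIM record at selector"
    if parse_tags(dkim[0]).get("p"):
        return True, "public key published"
    return False, "empty p= tag (revoked selector)"


def check_mta_sts(records: list) -> tuple:
    """Row: MTA-STS published. The TXT record only advertises a policy id;
    whether mode is 'enforce' or 'testing' lives in the HTTPS policy file (not fetched here)."""
    sts = [r for r in records if r.lower().startswith("v=stsv1")]
    if len(sts) != 1:
        return False, f"expected 1 MTA-STS record, found {len(sts)}"
    tags = parse_tags(sts[0])
    if tags.get("id"):
        return True, f"policy id={tags['id']} advertised; verify mode in policy file"
    return False, "missing id tag"


def evaluate(zone: str, records: dict, dkim_selector: str = "sel1") -> dict:
    """Answer the four email rows for one zone from a name -> [TXT strings] mapping."""
    return {
        "spf": check_spf(records.get(zone, [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{zone}", [])),
        "dkim": check_dkim(records.get(f"{dkim_selector}._domainkey.{zone}", [])),
        "mta_sts": check_mta_sts(records.get(f"_mta-sts.{zone}", [])),
    }


if __name__ == "__main__":
    for row, (passed, reason) in evaluate("example.test", SAMPLE_RECORDS).items():
        print(f"{row:8s} {'PASS' if passed else 'FAIL'}  {reason}")
```

the reasons returned are what a reviewer wants next to a yes/no cell: a "yes" for DMARC with `p=none` is the most common questionnaire answer that does not survive an auditor's follow-up, and the script marks it as a fail for that reason.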

what you get

  • 15 checks total: 10 free dossier checks + 5 paid Evidence Pack checks
  • per-finding mapping to SOC 2 CC6.x, ISO 27001 Annex A, NIST SP 800-53 Rev. 5
  • severity-graded findings, plain-English remediation per finding
  • up to 100 CT-discovered subdomains
  • signed (Ed25519) + hash-chained (SHA-256), ISO-8601 UTC timestamps
  • JSON sidecar for procurement workflows that auto-import attestations

what this is not

the Evidence Pack is supporting technical evidence for public-facing domain controls. it is not a SOC 2 audit report and does not replace an auditor; it gives them less to chase. it is not a penetration test, not a risk register, and not a substitute for compliance tooling like Vanta, Drata, or SecureFrame — those tools manage the audit programme; the pack documents the public domain surface they reference.

pricing

one-shot evidence packs from $29. agencies running 5–100 client domains: $79 / month, or $249 / month with white-label.

buy a signed pack →