Answering a vendor security questionnaire for your email provider, without three weeks of email
A vendor security questionnaire lands on your desk because someone in your company wants to use a transactional email API. Now you owe security or procurement 40 to 200 answers about a tool you didn't pick. The slow version of this takes three weeks: you email the vendor, a sales rep loops in a solutions engineer, a call gets scheduled, and the answers arrive as a PDF you still have to transcribe.
The fast version takes an afternoon, because almost every questionnaire asks the same eight things about an email provider. Here's what they are, and how to answer each one for Envello without talking to anyone.
The eight questions every questionnaire asks
- Where is the data processed and stored? For Envello: in the EU. Sending runs through AWS SES in eu-central-1 (Frankfurt); the API, database, logs, and backups run on infrastructure in Frankfurt and Nuremberg, Germany.
- What personal data does the vendor process? Recipient email addresses, message content you submit, and delivery event metadata (delivered, bounced, complained, timestamps).
- Is there a DPA, and who has to sign it? Yes, on every plan including free. It's generated at signup and downloadable from the dashboard's Billing section, no sales contact required.
- Who are the subprocessors? The current list is available on request via [email protected], and active customers get 30 days' email notice before any subprocessor is added or replaced.
- How long is data retained? Email event logs default to 90 days and are configurable per account from 7 to 365 days. Retention jobs actually delete; expired data isn't parked in a cold archive.
- Is data encrypted? In transit, yes: TLS on the API and on SMTP delivery where the receiving server supports it. At rest, disk-level encryption on the database and backups.
- How is access controlled? API keys are scoped per account, dashboard access supports team roles, and account actions are recorded in an audit log you can review yourself.
- What happens on termination? Personal data is deleted or returned in line with your configured retention settings, as written into the DPA, except where law requires otherwise.
Answer from documents, not from meetings
The trick to a fast questionnaire is citing sources the reviewer can verify without you. For an email vendor, that's three artifacts: the DPA (covers roles, retention, deletion, subprocessor terms), the security page (covers encryption, access control, and operational practices), and the GDPR page (covers residency and transfer mechanisms). Envello publishes all three, so most rows in the spreadsheet become a one-line answer plus a link.
Where a question goes deeper than the published material, ask the vendor one batched email with every open item at once, not a thread per question. A provider set up for self-serve compliance will answer a batch in one pass. If the answer to a written question is "let's get a call scheduled," that tells you something about how support will work after you've paid, too.
Red flags worth escalating
A few answers should stop a review rather than slow it down. "Data location varies by load" means you can't make a residency commitment to your own customers. A DPA that's only available on annual contracts means your compliance posture depends on your billing tier. And a subprocessor list that hasn't changed in three years usually means it isn't maintained, not that nothing changed.
Keep the finished questionnaire
Save the completed questionnaire with links to the source documents and the date you answered it. The next reviewer, yours or a customer's, starts from your last pass instead of from zero. Most of the answers only change when the vendor changes something material, and for the subprocessor list specifically, the 30-day notice emails are your change log.