Published: March 2026 · Topic: Security & procurement

Large buyers often send long questionnaires (SIG, CAIQ, or custom spreadsheets). The goal should be accurate answers tied to the services in scope, not a perfect score. Misrepresenting controls creates legal and operational risk for both sides.

Scope the environment

Clarify whether the vendor hosts data, accesses production, or only delivers source code to your repositories. Answers for a pure development shop differ from a managed SaaS operator. We state this explicitly at the top of every response.

Use evidence, not adjectives

Where a control exists—backup retention, MFA on admin accounts, logging—point to the policy or configuration standard that defines it. Where it does not, say “not applicable” or “planned” with a timeline rather than answering “yes” by reinterpreting the question.

Involve the people who operate systems

Questionnaires answered only by sales tend to drift away from the controls actually in place. We route technical items to engineering and operations leads so procurement receives one consistent story.

For reviews related to OddDuck Syndicate, email security@odducksyndicate.com. See also our Security & compliance page.