Field notes

The weekly DDQ evidence-freshness sweep

A 20-minute weekly routine that catches stale evidence links before a reviewer does. What the sweep covers, what it skips, and why we recommend it for teams that answer more than one DDQ a month.

PursuitAgent, Procurement

A DDQ is a security questionnaire with a deadline, and every answer you give lives or dies by the evidence link attached to it. Links rot. Policies get revised and re-uploaded with a new filename. Certifications expire. Sub-processor lists shift when a vendor gets acquired.

The weekly DDQ evidence-freshness sweep is a 20-minute routine. It runs on Monday morning. Here’s what’s in it.

What the sweep checks

  • SOC 2 report. Is the current report within the 12-month audit window? If not, is the bridge letter current? Both go on the same shelf; one without the other is a half-answer.
  • Pen test report. Most buyers want one from within the last 12 months. Some want quarterly. Know which flavor you’re answering and flag the ones that are close to their cutoff.
  • Insurance certificates. Policy expiration is the single most common stale-evidence failure. A cert that expired last week is worse than no cert, because it signals the team isn’t tracking.
  • Sub-processor list. Any change in the last week? Any processor added whose DPA isn’t signed? The sub-processor page on the public site should match the one behind the DDQ answers.
  • Data-flow diagram. Has the architecture changed since the last revision? A data-flow diagram from 18 months ago that shows a service you retired is worse than no diagram.
  • Employee count and locations. This is the quiet one. DDQs ask it; the number changes; nobody updates the boilerplate. A buyer who cross-references your LinkedIn page will catch a six-month-old number and wonder what else is old.

What the sweep doesn’t check

  • Policy text. Policy revisions happen quarterly in most shops; weekly sweep is the wrong cadence. Policy review belongs to a separate quarterly cycle.
  • Vendor-specific custom evidence. If a buyer asked for evidence of a specific control in a specific format six months ago, that artifact is for that buyer, not for the general KB. Don’t sweep it.

Why 20 minutes is enough

If the sweep is taking more than 20 minutes, the underlying KB has too much evidence that is owned by no one. The sweep is not the place to fix that; a quarterly ownership review is. The weekly sweep assumes every piece of evidence has an owner and a renewal date; it’s a date check, not a content check.

The cheapest version

A spreadsheet with three columns: evidence name, current expiration date, renewal owner. Sort by expiration. Anything inside 60 days is yellow; inside 30 is red. The sweep is: open the spreadsheet, read the red rows, pester the owner.
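The spreadsheet check above, written out as a script so the sweep is repeatable. This is an added example, not PursuitAgent's code; the register rows, owner names and dates are constructed, and the three-column CSV layout is assumed to be the one the spreadsheet exports.

```python
"""Weekly evidence-freshness sweep over the three-column register."""
import csv
import io
from datetime import date

# Constructed sample register: evidence name, expiration date, renewal owner.
REGISTER_CSV = """evidence,expires,owner
SOC 2 Type II report,2025-02-28,alice
SOC 2 bridge letter,2025-05-31,alice
Cyber insurance certificate,2025-03-20,bob
Pen test report,2025-09-01,carol
Sub-processor list,2025-04-10,dana
"""

YELLOW_DAYS = 60  # anything inside 60 days is yellow
RED_DAYS = 30     # anything inside 30 days is red


def classify(expires: date, today: date) -> str:
    """Colour a row by days to expiry; an already-expired item is its own bucket."""
    days_left = (expires - today).days
    if days_left < 0:
        return "expired"
    if days_left <= RED_DAYS:
        return "red"
    if days_left <= YELLOW_DAYS:
        return "yellow"
    return "green"


def sweep(register_csv: str, today_iso: str) -> list[dict]:
    """Parse the register, colour every row and sort by expiration, soonest first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for rec in csv.DictReader(io.StringIO(register_csv)):
        expires = date.fromisoformat(rec["expires"])
        rows.append({"evidence": rec["evidence"], "owner": rec["owner"],
                     "expires": expires, "status": classify(expires, today)})
    rows.sort(key=lambda r: r["expires"])
    return rows


def owners_to_pester(rows: list[dict]) -> dict[str, list[str]]:
    """The 'read the red rows, pester the owner' step: red and expired rows by owner."""
    todo: dict[str, list[str]] = {}
    for r in rows:
        if r["status"] in ("red", "expired"):
            todo.setdefault(r["owner"], []).append(r["evidence"])
    return todo
```

Running `sweep(REGISTER_CSV, "2025-03-10")` on the sample register puts the expired SOC 2 report and the insurance certificate at the top, and `owners_to_pester` hands back exactly the two owners to chase that Monday.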

We wrote the longer version of this in the DDQ response playbook. The evidence attachment API post is the engineering-side view. The 20-minute weekly sweep is the discipline that connects them.

Sources

  1. PursuitAgent — DDQ response playbook
  2. PursuitAgent — DDQ evidence attachment API