The Q4 DDQ surge is almost here
Procurement-side patterns for Q4 2025: what buyers are sending right now, what volume looks like at the question level, and what to expect in the next eight weeks.
Q4 is DDQ season. Enterprise buyers run their annual vendor reviews into year-end, security questionnaires pile up alongside renewals, and the average vendor’s questionnaire backlog roughly doubles between October and December. This is the operational note for the next eight weeks.
What buyers are sending
Three patterns are visible across our customer base right now (with the obvious caveat that one tool’s view is not the whole market):
1. Annual security re-certifications. Buyers who issued questionnaires in Q4 2025 are issuing the same questionnaires now, sometimes with two or three updated questions reflecting new internal policy. Most of the content is recycled. The ones to watch are the new questions — they signal what the buyer’s internal security team has been working on this year.
2. Renewal-driven DDQs. Procurement teams are issuing DDQs as part of contract renewal cycles that close December 31. The volume here is concentrated and the deadlines are rigid. Vendors who do not respond on time lose renewals by procedural default.
3. AI/ML disclosure questionnaires. New this quarter at meaningful volume. Buyers are asking for documented positions on training-data sources, model-output verification, customer-data isolation in AI features, and human-in-the-loop policies. Most vendors do not have canned answers ready. The ones who do are pulling them from internal AI governance documents that did not exist 18 months ago.
What volume looks like
At the question level, the typical enterprise DDQ in our pipeline runs 180 to 320 questions across finance, legal, IT, security, operations, and compliance. Loopio’s category data puts the average at 200 to 350. Safe Security’s vendor questionnaire research reports that some enterprise security teams now process 500+ questionnaires per year — which translates, on the vendor side, to a hot spot in October through December that absorbs an outsized share of the annual SME bandwidth.
A vendor responding to 30 DDQs in Q4 with average question counts is looking at roughly 6,000 to 9,000 questions answered in 60 working days. That math is what makes recycled answers, KB freshness, and citation discipline operationally critical, not theoretically nice.
What we are watching
Two things to watch over the next eight weeks:
Question-set drift. A questionnaire from a buyer who issued the same questionnaire last year, with three to five new questions added, is the highest-density signal of what the buyer’s internal team is now worried about. Read the new questions before you start drafting answers. The new questions are what the rubric is now scoring on.
Evidence-attachment requirements. More buyers are requiring evidence attachments — uploaded SOC 2 reports, penetration-test summaries, internal policy excerpts — alongside narrative answers. Vendors with evidence vaults already wired into their KBs respond faster. Vendors without spend the back half of December chasing PDFs across their internal drives.
For the operational mechanics — how to triage three DDQs landing in the same week, how to staff against the surge — see the federal Q1 push triage post shipping next week. The surge is predictable; the chaos around it does not have to be.