In preview: DDQ question classification
Every question in an ingested DDQ is classified at intake into finance, legal/privacy, security, or operations buckets. In preview behind a feature flag — DDQ is a pursuit-type the marketed platform does not yet describe.
DDQ ingest in preview classifies every extracted question into one of four buckets at intake: Finance, Legal & Privacy, Security, or Operations & Vendor Management. The classification is shown on every question in the response UI and drives routing — questions land with the right reviewer instead of in a single shared queue. DDQ workflows live alongside the RFP Analysis module today and are not yet a separately marketed pursuit type; this work is the routing layer that will make them one.
Why classify
A typical due-diligence questionnaire (DDQ) runs 200 to 350 questions across all four buckets. Loopio’s DDQ guide puts the median total response time at 15 to 40 hours per questionnaire; our own customer data is in the same range. The single largest source of waste in those 15-40 hours is questions sitting in the wrong reviewer’s queue.
A finance reviewer doesn’t need to see the encryption-at-rest question. A security reviewer doesn’t need to see the revenue-recognition question. When everything goes to one queue, every reviewer scrolls past 70% of the questionnaire to find their slice. The classifier removes that scroll.
The buckets we ship today are coarse on purpose. Finer-grained sub-classification (within Security: SOC, ISO, network, identity, AI/ML) is in flight but not in this release.
How the buckets work
Finance. Revenue recognition, audit history, debt covenants, parent-company financials, banking relationships, insurance policies, financial-strength ratios. Routes to a finance reviewer (typically Controller or CFO).
Legal & Privacy. Privacy posture (GDPR, CCPA, state privacy laws), data-processing agreements, sub-processor lists, retention policies, data-residency declarations, breach-notification obligations, contract-redline history. Routes to legal or compliance.
Security. SOC 2, ISO 27001, FedRAMP, encryption (at-rest and in-transit), key management, identity and access management, network segmentation, vulnerability management, incident response, BCP/DR. Routes to InfoSec.
Operations & Vendor Management. Org chart, employee count, geographic distribution, sub-contractor management, business-continuity drills, change management, training, vendor-management policies. Routes to operations or COO.
A question that genuinely spans buckets gets a primary and a secondary classification. The primary determines the queue; the secondary surfaces in the side panel for the reviewer’s awareness. About 8% of questions in our test set carry a secondary; the rest are clean.
Accuracy
The classifier was tuned against 14 publicly available DDQ templates (CAIQ v4, SIG Lite, SIG Core, plus a handful of redacted custom ones from public procurement filings). Held-out accuracy is 92.4% on the four-bucket task. Most of the residual 7.6% is between Security and Operations on questions like “describe your business-continuity plan” — defensible either way.
When the classifier is unsure (top-class confidence below a threshold), the question is flagged for manual classification at ingest. The reviewer sees a small “needs classification” indicator and assigns a bucket in one click. The assignments train the next iteration of the classifier on a quarterly cadence.
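The routing decision described above, as an added sketch that is not the product's own code: given per-bucket confidence scores for one question, it picks the reviewer queue, attaches a secondary bucket, or holds the question for manual classification. Both thresholds, the queue names and the sample scores are assumptions; the post does not state them.

```python
from dataclasses import dataclass
from typing import Optional

# Bucket names are from the post; the queue identifiers are hypothetical.
BUCKET_QUEUES = {
    "Finance": "finance",
    "Legal & Privacy": "legal-compliance",
    "Security": "infosec",
    "Operations & Vendor Management": "operations",
}
MANUAL_THRESHOLD = 0.60     # assumed: below this, top class is "unsure"
SECONDARY_THRESHOLD = 0.25  # assumed: runner-up at or above this is surfaced

@dataclass
class Routing:
    queue: Optional[str]        # None while the question awaits manual triage
    primary: Optional[str]
    secondary: Optional[str]    # shown in the side panel, never changes the queue
    needs_classification: bool

def route(scores: dict) -> Routing:
    """Turn classifier scores {bucket: confidence} into a routing decision."""
    if not scores or set(scores) - set(BUCKET_QUEUES):
        raise ValueError("scores must cover known buckets only")
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    top, top_p = ranked[0]
    if top_p < MANUAL_THRESHOLD:
        # Unsure: do not guess a queue; a reviewer assigns the bucket.
        return Routing(None, None, None, True)
    secondary = None
    if len(ranked) > 1 and ranked[1][1] >= SECONDARY_THRESHOLD:
        secondary = ranked[1][0]
    return Routing(BUCKET_QUEUES[top], top, secondary, False)

# Constructed scores for three kinds of question.
ENCRYPTION = {"Security": 0.95, "Legal & Privacy": 0.03,
              "Operations & Vendor Management": 0.01, "Finance": 0.01}
SUBPROCESSOR_SECURITY = {"Legal & Privacy": 0.64, "Security": 0.31,
                         "Operations & Vendor Management": 0.04, "Finance": 0.01}
BCP = {"Security": 0.48, "Operations & Vendor Management": 0.45,
       "Legal & Privacy": 0.05, "Finance": 0.02}

if __name__ == "__main__":
    for name, s in [("encryption", ENCRYPTION),
                    ("sub-processor", SUBPROCESSOR_SECURITY), ("bcp", BCP)]:
        print(name, route(s))
```

With these assumed cut-offs, the business-continuity question is held for manual classification rather than routed on a near coin-flip between Security and Operations.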
What this enables
This release is plumbing for what comes next.
Starting Monday, Sarah begins a four-part DDQ Anatomy series. Part 1 is the finance section — what the questions ask, what evaluators are actually looking for, what good answers look like. Parts 2-4 cover security, legal/privacy, and operations.
The series is grounded in the bucket structure this classifier ships. The classifier is what makes it tractable to talk about a DDQ as four documents instead of one — each with its own anatomy, its own SME, its own answer-reuse pattern.
Loopio’s DDQ guide describes a typical DDQ as 200-350 questions; Safe Security’s research on the security slice alone reports 200-400 questions and 30-40 hours per questionnaire at enterprise scale. Routing the right slice to the right reviewer is the precondition for compressing those numbers.
Where to find it
DDQ Bucket badges appear on every question in the response UI. The classifier runs at ingest; existing DDQs in your account need a one-click re-classify to populate buckets.
Documentation lives in the in-app help under DDQ → Classification. The dedicated DDQ workflow page is on the roadmap and not yet on the marketing platform site.