
First, thank you so much for this! I hate these things.

However, answering these questions without nuance and context can at best cause a lot more back and forth between company and vendor, and at worst kill the deal immediately. Example:

Bad way, no context: Do you have external certification for HIPAA/PCI compliance: No.

Better way: Do you have external certification for HIPAA/PCI compliance: No, because product does not collect, store, or process health data or payment card data.

How do you handle cases like this in an automated fashion?



Great question. I agree, answering a question like that in a thoughtless way can make your company look pretty unprofessional.

We build a 'profile' of the company - what it does, the systems used, the type of data it handles (and doesn't) to answer these questionnaires.

Part of the purpose of having a human-in-the-loop, especially for the first 1-2 questionnaires, is to support this type of review and ensure that answers are of a sufficiently high quality.

As a general rule of thumb when answering security questionnaires (which our system supports), any "negative" answer should have additional clarification. FWIW, I'd say that a more appropriate answer to that question would be N/A instead of No to avoid confusion, assuming that the company doesn't handle any PHI / CHD.


I use TurboTax. Before that I went to a big box tax preparer. They made me find, and bring, and drive back home to get the ones I forgot, all the documents they need, to essentially fill out their own equivalent of TurboTax, all the while me keeping an eye that they don't mistype something, because at the end of the day, I'm responsible. I spent more time than the tax preparer.

This is pretty much the experience I expect. And I just don't see how this can be automated well (yes, I read the human-in-the-loop remark, but also the 15 seconds one), if there's such unstructured data, both on the input as well as the output side of this process. It seems to me you're just going to be renting out a glorified copywriter or editor.


The ultimate success or failure of our business depends on our ability to get our NLP to deliver high quality answers and minimize the time our own internal reviewers need to spend on each questionnaire. We are making progress here every day, but still need to get better.

It's totally fair to be skeptical that we can pull that off. I will say though that we are fanatical about NOT making this a business where we hire lots of humans to be reviewers. We'd rather fail than hire an army of low wage workers to do the soul sucking job of reviewing other people's questionnaires all day every day.



