Vendor Onboarding Forms/Security Questionnaires
Over time, it has become more and more common for customers and potential customers to use Vendor Onboarding Forms and Security Questionnaires. Some of these are very simple, with just some official company and banking details, and some are very detailed with lots of questions. This article outlines what's required for these from a LiquidFiles perspective.
LiquidFiles Internal Information
We don't disclose any LiquidFiles internal information such as turnover, number of staff, number of customers or anything similar. If you have a form that asks any questions like this, we require that these fields are either marked as optional or, if there are dropdown options, that there's an option to select "not applicable" or similar.
We will not fill something in just to satisfy your form validation. If you require something to be filled in that we can't, we will stop the submission and ask that you remove the requirement.
LiquidFiles Personal Information
Same as above, we don't provide personal information about anyone within LiquidFiles. You can use "Support" as a name and support@liquidfiles.com as an email. We don't provide any phone numbers.
We will not fill something in just to satisfy your form validation. If you require something to be filled in that we can't, we will stop the submission and ask that you remove the requirement.
Online Forms
We won't sign up for or complete any online web form submissions to register LiquidFiles as a company with you, fill out security questionnaires and similar. The reason is simply that before we stopped doing this, we never actually managed to fill in a single questionnaire. Every single questionnaire we came across was targeted towards cloud service providers as described in the Security Questionnaires section below. With online form submissions, often everything stopped on the first page with some mandatory form field that we couldn't fill in and no "n/a" option. This then led to suggestions such as "well, can't you just fill something in?" and no, we won't fill in bogus/incorrect data just to satisfy your form validation. Given that this was just frustrating all around, we've stopped doing online form submissions altogether.
Feel free to extract your questionnaire into an offline spreadsheet, PDF or similar with no validations.
Security Questionnaires
So far, every Security Questionnaire we've come across has been targeted towards Cloud based solutions, which is not applicable to LiquidFiles. LiquidFiles is a product vendor only. We sell you the product, and you install and manage it yourself (or get someone to install and manage it for you). Any question about the management of the product, or the staff managing the product, cannot be answered by us because we simply don't do that for you. Any question about how LiquidFiles is configured also cannot be answered by us because, with LiquidFiles being a product and not a service, we have no visibility of how you have actually configured LiquidFiles. Please see the example questions below for some example responses.
From our experience there will likely be a small portion of (technical) questions that are relevant to non-cloud solutions such as LiquidFiles and that we can actually answer. Perhaps a question like "can we require that all System Administrators use Strong Two-Factor Authentication?" and the answer will be something like "yes, you can require all System Administrators to use Strong Two-Factor Authentication. This is configured in Admin → Groups". But as soon as the question is stated as "are all System Administrators configured with Strong Two-Factor Authentication?" we cannot answer it because we have no visibility of how you've actually configured it. We can only speak to the capabilities of the product and the default values, not how you've configured it.
So while we can fill in any required forms, please be aware that if your security questionnaire is targeted towards Cloud based solutions, there will be a lot of answers that are variations of "this is Not Applicable as LiquidFiles is not a Cloud Service".
Cost/Fee
We are happy to fill in shorter forms, 15 questions or less (excluding company details), free of charge, provided they are sent in a spreadsheet, PDF or other type that can be filled out offline.
For larger forms (more than 15 questions) we will charge an upfront fee of USD$500 that covers the first 2 hours. If the form takes longer than 2 hours to fill in, we will make an estimate of how long it will take from then on and charge an additional USD$250/hour after that.
The reason we are charging for larger forms is that it's impossible for us to scale this. When we spend two hours developing the product or updating the documentation or anything like that, it benefits most/all customers. If we spend 2 hours filling out a security questionnaire for you, that benefits exactly zero other customers, which is why we feel it's not justifiable to spend a lot of free time doing that.
Example Responses
We will only answer questions relating to your LiquidFiles installation. We won't answer questions about LiquidFiles internal systems, procedures or processes.
We have included some examples of common questions. In our experience, as detailed above, most if not all of these questionnaires are targeted towards cloud service companies and not product vendors that don't manage customer installations.
Question | Response |
---|---|
Are all administrators configured with strong 2-factor authentication? | You can configure all administrators to use strong 2-factor authentication. This is configured either on a per group basis in Admin → Groups or individually in Admin → Users. Since LiquidFiles is a product and not a service, we have no visibility of the actual configuration. This question will need to be directed to whomever is managing LiquidFiles for you. |
Does the data center have redundant power, including battery and generators? | You can install LiquidFiles in whatever data center you want. Since LiquidFiles is a product and not a service, we have no visibility of where LiquidFiles is installed. This question will need to be directed to whomever has installed LiquidFiles for you. |
What are the certifications held by the SOC? | LiquidFiles is a product, not a service. We (LiquidFiles the company) do not manage your or any other customer's LiquidFiles installations. This question needs to be directed to whomever is managing LiquidFiles for you. |
Are all data transfers encrypted with strong encryption algorithms? | The default is to only permit encrypted data transfers and when encrypted transfers are enabled only strong encryption algorithms will be used. This is configured in Admin → System → Network. Since LiquidFiles is a product and not a service, we have no visibility of your actual configuration. This question will need to be directed to whomever is managing LiquidFiles for you. |
How many days will a terminated staff member have an account before it will be removed? | You can configure accounts to be automatically removed after a certain time of inactivity. This is configured in Admin → Groups. Since LiquidFiles is a product and not a service, we have no visibility of the actual configuration. This question will need to be directed to whomever is managing LiquidFiles for you. |
Vendor Portals
Every so often we get requests along the lines of "Please register on our vendor portal where you can track progress of Purchase Orders, submit Invoices, manage your vendor details, ...".
Unfortunately, we won't register LiquidFiles on your vendor portal. There are a few reasons for this:
- If we register as a vendor on your portal it sets the expectation that you will be able to submit purchase orders and we will then upload invoices to your vendor portal, but we won't. First, we don't sell on, process, or keep track of Purchase Orders. And secondly, we won't upload invoices to your portal. We have built our own quoting tool at https://license.liquidfiles.com. This is where you can generate any LiquidFiles Quote or Invoice you may need. When it comes to renewals, we will start sending reminders starting 90 days out so you can perform whatever internal process you need to be able to complete this in time. Obviously, if your internal process is that you upload that to some website, feel free to do so, but it's your responsibility to generate any quote or invoice needed and process it however you need for your own internal processes.
- In the past, before we stopped doing this, it was actually rare that we could sign up to any vendor portal anyway. There was always some mandatory question about the company that stopped the submission. We won't disclose internal details about the company such as company size, turnover, profit, number of customers or similar details. We don't have a phone number or individual contact details. All support and all communications with LiquidFiles happen through our support/ticketing system at https://support.liquidfiles.com / support@liquidfiles.com (support@liquidfiles.com creates and updates tickets on https://support.liquidfiles.com). This then led to the frustration of "well, can't you just fill something in?" and no, we won't submit something just to satisfy your form validation.
- In case we change anything about LiquidFiles, we will announce that on our mailing list. We won't log in to various vendor portals and update whatever detail was changed.
If you need to maintain this yourself internally, that is obviously completely up to you, but it will be your responsibility to maintain these details, generate quotes and invoices, and so on. If this doesn't work for you, feel free to contact your favourite reseller and they can register on your vendor portal and purchase LiquidFiles on your behalf.