
The complete glossary of RFP, DDQ, and security questionnaire terms

Definitions for every acronym, framework, and concept that shows up in response management. From AIMA to VSAQ, plus everything in between. Bookmark this page. Your team will use it.

A

AEO (Answer Engine Optimization)
The practice of structuring web content so AI assistants (Perplexity, ChatGPT, Google AI Overviews, Claude) can extract direct answers and cite the source. Distinct from traditional SEO, which optimizes for search engine result pages.
AI (Artificial Intelligence)
In response management, AI typically refers to one of three layers: exact-match autofill, similarity search, or generative AI. The third layer is the one that varies most by vendor in terms of architecture and risk profile.
AIMA (Alternative Investment Management Association)
The trade body for the alternative investment industry. AIMA publishes a standardized DDQ template used by hedge funds and alternative investment managers when responding to institutional investor due diligence.
AIFMD (Alternative Investment Fund Managers Directive)
European Union directive regulating the management and marketing of alternative investment funds. AIFMD compliance is part of the regulatory burden for EU-active asset managers.
Approval gate
A controlled checkpoint in a workflow where designated users can advance, reject, or modify content before it moves to the next stage. Approval gates enforce review before sensitive content is exported or sent.
Astro
RocketDocs' private generative AI engine. Astro runs on Llama 3.1 hosted privately inside the RocketDocs environment. Customer data is never sent to third-party model providers.
Audit trail
An append-only, time-stamped log of every action taken in a system. In response management, an audit trail records who created, edited, approved, and exported each piece of content. Auditors expect one under SOC 2, ISO 27001, HIPAA, 21 CFR Part 11, and most enterprise compliance frameworks. The log is only evidence if the people it records cannot quietly alter it: store it append-only, outside the application's ordinary write path, and make tampering detectable.
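
One way to make "append-only and tamper-evident" concrete, as an added example rather than RocketDocs' own implementation: each entry carries the hash of the entry before it, so editing or reordering any past entry breaks every hash after it. The event names, actors, record id and timestamps below are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash: str, body: dict) -> str:
    """Commit to the previous entry's hash plus this entry's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


@dataclass
class AuditTrail:
    """Append-only, hash-chained log: every entry commits to the one before it."""
    entries: list = field(default_factory=list)

    def append(self, timestamp: str, actor: str, action: str, record_id: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": timestamp, "actor": actor,
                "action": action, "record_id": record_id, "prev": prev}
        self.entries.append({**body, "hash": entry_hash(prev, body)})
        return self.entries[-1]["hash"]

    def verify(self) -> tuple[bool, int]:
        """Recompute the whole chain. Returns (intact, index of the first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def demo() -> tuple[bool, bool, int]:
    """Constructed sample: three events on one content record, then an after-the-fact edit."""
    trail = AuditTrail()
    trail.append("2025-01-10T09:00:00Z", "alice", "create", "rec-42")
    trail.append("2025-01-10T10:30:00Z", "bob", "approve", "rec-42")
    trail.append("2025-01-11T08:15:00Z", "alice", "export", "rec-42")
    intact_before = trail.verify()[0]
    trail.entries[1]["actor"] = "mallory"   # rewrite history: who approved the export?
    intact_after, first_bad = trail.verify()
    return intact_before, intact_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

A chain like this detects modification and reordering of anything already written, but not truncation of the tail, so the latest hash should be periodically anchored somewhere the application cannot write (write-once storage, a signed export, a second system). That anchoring, not the hashing, is what lets an auditor trust the trail.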
Autofill
The platform feature that automatically fills in a question with an approved answer from the content library when an exact or close match exists. The first layer of three-layer AI.

B

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht)
The German federal financial supervisory authority. Regulates banks, financial services providers, insurance undertakings, and securities trading.
BCBS (Basel Committee on Banking Supervision)
The primary global standard setter for the prudential regulation of banks. Basel III is the current reform package. Banks respond to BCBS-related capital and liquidity questionnaires from regulators.
Browser extension
A plugin that brings the RocketDocs content library to any web form. Used when a customer security questionnaire or RFP is hosted on a third-party portal that does not allow Word or Excel export.
Bulk actions
Operations performed across many items at once instead of individually. RocketDocs supports bulk SME assignment, bulk autofill, bulk Astro generation, bulk approval, and bulk content tagging.

C

CAIQ (Consensus Assessments Initiative Questionnaire)
A widely used cloud security questionnaire published by the Cloud Security Alliance. Customers use CAIQ to evaluate the security posture of cloud service providers. CAIQ Lite is a shorter version covering the most important controls.
CCPA (California Consumer Privacy Act)
California state law granting consumers rights over the personal information businesses collect about them. CCPA compliance is a common topic in vendor security questionnaires.
CFA Institute DDQ
Due diligence questionnaire templates published by the CFA Institute for separately managed accounts and other investment products. Widely used by investment consultants and institutional investors.
CFTC (Commodity Futures Trading Commission)
US federal agency that regulates the derivatives markets, including futures, swaps, and certain types of options. CFTC-registered firms respond to recurring CFTC examinations.
CMMC (Cybersecurity Maturity Model Certification)
A certification framework required by the US Department of Defense for contractors handling controlled unclassified information (CUI). CMMC 2.0 defines three levels: Level 2 maps to the NIST SP 800-171 requirements, and Level 3 adds a subset of NIST SP 800-172.
CMS (Centers for Medicare and Medicaid Services)
The US federal agency that administers Medicare, Medicaid, and parts of the ACA. Health plans participating in Medicare Advantage, Part D, and Medicaid managed care respond to CMS audits and exams.
Content library
A centralized, governed knowledge base of approved answers, content blocks, attachments, and supporting evidence. The foundation of every response management deployment.
Content record
The fundamental unit of a content library. A content record typically contains a question, an approved answer, a status (Draft, Under Review, Published, Expired), an owner, a review date, and a complete version history.
CRO (Contract Research Organization)
In life sciences, a service organization that conducts clinical trials and other research on behalf of pharmaceutical, biotech, and medical device sponsors. CROs respond to sponsor qualification questionnaires.
Cycle time
The elapsed time from receiving a questionnaire (or starting a proactive proposal) to delivering the final response. The primary metric for response management efficiency. Mature deployments often see 50 percent cycle time reduction.

D

Data residency
The requirement that certain data be stored and processed in specific geographic locations. Common in financial services, healthcare, and government contexts. RocketDocs supports US and EU data residency.
DDQ (Due Diligence Questionnaire)
A structured questionnaire used by investors, auditors, regulators, and customers to evaluate a company's operations, compliance, and risk profile. DDQs are typically recurring (quarterly, annually) and deeper than RFPs.
Diff tracking
A version history feature that highlights what changed between versions of a content record. Used in compliance review to show exactly what was modified and by whom.

E

eCTD (Electronic Common Technical Document)
The format for regulatory submissions to health authorities (FDA, EMA, PMDA) used in pharmaceutical and biotech regulatory submissions. RocketDocs is not an eCTD system but can feed content into eCTD workflows.
EMA (European Medicines Agency)
The European Union agency responsible for evaluating and supervising medicines. Pharmaceutical and biotech companies submit regulatory documentation to EMA for marketing authorization in the EU.
Encryption at rest
The practice of encrypting stored data so it is unreadable without the encryption key. RocketDocs uses AES-256 encryption at rest, the usual choice for enterprise data protection. The cipher is rarely the weak point; a questionnaire should also ask who holds the keys, how they are rotated, and whether customer data can be segregated under separate keys.
Encryption in transit
The practice of encrypting data while it moves between systems. RocketDocs uses TLS 1.2 or higher for data in transit. TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so questionnaires typically ask for confirmation that they are disabled, not only that newer versions are supported.

F

FCA (Financial Conduct Authority)
The UK regulator for financial services firms and financial markets. FCA-regulated firms respond to recurring FCA examinations and ongoing supervisory questionnaires.
FedRAMP (Federal Risk and Authorization Management Program)
The US government program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud service providers used by federal agencies. FedRAMP authorization is required for SaaS vendors selling to federal customers.
FINRA (Financial Industry Regulatory Authority)
The self-regulatory organization that oversees brokerage firms and exchange markets in the US. FINRA-registered firms respond to recurring FINRA examinations and rule-required questionnaires.

G

GDPR (General Data Protection Regulation)
European Union regulation on data protection and privacy. GDPR compliance is a common topic in vendor security questionnaires, especially from EU customers.
Generative AI
AI that produces new content (text, images, code) based on training data and user prompts. In response management, generative AI is the third layer of three-layer AI, used to draft answers when exact match and similarity search do not return a result.
GLBA (Gramm-Leach-Bliley Act)
US federal law requiring financial institutions to explain their information-sharing practices and protect customer financial information. GLBA compliance appears in nearly every financial services security questionnaire.
Granular permissions
Access controls enforced at multiple levels: user, role, group, content record, library, and project. Granular permissions allow an organization to share content broadly while restricting sensitive content to authorized reviewers.
GxP (Good Practice quality guidelines)
A collective term for good practice quality guidelines and regulations in the pharmaceutical, food, and medical device industries. Includes GMP (manufacturing), GLP (laboratory), GCP (clinical), and GDP (distribution).

H

HIPAA (Health Insurance Portability and Accountability Act)
US federal law requiring covered entities and business associates to protect the privacy and security of protected health information. The Security Rule and Privacy Rule are the two HIPAA components most relevant to vendor risk reviews.
HITECH (Health Information Technology for Economic and Clinical Health Act)
US federal law that strengthened HIPAA enforcement, expanded breach notification requirements, and accelerated electronic health record adoption.
HITRUST (Health Information Trust Alliance)
The organization that publishes the HITRUST CSF, a control framework that maps to HIPAA, NIST, ISO 27001, and other standards. Many healthcare vendors pursue HITRUST certification as a comprehensive security posture statement.

I

ICH GCP (International Council for Harmonisation Good Clinical Practice)
International ethical and scientific quality standard for designing, conducting, recording, and reporting clinical trials. Required for clinical research data accepted by regulators in major markets.
ILPA (Institutional Limited Partners Association)
The trade association for institutional limited partners in private equity and other private market funds. ILPA publishes the ILPA Standardized DDQ, widely used by institutional investors evaluating private fund managers.
ISO 27001
The international standard for information security management systems. ISO 27001 certification demonstrates that an organization has implemented a comprehensive information security framework. Required by many enterprise procurement teams.

L

LaunchPad
RocketDocs' Microsoft 365 add-in that brings the full platform into Word and Excel. Users search the library, autofill responses, run Astro, and assign sections to SMEs without leaving the document.
Llama 3.1
An openly available (open-weight) large language model from Meta, released under Meta's community license. RocketDocs hosts Llama 3.1 privately inside its environment to power Astro's generative AI features without sending customer data to third parties.
LOB (Line of Business)
A distinct business unit within a larger organization, often with its own products, customers, and compliance requirements. Multi-LOB firms (banks, conglomerates, multi-product asset managers) need response management platforms that support per-LOB libraries and workflows.
Lockdown
The state of a content record or document where editing is prevented until an authorized user explicitly unlocks it. Lockdown protects approved content from accidental modification.

M

MFA (Multi-Factor Authentication)
A security control requiring users to present two or more authentication factors (something you know, something you have, something you are) to access a system. RocketDocs supports MFA enforced through the customer's identity provider.
MiFID II (Markets in Financial Instruments Directive II)
European Union directive governing investment services and activities, paired with the MiFIR regulation. MiFID II applies to EU investment firms and creates ongoing reporting obligations.
Multi-affiliate
An organizational structure with multiple legal entities under one parent. Common in asset management (multiple investment managers under one holding company), banking (multiple subsidiaries), and insurance (multiple carriers). RocketDocs library structure supports per-affiliate content with cross-affiliate reuse where allowed.
Multi-tab Excel
An Excel file with multiple worksheets (tabs). Most security questionnaires (SIG, CAIQ, custom enterprise reviews) ship as multi-tab Excel files. RocketDocs handles multi-tab Excel natively, with per-tab response placement and bulk operations across tabs.

N

NAIC (National Association of Insurance Commissioners)
The US standard-setting and regulatory support organization created by state insurance regulators. NAIC publishes Model Laws that state insurance departments adopt with variations.
NCQA (National Committee for Quality Assurance)
A non-profit organization that accredits and certifies a wide range of healthcare organizations. NCQA accreditation is common for health plans and includes operational and quality questionnaires.
NIST 800-53
A US National Institute of Standards and Technology publication providing security and privacy controls for federal information systems. Used as a control framework for federal contractors and adopted in some commercial settings.
NIST 800-171
A NIST publication providing security requirements for protecting controlled unclassified information in non-federal systems. Required for federal contractors and subcontractors handling CUI.

O

OCC (Office of the Comptroller of the Currency)
US federal agency that charters, regulates, and supervises national banks and federal savings associations. OCC third-party risk management expectations (Bulletin 2013-29, replaced in 2023 by the interagency guidance on third-party relationships) drive much of the security questionnaire volume that hits SaaS vendors selling into national banks.
Office-native
A workflow or platform that operates inside Microsoft Word, Excel, PowerPoint, or other Office applications. Office-native response management eliminates the export-and-reformat step that legacy platforms require.
Open API
A documented API that exposes platform capabilities for custom integration. RocketDocs Open API supports project management, content library access, user provisioning, and webhook event delivery.

P

PCI DSS (Payment Card Industry Data Security Standard)
The security standard for organizations that store, process, or transmit payment card data. PCI DSS compliance is required for payment-handling SaaS platforms and creates specific security questionnaire patterns.
Personalization tokens
Placeholders in templates that automatically fill with customer-specific information at generation time. Common tokens include company name, logo, key contact, deal size, and industry. Used in RapidDocs and dynamic content workflows.
PHI (Protected Health Information)
Health information that is created, received, or maintained by a HIPAA covered entity or business associate and can be linked to a specific individual. PHI handling is governed by HIPAA Privacy and Security Rules.
PII (Personally Identifiable Information)
Information that can be used to identify a specific individual. PII handling is governed by GDPR, CCPA, and other privacy regulations.
Private AI
A generative AI architecture where the model runs inside the customer's or vendor's controlled environment, with no customer data sent to third-party model providers. The architecture most regulated-industry buyers require before they will approve generative AI on their data.

R

RapidDocs
RocketDocs' logic-driven proposal generation capability. Templates assemble approved content blocks based on configurable inputs to produce branded, personalized proposals and presentations in Word and PowerPoint.
Response management
The category of software and processes for responding to structured information requests, including RFPs, RFIs, DDQs, and security questionnaires. RocketDocs is a response management platform.
RFI (Request for Information)
A document buyers use to gather information from potential vendors before formally soliciting proposals. Typically less detailed than an RFP. RFIs often precede an RFP in the procurement cycle.
RFP (Request for Proposal)
A document buyers use to formally solicit proposals from vendors. Includes capability questions, pricing requirements, and evaluation criteria. The most common questionnaire type in B2B sales.
RFQ (Request for Quotation)
A document buyers use when they have already specified requirements and want pricing from multiple vendors. Narrower than an RFP.
RFx
Umbrella term for any "request for" document, including RFPs, RFIs, RFQs, and other variants.

S

Salesforce integration
A bidirectional connection between Salesforce and a response management platform. Enables CRM data to flow into response projects (customer info, opportunity context) and project data to flow back to the CRM (status, cycle time, win rate).
SCIM (System for Cross-domain Identity Management)
An open standard for automating user provisioning and deprovisioning across cloud applications. SCIM-compatible platforms automatically create, update, and remove users based on the customer's identity provider.
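
What a SCIM-driven user store has to get right, shown as an added example that is not RocketDocs' code: the identity provider creates users with POST /Users and, in practice, deprovisions them with a PATCH that sets active to false rather than a DELETE, so every login path must check the active flag. The schema URNs are the real SCIM 2.0 ones (RFC 7643/7644); the in-memory store, the user payloads and the identity provider's externalId are constructed for the example. One edge case is handled deliberately: some identity providers send the boolean as the string "False", which a naive bool() cast would read as true and leave the account enabled.

```python
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def as_bool(value) -> bool:
    """Some identity providers send booleans as the strings "True"/"False";
    bool("False") is True, so parse explicitly instead of casting."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


class ScimUserStore:
    """In-memory stand-in for a SaaS user table driven by SCIM 2.0 messages (constructed)."""

    def __init__(self):
        self.users: dict[str, dict] = {}   # keyed by the id this service assigns
        self._next_id = 1

    def create(self, body: str) -> dict:
        """POST /Users: provision the user the identity provider describes."""
        doc = json.loads(body)
        if SCIM_USER not in doc.get("schemas", []):
            raise ValueError("unexpected schema")
        if any(u["userName"] == doc["userName"] for u in self.users.values()):
            raise ValueError("userName already exists (SCIM answers 409)")
        user = {
            "id": str(self._next_id),
            "externalId": doc.get("externalId"),
            "userName": doc["userName"],
            "active": as_bool(doc.get("active", True)),
            "emails": [e["value"] for e in doc.get("emails", [])],
        }
        self.users[user["id"]] = user
        self._next_id += 1
        return user

    def patch(self, user_id: str, body: str) -> dict:
        """PATCH /Users/{id}: deprovisioning usually arrives as replace active=false."""
        doc = json.loads(body)
        if SCIM_PATCH not in doc.get("schemas", []):
            raise ValueError("unexpected schema")
        user = self.users[user_id]
        for op in doc["Operations"]:
            if op["op"].lower() != "replace":
                continue
            if op.get("path") == "active":
                user["active"] = as_bool(op["value"])
            elif op.get("path") is None and isinstance(op["value"], dict):
                # path-less form: value carries a partial User object
                if "active" in op["value"]:
                    user["active"] = as_bool(op["value"]["active"])
        return user

    def delete(self, user_id: str) -> None:
        """DELETE /Users/{id}: remove the account outright."""
        del self.users[user_id]

    def can_log_in(self, user_name: str) -> bool:
        """The check every login and API path must make: inactive or unknown users get nothing."""
        user = next((u for u in self.users.values() if u["userName"] == user_name), None)
        return bool(user and user["active"])


def demo() -> tuple[bool, bool]:
    """Constructed IdP traffic: provision a user, then deactivate with a string-valued boolean."""
    store = ScimUserStore()
    created = store.create(json.dumps({
        "schemas": [SCIM_USER],
        "externalId": "00u1abc",
        "userName": "jdoe@example.com",
        "active": True,
        "emails": [{"value": "jdoe@example.com", "primary": True}],
    }))
    before = store.can_log_in("jdoe@example.com")
    store.patch(created["id"], json.dumps({
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
    }))
    after = store.can_log_in("jdoe@example.com")
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The security value of SCIM is the deprovisioning half: when HR or IT disables someone at the identity provider, access in the vendor platform must end within the sync interval, including any API tokens or active sessions that platform has issued. A questionnaire answer of "we support SCIM" is worth probing for exactly that.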
SEC (Securities and Exchange Commission)
US federal agency that regulates the securities industry and securities markets. SEC-registered investment advisers and broker-dealers respond to recurring SEC examinations.
SIG (Standardized Information Gathering)
A widely used security questionnaire published by Shared Assessments. SIG covers a broad range of security controls and is used by enterprise customers to evaluate vendor security posture. SIG Lite is a shorter version.
SME (Subject Matter Expert)
A person with deep expertise in a specific topic. In response management, SMEs review and approve content related to their area of expertise. SME coordination is the bottleneck on most response projects.
SOC 2 Type II
An independent audit of controls against the AICPA Trust Services Criteria: security (always in scope), plus availability, processing integrity, confidentiality, and privacy as selected by the vendor. Type II reports cover a period of time (typically six to twelve months), not just a point in time, so they show that controls operated, not only that they were designed. Required by many enterprise procurement teams.
Solvency II
European Union directive that codifies and harmonizes EU insurance regulation. Primarily concerns the amount of capital EU insurance companies must hold to reduce the risk of insolvency.
SOX (Sarbanes-Oxley Act)
US federal law that established new auditing and financial regulations for public companies. SOX compliance creates specific documentation and control requirements that flow into vendor questionnaires.
SSO (Single Sign-On)
An authentication scheme where a user logs in once and gains access to multiple applications. RocketDocs supports SSO through Okta, Azure AD (now Microsoft Entra ID), Google Workspace, and other SAML-compatible identity providers. When reviewing any vendor, ask whether SSO can be enforced so that local password login is disabled; otherwise the identity provider's MFA and deprovisioning can be bypassed.

T

21 CFR Part 11
US Food and Drug Administration regulation governing electronic records and electronic signatures in FDA-regulated environments. Pharmaceutical, biotech, and medical device companies require systems that align to 21 CFR Part 11 expectations: immutable audit trails, structured electronic approvals, and full export history.
Three-layer AI
RocketDocs' AI architecture that handles questions in priority order: exact-match autofill (Layer 1), context-aware similarity search (Layer 2), and private generative AI (Layer 3). Generative AI is the last resort, not the first response.
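
The priority order, written out as an added example (not RocketDocs' implementation): exact match after normalisation first, then the nearest approved question by token overlap, then a generative draft only when both fail. The governance points the code enforces are that only Published records are ever served and that anything below an exact match is flagged for SME review with its source recorded. The library records, the questions, the Jaccard similarity and the 0.6 threshold are all constructed for the example; the generative call is left to the caller and is not implemented here.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

_TOKEN = re.compile(r"[a-z0-9]+")


@dataclass
class ContentRecord:
    id: str
    question: str
    answer: str
    status: str           # Draft, Under Review, Published, Expired


@dataclass
class Resolution:
    layer: int            # 1 exact match, 2 similarity, 3 generative draft
    answer: str
    source_id: Optional[str]
    score: float
    requires_review: bool


def normalize(text: str) -> str:
    return " ".join(_TOKEN.findall(text.lower()))


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def resolve(question: str, library: list, threshold: float = 0.6,
            generate: Optional[Callable[[str, list], str]] = None) -> Resolution:
    """Route a question through the layers in priority order.
    Only Published records are eligible: Draft, Under Review and Expired content is never served."""
    eligible = [r for r in library if r.status == "Published"]
    q_norm = normalize(question)
    # Layer 1: exact match after normalisation; an approved answer, no review needed
    for r in eligible:
        if normalize(r.question) == q_norm:
            return Resolution(1, r.answer, r.id, 1.0, False)
    # Layer 2: nearest approved question by token overlap; a human confirms the fit
    q_tokens = set(_TOKEN.findall(question.lower()))
    best, best_score = None, 0.0
    for r in eligible:
        score = jaccard(q_tokens, set(_TOKEN.findall(r.question.lower())))
        if score > best_score:
            best, best_score = r, score
    if best is not None and best_score >= threshold:
        return Resolution(2, best.answer, best.id, round(best_score, 3), True)
    # Layer 3: generative draft, last resort, always flagged for SME review. The model call
    # is supplied by the caller (not implemented in this example); the default is an empty draft.
    draft = generate(question, eligible) if generate else ""
    return Resolution(3, draft, None, 0.0, True)


def demo() -> list:
    """Constructed library and three questions, one landing in each layer."""
    library = [
        ContentRecord("rec-1", "Do you encrypt data at rest?", "Yes, AES-256 at rest.", "Published"),
        ContentRecord("rec-2", "Is data encrypted in transit?", "Yes, TLS 1.2 or higher.", "Published"),
        ContentRecord("rec-3", "Do you support SSO?", "Yes, via SAML.", "Expired"),
    ]
    questions = [
        "Do you encrypt data at rest?",             # exact match -> layer 1
        "Is customer data encrypted in transit?",   # near match  -> layer 2
        "Do you support SSO?",                      # only an Expired record exists -> layer 3
    ]
    return [resolve(q, library) for q in questions]


if __name__ == "__main__":
    for res in demo():
        print(res.layer, res.source_id, res.requires_review)
```

The third question is the one worth noticing: an expired answer exists, and a less careful router would happily reuse it. Keeping status in the eligibility check is what stops a stale "yes" from reaching a customer questionnaire.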
TLS (Transport Layer Security)
A cryptographic protocol that secures data in transit between systems. RocketDocs uses TLS 1.2 or higher for all data in transit.
Trust Center
A web destination where a vendor publishes its security certifications, audit reports, compliance documentation, and security questionnaire responses. RocketDocs maintains a Trust Center at trust.rocketdocs.com.

V

VSA (Vendor Security Alliance)
An industry collective that publishes vendor security assessment standards and questionnaires. Used by some enterprise procurement teams as an alternative to SIG or CAIQ.
VSAQ (Vendor Security Assessment Questionnaire)
A general term for vendor security assessment questionnaires. Often used to refer to custom enterprise security questionnaires that do not match a standardized format. The name is also used by Google's open-source VSAQ project, a framework for publishing interactive security questionnaires.

W

Webhooks
A method for one application to send real-time data to another when an event occurs, delivered as an HTTP request to a URL the receiver registers. RocketDocs Open API supports webhooks for event-driven integration with internal systems. Because the receiving endpoint is reachable from the internet, receivers should authenticate each delivery (for example by verifying a signature over the raw body) rather than trusting the payload on arrival.
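
The receiver-side check that entry implies, as an added example. The signing scheme here (HMAC-SHA256 over "timestamp.body", carried in X-Webhook-Timestamp and X-Webhook-Signature headers) is a common pattern assumed for illustration; it is not RocketDocs' documented scheme, and the header names, secret and event payload are constructed. The example shows the three failure modes a verifier has to reject: a modified body, a replayed old delivery, and a signature made with the wrong secret.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300   # drop deliveries whose timestamp is more than five minutes off


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>" (assumed scheme, see lead-in)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: int) -> tuple[bool, str]:
    """Receiver side. Verify the raw bytes before parsing them; re-serialised JSON will not match."""
    try:
        timestamp = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, timestamp, body)
    provided = headers.get("X-Webhook-Signature", "")
    # compare_digest runs in constant time; == would leak how many leading bytes matched
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    return True, "ok"


def handle(secret: bytes, headers: dict, body: bytes, now: int) -> dict:
    """What an endpoint does: reject first, parse second."""
    accepted, reason = verify(secret, headers, body, now)
    if not accepted:
        return {"accepted": False, "reason": reason}
    event = json.loads(body)
    return {"accepted": True, "reason": reason, "event": event.get("event")}


def demo() -> list:
    """Constructed deliveries: one genuine, one tampered, one replayed, one forged."""
    secret = b"whsec_example_shared_secret"      # constructed; a real secret comes from the vendor
    now = 1_736_500_000
    body = json.dumps({"event": "project.approved", "project_id": "prj-17"}).encode()
    good = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(secret, now, body)}
    tampered_body = body.replace(b"prj-17", b"prj-99")
    stale = {"X-Webhook-Timestamp": str(now - 3600),
             "X-Webhook-Signature": sign(secret, now - 3600, body)}
    forged = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(b"guess", now, body)}
    return [
        handle(secret, good, body, now)["accepted"],
        handle(secret, good, tampered_body, now)["accepted"],
        handle(secret, stale, body, now)["accepted"],
        handle(secret, forged, body, now)["accepted"],
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False]
```

Two details matter in practice: the timestamp window bounds how long a captured delivery can be replayed, and the signature must be computed over the exact bytes received, which means reading the raw request body before any framework parses it into JSON.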
Win rate
The percentage of submitted proposals that result in won business. The primary outcome metric for proposal teams. Mature response management deployments often correlate with measurable win rate improvement.
Workflow
The structured sequence of stages a response project follows from intake to delivery. Custom workflows define stages, approval gates, action permissions, and SME assignment rules. Configurable per project type.

FAQ

Frequently asked questions

How is this glossary maintained?

The glossary is updated when new frameworks emerge, when existing standards release new versions, or when our customers ask about terms that are not yet covered. If a term is missing, send a suggestion through the contact form.

Can I link to specific terms in the glossary?

Yes. Each term has its own anchor URL that you can link to directly. Useful for sharing definitions with team members or in vendor documentation.

Does RocketDocs publish similar resources for specific industries?

Yes. Industry-specific glossaries and reference materials are available in the guides library, including the 2026 RFP Response Playbook for Sales Ops and the 2026 DDQ Compliance Checklist for Financial Services.

Can I republish glossary content?

Internal use within your organization is encouraged. For external republishing, syndication, or commercial reuse, contact our content team first.
