RFP questions: security questions for your password manager vendor

Updated March 2025 · passwordmanager.eu

Copy-paste these prompts into your security questionnaire. Adapt wording to your sector; ask for evidence (architecture docs, SOC2/ISO reports) not adjectives.

Data and cryptography

Describe encryption at rest and in transit; specify algorithms and key lengths.
Is customer vault data zero-knowledge to vendor staff? Any exceptions for support?
How are encryption keys generated, stored, and rotated?

Tenancy and isolation

Single-tenant options: when available and at what cost?
Logical separation between customers in shared infrastructure

Operations and incidents

Incident response SLA and customer notification timeline
Penetration testing frequency and customer access to summaries
Backup RPO/RTO and last successful restore test date

Compliance artefacts

Current subprocessors and transfer mechanisms for non-EEA services
Data processing agreement template and DPIA support materials

After you shortlist vendors, run priorities through our weighted assessment so procurement scores match how your organisation actually weighs EU hosting and compliance.