cc9.1-4-001

CC9.1 · D4 · f1

Difficulty: D4
Gaps: 4
Red Herrings: 2
Avg Score: 67%

Task

You are conducting a SOC 2 Type II readiness assessment for Quantum SaaS Inc. covering the observation period Q4 2025 (October 1 – December 31, 2025). Review all provided evidence and assess compliance with CC9.1 (Risk Mitigation for Vendors and Business Partners). Cross-reference the vendor management policy against the vendor inventory and exception register. Not all documents may be relevant. Identify genuine control deficiencies — consider whether exceptions or compensating controls adequately address apparent gaps before flagging.

Evidence

Findings

| ID | Type | Severity | Finding | Detail |
|---|---|---|---|---|
| F-001 | red_herring | low | DataRobot has no SOC 2 report — but has valid CISO exception with compensating controls | DataRobot is a Critical-tier vendor without a SOC 2 report. This looks like a clear policy violation. However, VEXC-2025-001 shows an active CISO-approved exception with compensating controls (securit... |
| F-002 | red_herring | low | HubSpot has no SOC 2 report — but has valid CISO exception with alternative assessment | HubSpot is a High-tier vendor that has not provided its SOC 2 report despite requests since October 2025. VEXC-2025-002 shows a CISO-approved exception with an alternative assessment (security questio... |
| F-003 | gap | high | Stripe uses carve-out method for GCP subservice organization — no independent assessment | Stripe is a Critical-tier vendor processing customer PII and financial data. Their SOC 2 report uses the carve-out method for GCP. Policy Section 4.2 states: 'If carve-out method is used, Quantum must... |
| F-004 | gap | high | Snowflake SOC 2 report review not completed within 90-day SLA | Snowflake is a Critical-tier vendor processing customer PII. Their SOC 2 report was received December 15, 2025. The vendor inventory shows 'review not yet completed' as of the evidence collection date... |
| F-005 | gap | medium | No quarterly business reviews for High-tier vendors (SendGrid, HubSpot, Zendesk, Amplitude) | Policy Section 4.3 requires quarterly business reviews for Critical vendors. The vendor inventory shows business reviews completed for all Critical vendors (AWS, Datadog, Stripe, Okta, Snowflake, Data... |
| F-006 | gap | medium | Multiple High-tier vendors use carve-out method with no independent subservice org assessment | SendGrid (AWS carve-out), Amplitude (AWS + GCP carve-out), and Lattice (AWS carve-out) all use the carve-out method for subservice organizations in their SOC 2 reports. Policy Section 4.2 requires ind... |

Results

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 73% | 100% | 57% | 73% | 4/4 | 7 |
| Opus 4.7 | Anthropic | 67% | 100% | 50% | 67% | 4/4 | 8 |
| GPT-5.5 | OpenAI | 100% | 100% | 100% | 100% | 4/4 | 3 |
| GPT-4.1 | OpenAI | 67% | 75% | 60% | 67% | 3/4 | 5 |
| Haiku 4.5 | Anthropic | 80% | 100% | 67% | 80% | 4/4 | 6 |
| GPT-4o | OpenAI | 18% | 50% | 11% | 18% | 2/4 | 16 |