Enterprise B2B · RAG · Excel

Building TrustRespond.ai: Automating B2B Vendor Security Questionnaires in 12 Seconds

April 2026 · Damir Andrijanic · 8 min read

The enterprise compliance bottleneck

Every B2B SaaS team chasing an enterprise deal knows the pattern: the vendor security questionnaire arrives as a massive, 200-row Excel file from IT, packed with precise questions about data security, SOC 2 evidence, and internal policies.

Mapping your real security documents onto those spreadsheets manually burns weeks of engineering and sales time. Formatting breaks, context gets lost, and the deal cycle slips.

TrustRespond.ai

I built TrustRespond.ai to compress that multi-week bottleneck into a ~12 second automated workflow.

It is an enterprise AI platform that securely ingests compliance documents (such as SOC 2 reports) into a vector database, reads the client's blank Excel questionnaire, maps questions with an advanced RAG pipeline, and returns a fully populated workbook—without breaking the original cell structure or formulas.

Technical architecture and stack

Framework

Next.js 15 (App Router) for a server-first architecture and clean API integration at the edge.

Database and auth

Supabase (PostgreSQL) for authentication, Row Level Security (RLS), and durable application state.

Vector engine

pgvector for storing document embeddings and searching them at query time.

AI and LLMs

Google Gemini 2.5 Flash via the Vercel AI SDK—fast, huge context window, and reliable with structured JSON and Excel-oriented outputs.

Monetization

Stripe Checkout and webhooks for automated tiering, billing events, and quota allocation.

Styling

Tailwind CSS with a custom enterprise B2B design language: glass surfaces, deep navy backgrounds, and emerald accents.

Key engineering challenges

1) PostgreSQL statement limits (54001) during ingestion

Issue: Large PDFs (for example 100+ pages) produce hundreds of embedding rows. Packing every chunk into a single Supabase insert exploded the statement size and triggered statement_too_complex failures.

Fix: I built a batching utility that slices inserts into stable batches (for example 50 rows at a time), processes them sequentially, and keeps memory and database load predictable regardless of document size.

2) Row Level Security (RLS) recursion

Issue: Questionnaire generation queried vectors through an RPC while RLS policies referenced helpers like current_org_id(). That pattern caused recursive policy evaluation during complex reads and hit stack depth limits.

Fix: I isolated the internal RAG read path: server-side service role access for that generation step only, with tenant boundaries enforced at the API layer. That removed recursion while keeping customer data partitioned by organization. Because the service role bypasses RLS entirely, the API-layer check is the only tenant boundary on that path.

3) Stripe webhooks and authoritative billing state

Issue: Trusting client-side billing state is an open door for abuse. You need server-side truth after checkout and plan changes.

Fix: I added an org-scoped usage table. A Stripe webhook handler on the Next.js server verifies signatures, then calls a secure RPC to unlock enterprise limits for the correct org_id immediately after payment events.
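What the "verifies signatures" step involves, as an added example that is not TrustRespond's code: it checks Stripe's documented `t=...,v1=...` header (HMAC-SHA256 over `${t}.${rawBody}`) with node:crypto, then changes entitlements only from fields inside the verified event. The function names, the `usageByOrg` Map standing in for the usage table and RPC, and the use of `client_reference_id` to carry the org id are assumptions; in a real handler the Stripe SDK's `stripe.webhooks.constructEvent` performs this check.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // reject deliveries outside a 5-minute window (replay)

// Header format: "t=<unix seconds>,v1=<hex HMAC-SHA256 over `${t}.${rawBody}`>"
function parseSignatureHeader(header) {
  const parts = { t: NaN, v1: [] };
  for (const item of String(header || "").split(",")) {
    const [key, value] = item.trim().split("=", 2);
    if (key === "t") parts.t = Number(value);
    if (key === "v1" && value) parts.v1.push(value);
  }
  return parts;
}

// rawBody must be the exact string received, before any JSON parsing.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!Number.isInteger(t) || v1.length === 0) return { ok: false, reason: "malformed" };
  if (Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) return { ok: false, reason: "stale" };
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const match = v1.some((hex) => {
    const candidate = Buffer.from(hex, "hex");
    return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
  });
  return match ? { ok: true, event: JSON.parse(rawBody) } : { ok: false, reason: "bad-signature" };
}

// Entitlements change only from fields inside the verified event, never from client state.
function applyBillingEvent(result, usageByOrg) {
  if (!result.ok || result.event.type !== "checkout.session.completed") return false;
  // Assumption: the server set client_reference_id to the org id when creating the checkout.
  const orgId = result.event.data?.object?.client_reference_id;
  if (!orgId) return false;
  usageByOrg.set(orgId, { plan: "enterprise" }); // stand-in for the org-scoped usage RPC
  return true;
}

// Constructed sample: the secret, org id and payload are made up for this example.
const SECRET = "whsec_example_only";
const BODY = JSON.stringify({
  type: "checkout.session.completed",
  data: { object: { client_reference_id: "org_demo_123" } },
});
function signSample(body, secret, t) {
  const mac = crypto.createHmac("sha256", secret).update(`${t}.${body}`).digest("hex");
  return `t=${t},v1=${mac}`;
}
```

A body whose org id was edited after signing fails with "bad-signature", so no entitlement is written for the substituted organization.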

The user experience

Beyond the backend, the UI is intentionally premium: a dark-glass aesthetic, confident drag-and-drop upload zones, and dry-run mapping analytics so reviewers can trust the automation before it touches a live questionnaire.

The result

The system turns a blank, intimidating 200-row workbook into context-aware answers grounded in private embeddings—while preserving Excel structure.

Processing time: ~12 seconds

Engineering time saved (per client): ~40 hours

TrustRespond.ai is a reminder that with disciplined architecture, even gnarly enterprise compliance workflows can feel instant.

Takeaway

Vendor security questionnaires look like a paperwork problem, but under the hood they are a retrieval, security, and data-modeling problem. Solve those three cleanly, and sales stops waiting on spreadsheets.

If you want to see the product in action:

trustrespond.ai