COMPLIANCE

How to Get a SOC 2 Report for Your Internal Security Tool

The practical guide to getting internally-built security automation through enterprise procurement.

7 min read

A Mershard J.B. Frierson · Founder, ARX

You built a security tool internally. It works. Your team uses it. Now procurement is asking for a SOC 2 Type II report, a data flow diagram, a sub-processor list, a completed CAIQ v4, and evidence of penetration testing conducted within the last 12 months.

You have a Python script. It runs on your laptop. Where do you start?

Understanding What Procurement Actually Needs

Before you panic, understand what the vendor security review is actually asking. Procurement is not trying to block your tool. They are trying to answer a set of standard questions about data security, access control, and operational continuity.

The questions fall into four categories: Where is data stored and how is it protected? Who has access and how is that controlled? What happens when something goes wrong? Can you prove this tool does what you say it does?


The Old Way: Six Months and $100,000

The traditional path to answering these questions for an internal tool is brutal. You hire a compliance consultant. They work with your security team over three to six months to document every system the tool touches, map controls to a framework, and prepare evidence packages. You get a penetration test. You engage a third-party auditor. You produce a SOC 2 report. Total cost: $75,000 to $150,000 in professional services, plus engineering time.

For a tool that saves $200,000 per year in analyst hours, this math is painful but defensible. For a tool that saves $40,000 per year, the compliance cost exceeds the value, and most internally-built tools sit closer to the second case than the first. So the tool dies in procurement.

The New Way: Inherited Compliance

The alternative is inherited compliance. Instead of building compliance from scratch for your tool, you deploy your tool on infrastructure that already holds the relevant attestations. Your tool inherits the infrastructure-layer controls covered by those attestations: physical security, network and host hardening, backups, availability. Controls that live in your tool itself, such as who is allowed to run it, how it authenticates to the systems it touches, and what it logs, remain yours to operate and to evidence. Inheritance shrinks the scope you have to prove; it does not remove it.

This is how ARX works. The platform runs on Aptible, which maintains a SOC 2 Type II report, HITRUST certification, and HIPAA compliance. Every tool deployed on ARX runs on that attested infrastructure. The platform generates the compliance documentation (data flow diagram, sub-processor list, SOC 2 control mapping) from the observed runtime behavior of your tool rather than from a questionnaire you fill in by hand.

What you send to procurement is a PDF that documents: which controls are inherited from the ARX infrastructure, which controls are implemented at the application layer and therefore evidenced by your team, what data your tool accesses and where it flows, and which third-party systems your tool calls. This document generates in minutes, not months.


What This Means Practically

The six-month vendor review becomes a two-week procurement approval. The $100,000 compliance build becomes a platform subscription. The tool that was going to die in procurement is in production by end of the month.

You still need to answer the questionnaire. You still need documentation. But the work is done for you, from your tool's actual behavior, by the platform your tool runs on. The compliance gap closes.
