Updated for 2026
Security Reviews Slow Enterprise Sales
Enterprise deals follow a clear pattern. A provider with strong features loses months — or the whole deal — to a vendor security review. The process exists for good reason. Enterprise teams are liable for every tool that touches their records. Regulated sectors have strict vendor rules.
Healthcare firms must track how vendors handle PHI. Financial firms must show safeguards to regulators. Legal teams must protect client files. The review is fair. But for providers without zero-knowledge architecture, it becomes a long gate that rarely moves fast.
Questions That Block or Speed Deals
Enterprise security questionnaires cover 100 to 200-plus questions. Most have solid answers for any competent vendor. Patch plans, staff training, incident response — these just need good docs.
A small set of questions creates real friction for cloud vendors without zero-knowledge design. These are the questions that decide deals.
"Can your staff see customer data?"
For vendors with server-side encryption: yes, in some cases. Support staff can view records to fix problems. Legal orders can force data out. That answer triggers more scrutiny. It often needs risk team review.
For zero-knowledge vendors: no. Staff cannot read plaintext records in any case. The design makes decryption impossible without the customer's key. That answer closes the question. It moves the review forward.
"What does a full breach expose?"
For server-side providers: encrypted data and, because the provider holds the keys, possibly the key material needed to decrypt it. Reviewers ask follow-up questions. The answer is not clean.
For zero-knowledge providers: AES-256-GCM ciphertext, no keys. A full server breach exposes nothing usable.
"Can you hand over plaintext data under subpoena?"
For server-side vendors: yes, under legal process. That is a direct concern for firms with sensitive records.
For zero-knowledge vendors: we can only produce ciphertext. We do not hold the keys. No legal order can force us to hand over what we do not have.
See the legal conformance docs and the protection page for full details.
The Argon2id Parameter Detail
Regulated-sector reviews ask for exact crypto parameters. Key derivation method, iteration count, and memory cost are all common questions in healthcare, finance, and government deals. Each missing detail slows the process.
Argon2id with 200,000 iterations is 4× the OWASP minimum for password-based key derivation. Specific answers move reviews forward. Vague answers — "we use standard encryption" — trigger follow-up document requests and slow the deal.
ISO 27001 and the Certification Lift
ISO 27001 conformance handles a different class of review friction. The 100-plus controls in ISO 27001:2022 Annex A cover the org-level questions in most vendor reviews: access control, key management, physical safeguards, incident handling.
Firms that require ISO 27001 can skip testing individual controls. The certification is proof. It shows controls exist and were audited by a third party. In enterprise buying, that turns a six-month review into a three-to-six-week check.
Zero-knowledge design plus ISO 27001 conformance is a strong buying package. The toughest protection questions get clear answers. Org controls are on record. For privacy tool deals in regulated markets, this pair produces faster approvals. Providers who must build their case from scratch in each review face longer waits and higher deal loss rates.
The Buying Calculus
For enterprise buyers, the vendor review is not red tape. It is real risk management. The questions target providers whose protection posture exposes the buyer to legal risk.
For vendors in regulated markets, the review is a cost center and a quality signal at once. Vendors who answer the hardest questions cleanly have fewer long sales cycles. Those who struggle with key management face longer reviews and higher deal loss rates.
The protection edge of zero-knowledge design is measurable. The questions that filter out server-side-key providers are the same ones that zero-knowledge vendors answer cleanly in the first submission. That is not a marketing claim. It is a real, measurable buying outcome with a paper trail.
Learn more in the FAQ hub and explore how entity de-identification works end to end.