by ziddoap 2554 days ago
>We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.

>These questionnaires are time consuming and redundant.

This is how data breaches happen. You should be willing to jump through a few, usually reasonable, hoops if you're storing medical and financial data.

Instead of looking for a quick-fix that will "suffice", you may consider actually securing the sensitive data you hold on other people.

Edit: After a little googling, I'm genuinely concerned about the product you are offering, at a firm of your size, with no compliance. Yikes from me.

1 comment

Well, our conclusion is to work on security for a week and then submit. I didn’t say anything about not having security/compliance, rather about completing another security questionnaire.

You may not have specifically said it, but it is certainly clear from the way you are speaking about security as an annoying burden.

Just, for example, your comment "Work on security for a week and then submit". What does that even mean? Security is a going concern, not a one-and-done. What do you expect to accomplish in a week?

You mentioned you have no 3rd party pentest, nor SOC compliance. Regardless of whether they are required by law, not having a rudimentary pentest (which are fairly inexpensive) speaks volumes about your company's posture on security.

I hope you let the people that are trusting you with their extremely private medical and financial data know that you are tired of answering security questionnaires, and aren't too concerned about having a 3rd party validate your security.