SaaS Security Review Portal RequestPath Security

Customer help

Help & FAQ

Use this page as a customer-facing guide to the portal's review workflow, decision language, local storage model, installation notes, and common support questions.

Getting started

Set up the portal

  1. Install SaaS Security Review Portal on a Windows workstation approved for this use.
  2. Choose a data folder if your organization wants review records stored outside the default app location.
  3. Review Admin Settings for branding, required approvers, decision triggers, evidence expectations, and editable questionnaire options.
  4. Create a new SaaS review or export a requester questionnaire for intake.

Workflow

How a review moves through the app

1. Start with the business request

Capture the SaaS product, provider, requestor, business owner, technical owner, change ticket, purpose, request type, and urgency.

2. Complete security discovery

Document data types, accidental CUI concern, repositories, Security Protection Data, AI behavior, permissions, controls, evidence, FedRAMP status, and CMMC scope impact.

3. Record reviewer decisions

Use the Reviewer view to save the decision, notes, scope, prohibited use, required controls, approvers, evidence documents, and reassessment date.

4. Export records

Use Approval Record for the selected review and SaaS Register for the review list. Treat exported PDFs, JSON, and questionnaires as sensitive records.

Decision meanings

How to read recommendations

Approved - Non-CUI Only

The SaaS may be acceptable for the documented non-CUI use case, subject to the recorded scope, reviewed evidence, and prohibited-use language.

Approved - CUI Authorized

Restricted federal data is in scope and the review rules found the required authorization path, without a blocking expert-review trigger.

Conditional Approval

The request may be acceptable after listed controls, evidence, restrictions, or reviewer requirements are completed. It should not be treated as final until conditions are resolved.

Cybersecurity Expert Review Required

The request includes triggers such as broad tenant permissions, repository integrations, Security Protection Data, AI indexing or retention risk, equivalency claims, or CMMC scope impact.

Denied

The request conflicts with a strict rule, such as restricted federal data without an acceptable authorization path or an AI/data-use condition that cannot be controlled.

Data storage

Where records are saved

The portal saves review data, settings, audit entries, and questionnaire tracking locally. Evidence documents added to a review are copied as normal files into the selected portal data folder.

The app uses operating-system-backed protected storage when available. Organizations should still protect the Windows profile and data folder with normal workstation controls, backups, endpoint security, disk encryption, and access controls.

Do not store CUI, CDI, export-controlled data, credentials, secrets, or sensitive personal data unless your organization has approved this app and storage method for that use.

Install notes

Using the free local desktop app

  1. Install the Windows desktop app.
  2. Open the portal and create a new review, import a questionnaire, or adjust Admin Settings.
  3. Start using the local review workflow after installation.
  4. If Windows shows a reputation warning, verify that the installer came from the expected source and compare the published SHA256 hash.

For support, use the contact form on the home page or email support@requestpathsecurity.com.

FAQ

Common questions

Does the portal certify a SaaS product?

No. It creates an internal decision-support record. It does not certify a product, establish compliance, or replace cybersecurity, legal, privacy, contract, CMMC, NIST, FAR, DFARS, or FedRAMP review.

Can we customize the review options?

Yes. Admin Settings controls request types, data actions, data types, repositories, FedRAMP choices, service categories, scope categories, controls, permissions, evidence, AI flags, branding, approvers, and review timing.

What should we attach as evidence?

Evidence may include security reports, privacy terms, subprocessor lists, data processing terms, retention and deletion details, AI/data-use statements, authorization information, and other records your organization requires for review.

Is the audit log tamper-proof?

No. The local audit log helps with accountability inside the app, but it is not a tamper-proof or centrally controlled audit system.

Can we use it without an internet connection?

Yes. The desktop workflow is local. Normal workstation, storage, export, email, and backup behavior still depends on your environment and policies.

Is this app free to use?

Yes. Version 1.0.0 is free to use as a local desktop decision-support tool.

Need help?

Send a support or implementation question.

Open support form Email support