BlogEngineering
October 13, 2025

How we built the Questionnaire Automation Browser Extension

Written by
Austin Hsu
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

Many of our customers ran into an issue where they’d receive questionnaires via third-party vendor portals and would need to import them into the Vanta app. Since these portals lacked spreadsheet export, their only option was to manually copy and paste questions into a spreadsheet before uploading it to Vanta. 

Vanta's Questionnaire Automation system initially supported structured spreadsheet formats, but with this example we saw that our customers required support for embedded portals, custom HTML forms, and arbitrary web interfaces. To solve this, we built a browser extension that could extract form data from any web page, process it through our existing answering pipeline, and inject responses back into the original interface.

Initial technical requirements

Building an extension that could integrate with Vanta's existing infrastructure meant making some tough architectural decisions upfront. We had to solve three fundamental problems:

How does an extension even work? Chrome extensions don't work like normal web apps. They operate in multiple isolated contexts—content scripts, background scripts, and UI panels—each with different capabilities and restrictions. Understanding how these pieces talk to each other was our first challenge.

How do we connect the extension to Vanta? We already had a robust API infrastructure with OAuth 2.0 authentication, but extensions can't just make normal API calls from anywhere. We needed to figure out which parts of the extension could talk to our servers and how to maintain user sessions securely.

How do we build and ship this thing? Extensions have their own build and deployment process through the Chrome Web Store. We needed tooling that would work with our existing development workflow and let us ship updates reliably.

Architecture overview

The extension has three main components:

  • Content script: Interacts directly with webpages to grab form data
  • Side panel: The UI for suggested answers and user interaction
  • Background script: Handles secure communication with Vanta’s backend APIs and data syncing

Chrome's security model enforces this separation for good reason. Content scripts can read and modify web pages but can't make external API calls. Background scripts can talk to external services but can't touch the page content. The side panel handles user interactions but is isolated from both.

This constraint forced us to think carefully about data flow. When a user wants to extract questions from a page, the request flows from the side panel to the content script (which reads the page), then to the background script (which calls our API), and back. Each handoff requires explicit message passing, but the clear boundaries make the system much more testable and secure.

Development tooling: Vite + CRXJS

We chose Vite and CRXJS specifically because it fulfilled our requirements around hot module reloading and clean bundling. Extensions have multiple entry points—content scripts, background scripts, side panels, and we needed a build system that could handle all of them elegantly.

One roadblock along the way was getting HMR working in our GitHub Codespaces development environment. Extensions reload differently than normal web apps, and the remote development setup added another layer of complexity. We eventually got it working, but it took some creative configuration around port forwarding.

The permission dilemma

Another difficult decision was figuring out what permissions to ask for. Extensions are powerful, but every permission you request makes users more hesitant to install. We had to balance functionality with trust.

After careful consideration, we settled on just three permissions:

sidePanel - This lets us create the main UI where users interact with the extension. We considered using a popup instead, but side panels stay open while users work on forms, which is much more practical.

storage - We need this to remember user preferences and cache data between sessions. We could have asked for more powerful storage permissions, but the basic storage API covers our needs.

identity - This handles OAuth authentication with Vanta's backend. Extensions can't do normal OAuth redirects, so Chrome's identity API opens auth flows in a temporary window and passes the tokens back securely.

Shipping safely

One of the scariest parts of building an extension was figuring out how to ship it. We started with a terrifying manual process: zip up the code, upload to the Chrome Web Store, and hope nothing breaks. This didn't scale and made everyone nervous about releases.

Now we have a proper CI/CD pipeline that builds the extension, runs our tests, and publishes to the store automatically. Most importantly, we built in manual approval gates so no code ships without human review. The automation gives us confidence that releases will work, the approval process ensures we're being thoughtful about what we ship, and we get a complete audit trail of who approved what and when.

Key learnings

Building this extension taught us some important lessons that go beyond just browser development:

  • Start with your most constrained users. Enterprise customers with locked-down Chrome policies forced us to think differently about permissions and architecture. Designing for them first made our solution better for everyone.
  • Constraints drive creativity. Chrome's security model initially felt limiting, but it pushed us toward a cleaner, more maintainable architecture. The enforced separation between different parts of the extension made our code more testable and secure.
  • User trust is earned through transparency. Every permission we asked for had to be justified. This constraint forced us to be more thoughtful about our feature decisions and ultimately led to a better user experience.
  • Automate the scary stuff. Manual deployments to the Chrome Web Store were nerve-wracking. Building proper automation and approval processes made shipping feel routine instead of risky.

The Questionnaire Automation browser extension is now live on the Chrome Web Store, helping our customers automate security reviews across more formats than ever before. What started as a technical challenge—extending our spreadsheet automation to arbitrary web forms—became a lesson in building within constraints and making difficult architectural decisions pay off.

If solving tricky real-world engineering challenges like this sounds exciting, we're hiring! Check out our open roles at Vanta.

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

Table of contents

No titles!

Share this article

Share this article

Related Resources

Engineering
Blog

3 GraphQL pitfalls and how we avoid them

Vanta's engineering team shares what they've learned from their initial implementation of GraphQL back in 2017 and how GraphQL ended up being the perfect tool for the team.

Engineering
Blog

Unlocking AI innovation with quality hill climbing

Our engineering organization organized a hands-on AI activity centered on evaluating and iterating prompts.

Engineering
Blog

How Claude + MCP + Vanta could help auditors

At Vanta, we’re always looking to experiment, learn, and stay at the forefront of AI. Recently, we built a proof of concept to explore how auditors could interact more effectively with audits and the data within them.

Engineering
Blog

The evolution of quality at Vanta

Learn how we elevated our engineering practices to meet growing customer demand and expand into new markets.

Related Resources

Engineering
Blog
How we fixed a session race condition at Vanta

Learn how the team diagnosed performance challenges and improved authentication reliability for seamless client access.

Meet the Vanta MCP Server
Engineering
Blog
Built for the agentic era: Meet the Vanta MCP Server

We’re excited to announce that the Vanta MCP Server in now available via public preview—the first step towards bringing trust management into the emerging Model Context Protocol (MCP) ecosystem.

Engineering
Blog
How we navigated database limits with a growing product

Discover how Vanta rethought its data strategy after nearing MongoDB Atlas storage limits—reducing storage by 30% and building a scalable infrastructure to support rapid product growth.

Engineering
Blog
Unlocking AI innovation with quality hill climbing

Our engineering organization organized a hands-on AI activity centered on evaluating and iterating prompts.

Engineering
Blog
How we standardized error handling at Vanta

In early 2024, our error handling strategy led to vague frontend errors that impacted product quality. Learn how we tackled it.

Engineering
Blog
Seven lessons after seven months in Vanta Engineering

See what it's like stepping into a new role on a fast-moving engineering team at Vanta. Learn key lessons on leadership, impact, and effectiveness.

Engineering
Blog
How Claude + MCP + Vanta could help auditors

At Vanta, we’re always looking to experiment, learn, and stay at the forefront of AI. Recently, we built a proof of concept to explore how auditors could interact more effectively with audits and the data within them.

Engineering
Blog
Speeding up the slowest page in the Vanta app by 7x

Learn how we optimized our app, speeding up our slowest page by 7x to deliver a smoother, more efficient user experience.

Engineering
Blog
The evolution of quality at Vanta

Learn how we elevated our engineering practices to meet growing customer demand and expand into new markets.

Engineering
Blog
Building a smarter retrieval system: Lessons from Vanta AI

Discover how Vanta built and optimized a high-scale AI retrieval system to power critical business decisions.

How to de-risk patching third party software packages
Engineering
Blog
How to de-risk patching third party software packages

Patching a package can be risky. Here are some tips and tricks to make patching a package less risky.

The logo for terraform on a black background.
Engineering
Blog
Engineering at Vanta: How we imported our AWS environment into Terraform

Find out how we resolved a host of issues by importing our AWS environment into Terraform.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products