9 Security Questions To Ask Your SaaS Provider - Software as a service

9 critical questions to ask SaaS vendors

Security risks are growing with the development of more advanced technologies and the Internet of Things (IoT), enabling constant connectivity.

As a business owner, you regularly implement software-as-a-service (SaaS) solutions into your company’s processes for greater productivity and reduced stress. However, like all organisations, SaaS services are not immune to cyber threats. 

Before purchasing their products, here are 9 questions you must ask all software vendors about their data security.


What security questions should you ask your SaaS vendors?

1. How do you store personal information?

Depending on the organisation’s size, SaaS providers like Microsoft store customer information in their own data centres accessible via the cloud. While it can be easy to assume that data stored in these types of infrastructure are secure, it is not always the case.

Before handing over your personal information (or that of your employees) to SaaS providers, you must ask the other party how they will store, manage, or use your data.

2. How do you store information generated by customers?

Adopting a SaaS product means becoming a partner with an external company. From cloud computing software to customer relationship management (CRM), you and your staff will be using the other party’s program(s) to streamline your operations, collect sensitive data, and form relationships with your customers.

Have the vendor explain how they will manage your customers’ data. For example:

  • Do they use data encryption?
  • What are their policies surrounding the usage of third-party information?
  • Do customers have a say in what you and the SaaS provider can and cannot do with their information?
  • Where do they store information?

Keeping your customer’s well-being in mind is necessary to ensure optimal data protection and a respectable reputation.

3. Do you work with external parties to deliver your products?

Smaller SaaS providers will likely work with independent cloud vendors for hosting or delivery purposes. This is an indicator of the company’s operations. It should alert you to the possibility that your data is moved and stored beyond the reach of the SaaS organisation.

You should enquire about external parties that have stakes in the SaaS provider’s business. This can cover additional vendors and their role in the product’s development. At the same time, ask about their security controls and strategies to safeguard data and promote cyber security best practises. 

4. What is your history with cyber threats?

23% of UK-based organisations lost between 10,000 pounds and 49,000 pounds due to security breaches in 2021. While there is a chance the vendor may not have experienced a company-shattering disaster, it is worth checking that the SaaS organisation has dealt with cyber-attacks in the past.

You can ask about specific incidents and how they dealt with them. If they experienced issues and solved them quickly, that signifies a responsible company.

5. Do you have a cyber security strategy in place?

Hackers can invade systems in various ways, and all companies must have comprehensive strategies to prepare for, identify, address, and recover from potential disasters.

As a company dealing with software and technology, SaaS vendors’ security plans should leverage the latest practises and tools to protect themselves and their customers. 

You can learn more about a vendor’s cyber security measures with the following questions:

  • Who audits your systems?
  • How do you maintain the strength of your networks? For example, do you conduct penetration tests or have undertaken cyber security awareness training?
  • How old is your IT infrastructure?
  • How often do you upgrade your systems?
  • Do you have a disaster recovery plan?

6. Are you certified in cyber security?

Cyber security certifications formally recognise an individual’s accomplishments and knowledge pertaining to safe digital practises and the management of data. A SaaS provider should be well-versed in cyber security and be willing to share their certifications as proof.

Cyber security certifications include:

  • ISO 27001
  • The UK GDPR (General Data Protection Regulation)
  • The EU GDPR
  • CISSP (Certified Information Systems Security Professional)
  • And more

7. Has your product been tested for security?

Verifying a product’s security ensures that it follows all relevant laws and regulations, is safe, and does not expose its users to legal or reputational risk.

Ask the vendor about the tests they conducted before releasing their product. You can ask for a copy of the test report to confirm the vendor’s claims. If the vendor has not conducted tests or is unwilling to share their findings, you should not do business with them.

8. Does your product support 2FA or MFA?

2FA (2-factor authentication) and MFA (multi-factor authentication) provide products with an additional security layer, requiring users to prove their identity with evidence as they log into a program. It helps to reduce the chances of unauthorised users accessing systems.

Ask the vendor about their SaaS product’s security measures. If they incorporated solutions such as MFA and 2FA into their program, it shows that they take security seriously and created a product with the end-user in mind.

9. What real-world security measures do you have in place?

Business and cyber security conversations typically focus on digital solutions and network safety plans. This is only a fraction of what organisations must do to protect their data and services.

You should ask the SaaS company about their physical security measures, such as in-house security teams, location of servers, etc. The safety of a SaaS company’s physical infrastructure is just as important as the security of its products.

Have cyber security specialists vet your SaaS vendors

Asking your SaaS vendors the essential questions is important. You want to ensure you are partnering with a trustworthy company with transparent policies and a high standard of ethics.

The digital security experts at NetworkIQ specialise in assessing SaaS products and their companies. Talk to the team today to adopt the most secure solutions, protect your data, and prepare for digital transformations.


Read our latest blogs

Leave a comment

Your email address will not be published. Required fields are marked *