Every business owner should go into a vendor partnership with a clear understanding of the details. When considering a potential software as a service (SaaS) vendor, what’s one security question that should always be asked?
Young Entrepreneur Council (YEC) is an invite-only organization comprised of the world’s most successful young entrepreneurs. YEC members represent nearly every industry, generate billions of dollars in revenue each year and have created tens of thousands of jobs.
1. Where Is Our Credit Card Data Stored?
Get a guarantee that your provider won’t store your credit card details on its own server. In a best-case scenario, a provider will use a payment gateway or vendor’s server for processing and maintaining all of your information. Though no measure is cyberattack proof, most of these third-party vendors have the appropriate security and infrastructure in place to handle your sensitive data. – Blair Thomas, eMerchantBroker
2. Do You Use Two-Factor Authentication?
By now, most mission-critical systems offer two-step verification. In addition to logging in with a password, a code will be sent to your mobile phone, which you‘ll also need to enter to confirm that you are really you. This additional layer prevents someone who may have access to your password from also logging into vital technical systems and causing damage. – David Ciccarelli, Voices.com
3. What’s Your Action Plan for a Worst-Case Scenario?
When evaluating a SaaS partner, ask them what the worst-case scenario is that they can foresee. It might be a data breach, a service outage or something else, depending on the software. Then, ask how they would deal with that worst case. Ask detailed questions, and make sure you‘re comfortable with the action plan laid out. – Brittany Hodak, The Superfan Company
4. Is Data Encrypted at Rest?
Data should be encrypted in transit and at rest. Secure sockets layer (SSL) encryption for data in transit is nearly ubiquitous, but many vendors don’t encrypt data at rest on storage devices. If their network is breached, that data is vulnerable. Ask potential vendors if the data is encrypted, how it is encrypted and who has access to the keys. – Vik Patel, Future Hosting
5. Are You GDPR Compliant?
The recent EU General Data Protection Regulation sowed much confusion among online businesses worldwide, but one positive side effect is that it forced reputable SaaS vendors to reevaluate their security measures and the ways that they safeguard and use sensitive data. If a vendor has detailed policies related to GDPR, it’s a good indication that they take compliance seriously and have recently reviewed and improved their practices. – Thomas Smale, FE International
6. Can I Speak With Previous Clients?
The best way to know if you’ve got a good SaaS vendor is to check out the deliverables to previous clients. If they’re satisfied, then that is a good indication that you’re on the right track. If that customer is dissatisfied, then run the other way and save yourself the time, money and disappointment. – Chris Quiocho, Offland Media
7. Are There Any Additional Fees?
Many vendors will provide a flat fee for their services, but there are always some contingencies that you might not foresee that may require additional fees. It’s best to get all of this information up front so that you can forecast your expenses better. – Patrick Barnhill, Specialist ID Inc.
8. How Often Do You Upgrade the Application?
While app upgrades are common and important for getting new features, it’s good to know the frequency of the upgrades. Will it be once a year or once a month? Find out how previous upgrades have gone from customers’ experiences to see if they impacted the use of the application. – Syed Balkhi, WPBeginner
9. How Many People See Our Data?
As a general rule, I’ve found that the most secure services and partners minimize the number of people who interact with or are exposed to the data. I ask this question to prospective SaaS vendors because I want to avoid having too many links in the chain. This has been the best way I’ve found so far to keep my data, and my customers’ data, secure. – Bryce Welker, Crush The PM Exam
10. Will You Export My Data If I Switch Providers?
You want to make sure that you own the data you‘re putting into the platform you‘re using. The last thing you want is to be held hostage by a SaaS provider when you leave them. Eventually, you may find another solution and want to move with your data. – Joe Apfelbaum, Ajax Union
11. What Happens to Data When It’s Deleted From Your App?
Some companies store data indefinitely on their servers, while other companies erase the data once you delete it on your end. If privacy is a concern to you, find out whether they delete the data on their servers and how often. – Jared Atchison, WPForms
12. What Are Your API Policies?
When considering a new SaaS vendor to help accelerate your business, the biggest vulnerability is the application programming interface, where their system connects to yours. First, understand any costs involved in implementing APIs. Next, verify that all API calls are both authenticated through a key or open authorization (OAuth) and encrypted by 128-bit or greater. The answers will tell you much about how the vendor values security. – Daniel Reilly, B2X Global
13. Has Your Security Ever Been Compromised?
Ask about breaches that the vendor has experienced to get insight into its security levels. This also gives you the means to find out what the vendor did to rectify it, as well as the measures it has taken to prevent similar events from taking place again. While cloud safety matters, don’t overlook physical security. Ask how easy it is to simply copy data onto a USB drive without drawing attention. – Derek Robinson, Top Notch Dezigns