Consumer privacy laws and their implications for companies are a hot topic. Companies are constantly being targeted by malicious actors, and when cyber breaches occur, the repercussions are far-reaching.
Cloud-based systems raise concerns about information security due to the large volumes of customer, personal, and sensitive data they store, and their vulnerability to data breaches and other security threats.
Therefore, to prove they are viable and stable, and instil trust in consumers, SaaS companies must comply with a set of security laws. When working with SaaS companies, it’s advised to put a process in place for auditing them for security and privacy compliance.
Why privacy and security are important for SaaS
Security and privacy matter in SaaS now more than ever. Below are a few reasons:
Adhering to security protocols is a regulatory requirement
The bottom line is that security and privacy measures exist for a reason – so that a company’s software deployment, security management, and data management are safe for consumers and protect their information.
Security breaches cause costly downtime
SaaS applications must be available anytime, anywhere, on any device, meaning they require 100% uptime. Security attacks cause downtimes and crashes, which is an unaffordable cost. Gartner’s 2014 report found that downtime costs a company an average of $5,600 per minute, while a study conducted two years later by Ponemon Institute estimated that the cost rose to $9,000 per minute. According to a 2019-2020 survey conducted by Statista, 25% of respondents reported an hour of server downtime costs their business an astonishing $300,000 to $400,000.
It will help your business grow
With security threats rife in SaaS, and high-profile security attacks dominating the news cycle, businesses and their customers are rightfully worried about their data. When a business can prove they have completed all the required regulatory security tests and audits and have had their security management and policies deemed up-to-date and compliant, it can provide a significant competitive edge when building relationships with existing and prospective customers.
Brand reputation depends on it
It’s a bad look for companies to fall victim to a security breach. In most cases, it will clear out their sales pipeline for some time and in extreme cases could cause irreparable damage to a company’s reputation. In fact, a 2021 report found that 65% of SaaS buyers say concerns about data privacy and security are factored into their tech purchase decisions. This percentage increased to 73% for enterprise organizations with 1,000+ employees.
Security matters not just for your clients, but for your clients' clients
In B2B SaaS, there can’t be a weak link in the chain. Prospective customers may want to know who you do business with and what their credentials are, because it concerns them too.
What to look for when evaluating SaaS vendors
Not too long ago, the question around privacy and security compliance was like an honesty box; a business could say they were compliant, and a customer would take their word for it. Today, the stakes are much higher. Part of getting buy-in from CTOs and other executive decision makers is providing them with a company’s security documentation and certifications.
To make the vendor vetting and buying process easier, we’ve created a SaaS security checklist that includes the security standards to measure companies against. The checklist features certifications to look for and compliance frameworks to meet, as well as other security considerations (e.g. two-factor authentication and permissions) and mandatory staff training.
Compliance frameworks to meet
SOC 2
System and Organization Controls (SOC) 2 is a framework for managing customer data, developed by the American Institute of Certified Public Accountants (AICPA). It is based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Security: The protection against security breaches that could lead to unauthorized system access.
Availability: The accessibility of the system, ensuring employees and clients can complete their work.
Processing integrity: The assurance that the systems operate as intended.
Confidentiality: The protection of confidential information by limiting its access, use, and storage.
Privacy: Safeguarding sensitive personal information against unauthorized users.
During a SOC 2 audit, independent auditors assess the controls the company itself has designed to meet the Trust Services Criteria, and attest to whether they are in place (and, for a Type II report, operating effectively over the review period).
While SOC 2 compliance isn’t a legal requirement for SaaS and cloud-based organizations, it demonstrates a strong security posture. If you want that extra level of assurance that a company is securing your data, look for compliance with this framework.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to improve the efficiency of the US healthcare system by standardizing best practices for maintaining the security and privacy of healthcare data.
For SaaS businesses, HIPAA compliance means adhering to the administrative, technical, and physical safeguards of the HIPAA Security Rule. If you build an application that collects personally identifiable data about an individual that may later be shared with a medical professional, or you are a service provider whose clients create, receive, store, or transmit Protected Health Information through your services, you are subject to HIPAA compliance.
GDPR
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the EU and the European Economic Area. It requires companies to have robust processes in place for handling and storing personal information to afford consumers a higher level of control regarding their personal information.
GDPR compliance is essential for SaaS businesses, and they must ensure their data subjects give explicit consent before collecting or processing any of their data.
CCPA
The California Consumer Privacy Act (CCPA) is legislation enacted to give consumers more control over the personal information that businesses collect about them in order to combat incidents of data breaches and better manage privacy concerns.
CCPA applies to businesses that have gross revenue of $25+ million, collect data for at least 50,000 California residents, or derive at least 50% of annual revenue from the sale of personal information.
ISO 27001:2022
ISO 27001 is a part of a set of international standards on information security within the ISO/IEC 27001 series. The ISO framework is a combination of processes and policies that helps organizations protect their information through the adoption of an Information Security Management System (ISMS).
ISO 27001 is a data security credential for businesses that control and process data, and applies to all businesses to ensure they manage risks effectively, regularly, and measurably. It is a foundational building block for SaaS companies who want to be recognized by international security standards.
US Privacy Shield Framework
The EU-US Privacy Shield Framework was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. It will soon be replaced with the Trans-Atlantic Data Privacy Framework, which will provide safe and secure data flows between the EU and the US.
Ortto is compliant with the General Data Protection Regulation (GDPR) (visit our GDPR compliance page here), the California Consumer Privacy Act (CCPA), System and Organization Controls (SOC 2), and the Health Insurance Portability and Accountability Act (HIPAA), as well as meeting the EU-US Privacy Shield framework.
Other positive signals to look for
As well as proof of compliance with the above security standards, you should look for other positive signals of a company’s trustworthiness, including:
Two-factor authentication, SSO, permissions, and audit logs
Usernames and passwords are the main targets of cybercriminals, so it's advised to understand how a company approaches logins and permissions, both in the product and internally.
Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data (e.g. a password and a code generated by Google Authenticator). It mitigates the risks associated with compromised passwords – for example, when passwords are cracked or phished – because the password alone is not enough for an attacker to gain access. 2FA is therefore essential to web security.
Also noteworthy is Single Sign-On (SSO), which combines several different application login screens into one, so users log in once each day with a single set of credentials. This reduces the risk of attacks, as users no longer need a separate password for each application – passwords which, in practice, are often variations of the same one.
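To make the "password alone is not enough" point concrete, here is an added example (not Ortto's code, and not taken from this page) of a server-side login check that requires both factors: a salted, slow password hash and a time-based one-time code (TOTP, RFC 6238, the scheme Google Authenticator uses). The user record, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 reference seed so the generated codes can be checked against the RFC's test vectors. It also handles two edge cases a real deployment must get right: accepting one time step of clock drift either side, and refusing to accept the same code twice.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real credentials). The TOTP secret is the
# RFC 6238 reference seed, so the codes it produces match the RFC's vectors.
TOTP_SECRET = b"12345678901234567890"
_SALT = b"constructed-salt-not-for-production"
_PASSWORD = b"correct horse battery staple"


def hash_password(password: bytes, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


# Constructed user record of the kind an application keeps server-side.
USER = {
    "salt": _SALT,
    "pw_hash": hash_password(_PASSWORD, _SALT),
    "totp_secret": TOTP_SECRET,
    "last_counter": -1,  # highest TOTP time step already accepted (replay guard)
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def match_totp(user: dict, code: str, unix_time: int, step: int = 30, window: int = 1):
    """Return the time step the code matches, or None.

    Accepts the current step or one step either side (clock drift), but never a
    step at or below the last accepted one, so a captured code cannot be replayed.
    The record is not modified here; the caller commits only on a full success.
    """
    if not (isinstance(code, str) and code.isascii()):
        return None  # compare_digest on str requires ASCII input
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            return candidate
    return None


def login(user: dict, password: bytes, code: str, unix_time: int) -> bool:
    """Both factors must pass; the password alone never grants access.

    Both checks always run, so response timing does not reveal which factor
    failed, and the one-time code is only consumed when the whole login succeeds.
    """
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = match_totp(user, code, unix_time)
    if not (pw_ok and matched is not None):
        return False
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: the reference 6-digit code for this seed is 287082
    print("code:", totp(TOTP_SECRET, t))
    print("login with both factors:", login(USER, _PASSWORD, totp(TOTP_SECRET, t), t))
    print("same code again (replay):", login(USER, _PASSWORD, totp(TOTP_SECRET, t), t))
```

The replay guard is what turns a "something you have" factor into a real one: without `last_counter`, a code phished in the same 30-second window would still be accepted once the password is known. A production system would store the user record and `last_counter` durably, and would rate-limit failed attempts so that the six-digit space cannot be brute-forced.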
In Ortto, you can choose to enforce either 2FA or SSO or both. For more information on how to configure these privacy and security settings in your account, visit our help documentation page here.
You should also consider who in the company will have permission to view and manage your data. In Ortto, we’ve built in tools to help you manage security and data privacy, such as 2FA and user roles, meaning you have control over who will have permission to view and manage your – and your customers’ – data.
Mandatory staff training
Security training is a big component of employee onboarding, but not all security training is created equal. Ortto employees are required to complete training from KnowBe4 – the world’s largest integrated platform for security awareness training with simulated phishing attacks. Our team also undergoes regular security training and we regularly audit and test our breach and disaster recovery programs.
Reviews from other users
A good way to measure the trustworthiness of a brand is to check third-party review sites like Product Hunt and G2 Crowd. If there’s anything to worry about regarding a company’s security practices, it’ll surely be noted there.
Clear language around security/privacy, and easy access to documentation
Is the company forthcoming when it comes to security compliance? Are they willing to share documentation on request? Better yet, do they have a page on their website where you can find out more? If a company has invested time and resources in privacy and security, they won’t hesitate to share documentation.
Information on security and privacy settings in help docs and set-up docs
Does the company have help/set-up documentation easily accessible that provides adequate information on security and privacy settings and answers FAQs?
What to ask your sales rep
So, you’ve checked a vendor’s credentials and are satisfied that they can prove compliance with various regulations. Now it’s time to continue the conversation with the company’s sales rep to get an even greater understanding of their approach to privacy and security.
Below are some questions to ask:
Do you host or store your data locally?
In Ortto, all customer data is hosted in the United States by default. However, at signup, Ortto customers can elect to have their data hosted in a location that may be more relevant: for example, in Australia or in the European Union. For more information on data storage, visit our help documentation.
Do you comply with the Privacy Act?
Ortto complies with the Australian Privacy Act and also meets APRA requirements for institutions across banking, insurance, and superannuation.
Do you undergo regular penetration testing?
Ortto undergoes penetration testing every six months. Reports are available on request.
Do you have a bug bounty program?
Ortto has a bug bounty program. If you would like to participate in our bug bounty program please read our Responsible disclosure policy and submit any security vulnerabilities here. Our up-to-date policies and bounty rates are listed here.
What support do you offer? Are there dedicated customer success managers?
Ortto’s stellar customer support team is on hand 24 hours a day, six days a week to address any support queries customers have. In fact, we were awarded the ‘Best Support for Mid Market’ badge in G2’s Winter 2023 Reports.
Describe how your organization decides who does and does not have access to sensitive data
In Ortto, only senior developers and support staff can access the product and customer data, and only when a customer has requested help with a support issue; every such access is recorded in an audit trail.
What technology/platforms/languages/stacks/components are utilized in the scope of the application?
Ortto uses AWS, Go, JavaScript, and React.
Do you keep sensitive data in hard copy?
Ortto keeps no hard copies.
Do you have an internal password policy?
Ortto uses Google SSO and follows its policy.
Do you have complexity or length requirements for passwords?
Our team follows best-practice passwords according to Google’s password policy. See all best practices here: Google Workspace Help.
Final word
In today’s world, the importance of security and privacy cannot be overstated. When comparing SaaS vendors, be sure to rigorously vet their security protocols to ensure your data – and your customers’ data – are protected from threats.
Ortto is designed to exceed modern security and privacy standards. Book a demo or speak to sales today.
Author: Ellie Wiseman