SaaS Tool Security Checklist

Why SaaS Security Evaluation Matters

When you adopt a SaaS tool, you are trusting that vendor with your data. Customer information, internal communications, financial data; depending on the tool, you may be exposing your most sensitive information.

A security breach at any vendor in your stack can become your breach. Your customers will not care that the leak happened at a third party; they trusted you with their data. Thorough vendor security evaluation protects your customers, your reputation, and your business.

Compliance and Certifications

SOC 2

SOC 2 (Service Organization Control 2) is the baseline certification for SaaS security. It validates that a vendor has implemented appropriate controls for security, availability, processing integrity, confidentiality, and privacy.

Request the SOC 2 Type II report, not just Type I. Type II audits controls over a period of time (typically 12 months), while Type I only assesses controls at a point in time. Type II provides much stronger assurance.

ISO 27001

ISO 27001 is an international security standard demonstrating a comprehensive information security management system. It is particularly important for vendors serving international customers or handling sensitive data.

Industry-Specific Compliance

Depending on your industry, you may need vendors who meet specific compliance requirements:

• HIPAA: Required for healthcare data handling
• PCI DSS: Required for payment card data
• GDPR: Required for EU personal data
• SOX: Relevant for financial reporting systems
• FedRAMP: Required for US government agencies

Data Security Checklist

Encryption

• Is data encrypted in transit? (TLS 1.2 or higher)
• Is data encrypted at rest? (AES-256 or equivalent)
• Who controls encryption keys? (Vendor or customer option?)
• Is end-to-end encryption available for sensitive data?

Data Residency

• Where is data stored geographically?
• Can you specify data residency requirements?
• Does data cross international borders?
• Are there data transfer agreements (SCCs) for international transfers?

Data Handling

• What is the data retention policy?
• How is data deleted when you terminate service?
• Can you export your data? In what formats?
• Does the vendor use your data for their own purposes?

Access Control Checklist

Authentication

• Is SSO (Single Sign-On) supported? Which providers?
• Is multi-factor authentication (MFA) available?
• Can MFA be enforced for all users?
• What password policies are available?

Authorization

• Are role-based access controls available?
• Can you create custom roles?
• Is there audit logging of access and actions?
• Can you restrict access by IP address or location?

Admin Controls

• How are admin accounts protected?
• Can you have multiple admin accounts with different permissions?
• Is there separation between billing admin and system admin?
• How are admin sessions managed and timed out?

Infrastructure Security Checklist

Hosting Environment

• Where is the application hosted? (AWS, GCP, Azure, self-hosted)
• What is the uptime SLA?
• Is there geographic redundancy?
• What is the disaster recovery plan?

Network Security

• Are there regular penetration tests? Can you see results?
• Is there a bug bounty or vulnerability disclosure program?
• How are security incidents handled and communicated?
• What DDoS protection is in place?

Development Practices

• Is there a secure development lifecycle (SDLC)?
• Are code reviews conducted for security?
• How are dependencies managed and updated?
• Is there security training for developers?

Vendor Security Practices

Internal Security

• What background checks are conducted on employees?
• How is employee access to customer data managed?
• What security training do employees receive?
• How is access revoked when employees leave?

Subprocessors

• What third parties have access to your data?
• How are subprocessors vetted?
• Are you notified of subprocessor changes?
• Can you reject specific subprocessors?

Security Evaluation Process

Security Questionnaires

Standard security questionnaires provide a structured way to evaluate vendors. Common formats include SIG (Standardized Information Gathering), CAIQ (Consensus Assessments Initiative Questionnaire), and custom questionnaires based on your requirements.

Most enterprise vendors are accustomed to completing security questionnaires. Reluctance or inability to complete a questionnaire is a red flag.

Documentation Review

Request and review security documentation including SOC 2 reports, penetration test summaries, security policies, and incident response procedures. This documentation provides objective evidence of security practices.

Security Assessment

For high-risk vendors, consider conducting your own security assessment. This might include reviewing their security architecture, conducting interviews with their security team, or engaging a third party for security evaluation.

Sequenzy Security Posture

Sequenzy takes security seriously as an email marketing platform handling sensitive customer data:

• SOC 2 Type II: Annual certification with clean audit results
• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Control: SSO support, enforced MFA, role-based permissions
• Data Residency: Options for US and EU data storage
• Compliance: GDPR, CAN-SPAM, and CCPA compliant
• Audit Logs: Comprehensive logging of all user actions
• Security Testing: Regular penetration testing and bug bounty program

Security documentation including SOC 2 reports and security questionnaire responses are available to enterprise customers upon request.

Red Flags in Security Evaluation

• No SOC 2 certification for vendors handling sensitive data
• Unable or unwilling to complete security questionnaires
• No MFA or SSO support
• Vague answers about data handling and encryption
• No audit logging or access controls
• Poor response to security questions
• No incident response plan or security contact
• History of security incidents handled poorly

Ongoing Security Management

Security evaluation is not a one-time event. Establish processes for ongoing vendor security management:

• Regular review of vendor security posture (annually at minimum)
• Monitoring of vendor security announcements and incidents
• Contract provisions for security notification and audit rights
• Periodic review of access and permissions
• Exit planning in case security concerns emerge

Your SaaS tool stack evolves over time. Security evaluation must be continuous, not just during initial selection.