GlobalSign Blog

25 Jul 2017

5 Security-Related Questions to Ask Your SaaS Provider

Every day, people come across Software as a Service (SaaS) providers promising ease, simplicity and cost savings. The cloud space is alive and well, but individuals and business owners should still be wary of the potential risks and serious management concerns that come with SaaS adoption.

Before even thinking of subscribing to any SaaS solution, think about the important questions you should ask your potential vendor.

How Do You Store Our Credit Card Information?

Some websites store encrypted credit card information in their own SQL databases, but you can never be sure how well those databases are protected, or how the keys that encrypt them are managed. To be safe, make sure that your SaaS provider does not store your credit card details on its own servers at all.

Ideally, the provider hands payment processing and card storage to a payment gateway or payment vendor, keeping at most a token that references your card. While no third party is 100% safe from attack, these payment companies have the security controls and infrastructure to handle card data, and keeping card numbers out of the provider's own systems also shrinks the portion of their environment that has to meet PCI requirements.

Are You PCI Compliant?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to make sure that companies that store, process or transmit cardholder data (for major debit, credit, prepaid, ATM cards and the like) maintain a baseline level of security.

Ask your provider whether they are PCI compliant, and ask to see their current Attestation of Compliance rather than taking the claim at face value. Aside from having a secure network for processing payments, any SaaS provider should also have physical access controls in place. Ask how employees go about accessing cardholder data.

Ensure that only authorized people have access to this information, and find out whether physical access is restricted for staff who do not handle customer or payment data. Contact centers, for instance, usually ban mobile phones on production floors to prevent leaks of sensitive data. Other similar environments have gone paperless to make it harder for employees to write down card details.

What Happens to Our Data When We Stop Using Your Service?

When you put your data into the hands of a SaaS company, you shouldn't have to worry about vendor lock-in. The terms of service should state explicitly that you remain the owner of the data you create and store on their servers. You should also be able to back up and export that data, so that if you decide to unsubscribe you still have easy access to what you own. Ask, too, how long the provider keeps your data after you leave, and whether it (including backups) is deleted at the end of that period.

Additionally, the export format should be non-proprietary, to avoid compatibility headaches if you move to a new provider.

Do You Offer Service Level Agreements (SLA)?

Buying a new car or a new phone usually comes with a warranty, and a contractor building a house is expected to work from an architect's blueprint. The same goes for SaaS: an SLA defines the service the provider commits to deliver and is supposed to spell out a remedy when the provider fails to meet that commitment.

Ask your cloud provider about service availability (e.g. 99.99% uptime), outage scenarios, disaster recovery measures, the process for reporting problems and the expected resolution time. Read the SLA carefully. Be clear about the provider's definition of uptime and downtime: which period availability is measured over (a calendar month is much stricter than a calendar year), whether scheduled maintenance is excluded from downtime, and whether the only remedy for a miss is a service credit. Dig into the technical details if necessary.
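As an added illustration (example code written for this page, not part of the original post; the outage windows and maintenance schedule in it are constructed, not taken from any real provider), the Python below measures availability against a 99.9% target and shows how the same outages pass or fail depending on two definitions worth pinning down in an SLA: the measurement period (calendar month versus calendar year) and whether announced maintenance windows are excluded from downtime.

```python
from datetime import datetime


def _overlap_seconds(a_start, a_end, b_start, b_end):
    """Seconds shared by the intervals [a_start, a_end) and [b_start, b_end)."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(0.0, (end - start).total_seconds())


def counted_downtime_seconds(period_start, period_end, outages, exclusions=()):
    """Downtime inside the measurement period, after removing any part of an
    outage that also falls in an exclusion window (e.g. announced maintenance).
    Exclusion windows are assumed not to overlap one another; if they did, the
    shared part would be subtracted twice."""
    down = 0.0
    for out_start, out_end in outages:
        # Clip the outage to the measurement period first.
        s = max(out_start, period_start)
        e = min(out_end, period_end)
        if e <= s:
            continue
        seconds = (e - s).total_seconds()
        for ex_start, ex_end in exclusions:
            seconds -= _overlap_seconds(s, e, ex_start, ex_end)
        down += max(0.0, seconds)
    return down


def availability(period_start, period_end, outages, exclusions=()):
    """Availability as a fraction in [0, 1] over the given period."""
    total = (period_end - period_start).total_seconds()
    return 1.0 - counted_downtime_seconds(period_start, period_end, outages, exclusions) / total


def monthly_periods(year):
    """Yield (month_number, start, end) for each calendar month of the year."""
    for month in range(1, 13):
        start = datetime(year, month, 1)
        end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
        yield month, start, end


def months_missing_target(year, target, outages, exclusions=()):
    """Month numbers in which availability fell below the target fraction."""
    return [m for m, s, e in monthly_periods(year)
            if availability(s, e, outages, exclusions) < target]


def yearly_availability(year, outages, exclusions=()):
    return availability(datetime(year, 1, 1), datetime(year + 1, 1, 1), outages, exclusions)


# Constructed sample data (hypothetical, not from any real provider).
OUTAGES = [
    (datetime(2017, 3, 14, 2, 0), datetime(2017, 3, 14, 3, 30)),   # 90 min, inside announced maintenance
    (datetime(2017, 6, 20, 10, 0), datetime(2017, 6, 20, 11, 0)),  # 60 min, unplanned
    (datetime(2017, 9, 5, 8, 0), datetime(2017, 9, 5, 8, 20)),     # 20 min, unplanned
]
SCHEDULED_MAINTENANCE = [
    (datetime(2017, 3, 14, 2, 0), datetime(2017, 3, 14, 4, 0)),
]

if __name__ == "__main__":
    target = 0.999  # 99.9%: about 43 minutes per 30-day month, about 8.8 hours per year
    print(f"Yearly availability, maintenance excluded: "
          f"{yearly_availability(2017, OUTAGES, SCHEDULED_MAINTENANCE):.5%}")
    print("Months below 99.9%, maintenance excluded:",
          months_missing_target(2017, target, OUTAGES, SCHEDULED_MAINTENANCE))
    print("Months below 99.9%, maintenance counted: ",
          months_missing_target(2017, target, OUTAGES))
```

With these inputs the provider meets 99.9% for the year however downtime is defined, but misses it in June when measured monthly, and misses it in March as well if maintenance is not excluded. That is exactly the gap the SLA wording decides, so read the definitions before the percentage.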

Have You Ever Had a Security Breach?

Ask your potential SaaS provider for a detailed history of security breaches at the company. The answer will also tell you how they correct such incidents and how they make sure they are not repeated, which is a good indicator of the kind of security they have in place. Ask as well how, and how quickly, they will notify you if your data is affected by a future breach, and get that commitment in writing.

Physical security also matters, even though it often gets overlooked. Ask your provider whether policies are in place to prevent someone from copying data from the servers that hold your data onto a USB stick and walking away unnoticed.

While the cloud is an extremely viable option for businesses of all sizes these days, customers must still ask the crucial questions needed to ensure that the chosen SaaS provider can meet their requirements. After all, you're still the customer, and you want to be sure that your data is safeguarded and kept under your control.

About the Author

Klaris Chua is a digital content marketer who has written many pieces on startups and small business communications. She used to be a reporter for a business newspaper but the conventional path of a writer didn't appeal to her. You can connect with her on Twitter.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.
