Signing a SaaS contract is a security decision as much as a commercial one. You're agreeing to store data, process transactions, or run critical workflows on infrastructure you don't control. The security assessment is your only opportunity to understand the risk before it's your problem.
This guide is for enterprise buyers, procurement teams, and IT/security leaders evaluating SaaS vendors.
Why vendor security assessment matters
Your organisation's security posture is only as strong as your weakest vendor integration. High-profile breaches in recent years have repeatedly traced to third-party vendor access — supply chain attacks, shared credential exposure, and data leakage through vendor APIs.
When you give a SaaS vendor access to your data, your network, or your users' information, you're extending your security perimeter to include their security posture. Assess it before you sign.
Understanding security certifications
SOC 2 Type I vs. Type II
- Type I: A point-in-time assessment. An auditor reviewed the controls that exist at a single date. This is the easier certification to obtain and the less meaningful one.
- Type II: A period-of-time assessment. An auditor reviewed that controls were operating effectively over 6–12 months. This is the meaningful certification.
When reviewing a SOC 2 report:
- Note the audit period — a report from 18 months ago may not reflect current controls
- Read the "exceptions" section — listed exceptions are controls the auditor found were not operating as described
- Note the scope — which systems and services are in scope? If the critical service you're using isn't in scope, the certification is less relevant
ISO 27001
ISO 27001 is an international information security management standard. It's more process-focused than SOC 2 — it certifies that the vendor has an information security management system (ISMS) in place and follows it.
- Check the certificate's validity date and the certification body
- ISO 27001 doesn't specify what controls must exist — it specifies that the vendor has defined and follows their own controls
- More meaningful in international contexts; SOC 2 is more recognised in US procurement
PCI-DSS, HIPAA, GDPR certifications
- PCI-DSS: If the vendor handles credit card data, PCI-DSS compliance is required. Ask for their SAQ (Self-Assessment Questionnaire) or ROC (Report on Compliance).
- HIPAA: There is no official HIPAA certification — a vendor claiming "HIPAA certified" is marketing language. What matters is a signed Business Associate Agreement (BAA) and evidence of technical safeguards.
- GDPR: No certification required, but compliance is required if processing EU personal data. Ask for their Data Processing Agreement (DPA) and their privacy policy.
Security questionnaire approach
Industry-standard questionnaires
Rather than sending custom questionnaires (which vendors will answer inconsistently or not at all), request completion of:
- CAIQ (Consensus Assessments Initiative Questionnaire): Cloud Security Alliance standard, covers cloud security controls
- SIG (Standardized Information Gathering): Shared Assessments program questionnaire
- VSA (Vendor Security Alliance questionnaire): Popular in enterprise procurement
Many mature vendors have pre-completed these — request the most recent version.
Key areas to probe
If using a custom questionnaire, prioritise these areas:
Data handling:
- Where is data stored? (Cloud region, country)
- Is data encrypted at rest and in transit? What encryption standards?
- Who (at the vendor) has access to customer data?
- Is customer data ever used for product improvement, ML training, or benchmarking? (This is a common practice that often surprises customers)
Access control:
- How is employee access to customer data managed?
- Is there MFA on all employee accounts?
- What is the offboarding process when an employee leaves?
- How is privileged access (production database access, admin accounts) managed?
Vulnerability management:
- How often is penetration testing conducted? By whom? Can you share the most recent summary?
- How is vulnerability disclosure handled? Do they have a responsible disclosure programme?
- What is the patch timeline for critical CVEs?
Incident response:
- What is the incident response process?
- How and when will customers be notified of a breach?
- What is the breach notification SLA in the contract?
Business continuity:
- What is the RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
- When was the last DR test? What was the result?
- What is the uptime SLA, and what are the consequences of missing it?
Data residency and sovereignty
Data residency is increasingly important for enterprise buyers subject to regulations (GDPR, India's DPDP Act, RBI data localisation requirements for financial data).
Questions to ask:
- In which countries/regions is data stored?
- In which countries/regions may data be processed (not just stored)?
- Can data move to a different jurisdiction without notification?
- Are there subprocessors (sub-vendors) in jurisdictions you haven't approved?
Contract language to require:
- Explicit list of approved jurisdictions
- Requirement for vendor to notify and obtain consent before adding new jurisdictions
- Right to object to subprocessor additions in restricted data categories
Sub-vendor and supply chain risk
Your vendor's security is only as strong as their vendors' security. Assess:
- Who are the critical subprocessors? (Cloud infrastructure provider, authentication provider, CDN, support tooling)
- Do subprocessors have appropriate security certifications?
- If a subprocessor has a breach, how does the vendor's incident response cover that?
The GDPR requires data controllers to know and approve all subprocessors. Even outside GDPR, knowing the vendor's supply chain is good practice.
The security review of the product itself
For SaaS products with significant integration depth (API access to your systems, SSO, data sync), conduct a technical security review:
Authentication and access
- How are API credentials managed? (Keys, OAuth tokens)
- What is the key rotation policy?
- How does the vendor's product authenticate to your systems?
Integration security
- If the vendor connects to your systems via API, what is the minimum permission scope required?
- Can they operate with read-only access where write access isn't needed?
- How are integration credentials stored on the vendor's side?
Data in transit
- Are all API endpoints HTTPS-only?
- What TLS version is supported? (TLS 1.0 and 1.1 are deprecated)
- Is there a certificate pinning option for sensitive integrations?
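As an added example that is not from the original article, a Python probe that attempts a handshake pinned to each TLS version in turn and flags any deprecated version the endpoint still negotiates; the hostname is a placeholder to replace with the vendor's API host.

```python
"""Added example (not from the original article): probe which TLS versions a
vendor API endpoint will negotiate. The hostname below is a placeholder."""
import socket
import ssl

# The article treats TLS 1.0 and 1.1 as deprecated; 1.2 and 1.3 are acceptable.
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
PROBE_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def handshake(host: str, port: int, version: ssl.TLSVersion) -> bool:
    """Try one handshake pinned to exactly `version`; True if it completes."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Refused handshake, version unsupported by the local OpenSSL build,
        # or a network error: all count as "not negotiated".
        return False


def probe(host: str, port: int = 443, handshake_fn=handshake) -> dict:
    """Map each probed version name to whether the endpoint accepted it.
    `handshake_fn` is injectable so the logic can be exercised offline."""
    return {v.name: handshake_fn(host, port, v) for v in PROBE_VERSIONS}


def findings(results: dict) -> dict:
    """Review findings: deprecated versions still accepted, and whether any
    modern version is offered at all."""
    deprecated_accepted = sorted(v.name for v in DEPRECATED if results.get(v.name))
    modern_available = any(results.get(v.name) for v in PROBE_VERSIONS
                           if v not in DEPRECATED)
    return {"deprecated_accepted": deprecated_accepted,
            "modern_available": modern_available}


if __name__ == "__main__":
    host = "api.vendor.example"  # placeholder: replace with the vendor's API host
    results = probe(host)
    print(results)
    print(findings(results))
```

A non-empty `deprecated_accepted` list is a finding to raise with the vendor; an endpoint that answers only on deprecated versions fails the data-in-transit check outright.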
Contract protections
Data Processing Agreement (DPA)
Required for GDPR compliance, good practice universally:
- Specifies purpose limitation — what the vendor can do with your data
- Lists approved subprocessors
- Specifies retention and deletion obligations
- Establishes breach notification requirements
Breach notification SLA
GDPR requires 72-hour notification to authorities; your contract should specify when the vendor must notify you. 72 hours is a reasonable standard.
Data return and deletion on termination
Upon contract termination:
- The vendor must return your data in a usable format (not a proprietary export)
- The vendor must delete your data within a specified period (30–90 days is typical)
- You should receive written confirmation of deletion
Audit rights
Enterprise contracts should include the right to audit the vendor's security controls, or request third-party audit results, annually.
Liability for breach
Standard vendor contracts heavily limit liability. Negotiate:
- Increased liability caps for data breaches involving your data
- Direct rather than indirect damage coverage for breach scenarios
- Representation and warranty provisions around security
Vendor tiers and risk-proportionate assessment
Not every vendor warrants the same depth of assessment. Tier your vendors:
| Tier | Criteria | Assessment depth |
| --- | --- | --- |
| Critical | Stores PII, financial data, or has production system access | Full assessment, SOC 2 review, contract negotiation |
| Significant | Integration with internal systems, no PII | SOC 2 review, key questionnaire areas, DPA |
| Standard | Business productivity tools, no data integration | Certification check, DPA if GDPR-relevant |
| Low-risk | No data access, no integration | Basic review |
Evaluating a SaaS vendor for an enterprise deployment and need help with the security assessment? Contact us — we conduct vendor security evaluations covering technical controls, certification review, and contract terms for enterprise procurement decisions.