How to Evaluate SaaS Security Before Signing
The security questions most buyers skip are the ones that cause the most damage.
Ask for the SOC 2 Type II report, not Type I
SOC 2 Type I attests that controls exist at a point in time. Type II attests that controls operated effectively over a period — usually six to twelve months. Always request Type II. Ask for the full report, not a summary or a marketing badge. Read the auditor's opinion section and the exceptions list. A clean Type II from a reputable auditor is meaningful. If the vendor cannot produce a Type II report, ask for their timeline to achieve it and what interim controls exist.
Data residency and subprocessors
Where is your data stored, and who else has access to it? Every SaaS vendor uses subprocessors — cloud infrastructure providers, analytics platforms, support tools. Ask for the full subprocessor list. Evaluate whether any subprocessors are in jurisdictions that create compliance problems for your data. If you have GDPR obligations, confirm the vendor has appropriate Data Processing Agreements in place with each subprocessor. A vendor who cannot produce this list quickly has not thought carefully about their supply chain.
Incident response and breach notification
Ask directly: what was your last security incident, how did you respond, and what did you change as a result? A vendor who has never had an incident and has no answer to this question is either very new or not being honest. What you want to see is a thoughtful post-mortem and evidence of improvement. Also confirm the breach notification timeline in the contract — many jurisdictions require notification within 72 hours, and your contract should obligate the vendor to notify you in time for you to meet that obligation.
Access controls and offboarding
When an employee leaves your organization, how quickly can you revoke their access to the vendor's platform? Test this during your trial. Also evaluate whether the vendor supports SSO with your identity provider — SSO means that offboarding from your identity provider automatically revokes access to all connected tools. A tool that requires manual deprovisioning with a five-business-day SLA is a security gap waiting to happen.
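As an added example that is not part of the original article, here is a Python check you could run during the trial to verify the offboarding claim: it reconciles the vendor's user export against the identity provider's export, flagging accounts still enabled at the vendor whose owner is no longer active in the IdP, and departed users who still logged in after their IdP account was disabled. All names, field layouts and timestamps are constructed sample data, not any real vendor's export format.

```python
from datetime import datetime

# Constructed sample: active users exported from the identity provider (hypothetical).
IDP_ACTIVE = {"alice@example.com", "bob@example.com"}

# Constructed sample: when departed users were disabled in the identity provider.
IDP_DISABLED_AT = {
    "carol@example.com": datetime(2024, 4, 30, 17, 0),
    "dave@example.com": datetime(2024, 4, 19, 17, 0),
}

# Constructed sample: user export from the vendor's admin console.
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "last_login": "2024-05-02T09:14:00"},
    {"email": "bob@example.com", "status": "active", "last_login": "2024-05-01T16:40:00"},
    # carol left on 30 April; the IdP no longer lists her, but the vendor still does.
    {"email": "carol@example.com", "status": "active", "last_login": "2024-05-03T08:05:00"},
    # dave was deprovisioned correctly: suspended at the vendor, no login after disable.
    {"email": "dave@example.com", "status": "suspended", "last_login": "2024-04-19T12:00:00"},
]

def orphaned_accounts(saas_users, idp_active):
    """Accounts still enabled at the vendor whose owner is no longer active in the IdP."""
    return sorted(
        u["email"] for u in saas_users
        if u["status"] == "active" and u["email"] not in idp_active
    )

def logins_after_offboarding(saas_users, idp_disabled_at):
    """Departed users who logged in to the vendor after their IdP account was disabled.
    Maps email -> lag (timedelta) between the IdP disable time and the last login."""
    late = {}
    for u in saas_users:
        disabled = idp_disabled_at.get(u["email"])
        if disabled is None:
            continue
        last_login = datetime.fromisoformat(u["last_login"])
        if last_login > disabled:
            late[u["email"]] = last_login - disabled
    return late

def offboarding_findings(saas_users, idp_active, idp_disabled_at):
    """Human-readable findings for the trial report; an empty list means offboarding held."""
    findings = [f"orphaned account still active at vendor: {e}"
                for e in orphaned_accounts(saas_users, idp_active)]
    for email, lag in logins_after_offboarding(saas_users, idp_disabled_at).items():
        findings.append(f"{email} logged in {lag} after IdP disable")
    return findings
```

Run it against a real export after you disable a test user in your IdP; any finding means the vendor's deprovisioning path, whether SSO-driven or manual, did not take effect before the account could still be used.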
Penetration testing cadence
Ask when the vendor last ran a third-party penetration test and whether they will share the executive summary and remediation status. Annual penetration testing is the minimum for a vendor that holds sensitive data. If the most recent test is more than 18 months old and the vendor cannot explain why, treat that as a meaningful risk indicator. Also ask whether they run a bug bounty program — vendors who actively invite external security researchers tend to find and fix vulnerabilities faster.