One breach can cost your company millions. In 2025, the average data breach cost was $4.8M. But most companies never ask their SaaS vendors about security until after they're locked in.
This 18-point security audit checklist covers the essential questions every finance, security, and ops team should ask before signing a SaaS contract. It's organized by risk area: data protection, compliance, access control, incident response, and vendor stability.
Use this framework to evaluate new tools, audit existing vendors, and build a security-first SaaS stack.
What to ask: "Is all data encrypted while in transit to/from your servers? What TLS version do you use?"
Why it matters: Without encryption in transit, anyone on your network can intercept login credentials or sensitive data. TLS 1.2+ is the minimum standard.
Red flags: Vendor says "we use encryption" but can't specify TLS version. No HTTPS on all endpoints. Allows unencrypted connections.
Risk if missing: HIGH — Man-in-the-middle attacks possible.
What to ask: "Is data encrypted when stored in your database? Who manages encryption keys?"
Why it matters: If your vendor is hacked and someone gains database access, they shouldn't be able to read customer data. Encryption at rest protects against this.
Real-world example: Ring (Amazon) exposed video data in plaintext when hackers compromised employee credentials. Encrypted data would have been unreadable.
Red flags: Vendor doesn't encrypt data at rest. Encryption keys are managed by vendor only (you have no access). No option for customer-managed keys (CMK).
Risk if missing: HIGH — Breach exposes all sensitive data.
What to ask: "Can I manage my own encryption keys? Can you delete your copy of my data if I request it?"
Why it matters: If the vendor controls encryption keys, they can always decrypt your data (legally or otherwise). CMK gives you control. If the vendor is breached, the attacker can't read your encrypted data.
Enterprise standard: AWS KMS, Azure Key Vault, Google Cloud KMS integration.
Red flags: Vendor says "we'll never offer CMK — you don't need it." Vendor can't explain key rotation policies.
Risk if missing: MEDIUM — Tolerable if other controls are strong. Critical for regulated data (HIPAA, PCI-DSS).
What to ask: "When I delete data, is it permanently erased from all servers and backups? How long do backups persist?"
Why it matters: Many vendors keep deleted data in backups for years. GDPR requires permanent deletion upon request. If your ex-employee's data is still accessible, compliance risk increases.
Example scenario: You fire an employee and request their data be deleted. The vendor keeps backups for 2 years. If the vendor is breached in that window, the ex-employee's data is compromised.
Red flags: Vendor keeps all backups indefinitely. Can't verify when backups are deleted. Doesn't have a data deletion process documented.
Risk if missing: HIGH — GDPR/CCPA non-compliance; data breach exposure extends years past deletion.
What to ask: "Where is my data physically stored? Can I choose the region? Where are backups replicated?"
Why it matters: Some regulations require data to stay in specific countries (EU data must stay in the EU under GDPR). If your vendor replicates data globally without consent, you violate regulations.
Example: Slack stores EU customer data in the US by default. Complying with GDPR requires a separate EU Workspace.
Red flags: Vendor can't tell you where data is stored. Automatically replicates data globally. No option for single-region deployment.
Risk if missing: HIGH — GDPR, provincial privacy law violations.
What to ask: "Do you have SOC 2 Type II certification? Can you share a redacted copy of the report?"
Why it matters: SOC 2 Type II is audited by third parties and verifies security controls around: access, change management, incident response, and uptime. It's the minimum standard for enterprise SaaS.
Key difference:
Red flags: Vendor has no SOC 2. Only has Type I (not Type II). SOC 2 report is older than 2 years (controls change frequently).
Risk if missing: MEDIUM — Shows vendor doesn't invest in security. Acceptable only for small, low-risk tools.
What to ask: "Are you HIPAA-compliant? Can you sign a BAA (Business Associate Agreement)?"
Why it matters: Depends on your industry:
Real-world consequence: If you process HIPAA-protected health information through a non-compliant vendor, you face fines of $100-$50,000 per violation plus mandatory breach notification.
Red flags: Vendor hasn't heard of HIPAA. Won't sign BAA. Says "compliance is not our responsibility."
Risk if missing: HIGH — Regulatory fines, breach liability, customer lawsuits.
What to ask: "Do you have ISO 27001 certification?"
Why it matters: ISO 27001 is a global security standard covering information security management across the entire company (not just SaaS controls). Enterprise vendors typically have this.
Difference from SOC 2:
Red flags: Vendor has neither SOC 2 nor ISO 27001. Certification is older than 3 years.
Risk if missing: LOW — Nice-to-have but less critical than SOC 2 for US vendors.
What to ask: "Do you have a security.txt file or published vulnerability disclosure policy? Do you run a bug bounty program?"
Why it matters: Vendors with formal disclosure policies catch security bugs faster. Bug bounty programs incentivize researchers to report bugs responsibly instead of selling exploits on the dark web.
Example: Companies like GitHub, Stripe, HubSpot run bug bounties. Researchers are paid $500-$10,000 to report bugs. This is far cheaper than a breach.
Red flags: Vendor has no way to report security vulnerabilities. Says "don't hack us or we'll prosecute."
Risk if missing: MEDIUM — Zero-day vulnerabilities may go unfixed longer.
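A quick way to verify the first half of this question during vendor review is to fetch the vendor's /.well-known/security.txt and check it against the RFC 9116 basics (a Contact field, exactly one unexpired Expires field). The checker below is an added example, not code from the original article or from any vendor; the sample file and the vendor.example URLs are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of a /.well-known/security.txt in RFC 9116 format (not a real vendor's file).
SAMPLE = """# Vendor security contact
Contact: mailto:security@vendor.example
Contact: https://vendor.example/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://vendor.example/security/disclosure-policy
Canonical: https://vendor.example/.well-known/security.txt
"""

REQUIRED = ("contact", "expires")   # RFC 9116 mandatory fields


def _iso(value):
    """Parse an RFC 9116 / ISO 8601 timestamp such as 2026-12-31T23:59:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(text):
    """Return {field: [values]} with field names lowercased; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # RFC 9116 only defines "name: value" lines
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file meets the RFC 9116 basics."""
    now = _iso(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            if _iso(expires[0]) <= now:
                problems.append("security.txt has expired")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    if "policy" not in fields:            # optional in the RFC, but the checklist asks for it
        problems.append("no Policy link: disclosure terms are not published")
    return problems
```

An expired or missing file means the contact route may be unmonitored, which is the same red flag as having no way to report at all.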
What to ask: "Can I enforce MFA on all user accounts? Can I require MFA for admin access?"
Why it matters: MFA stops 99% of account takeovers. If a hacker steals your password, they can't log in without the second factor (phone, authenticator app, security key).
Real-world impact: Microsoft reported 99.9% of account compromise attacks succeed using passwords only. With MFA, successful attacks drop to near-zero.
Red flags: Vendor doesn't offer MFA. MFA is "optional." Can't enforce MFA company-wide.
Risk if missing: HIGH — Account takeover risk increases 100x.
What to ask: "Do you support SAML 2.0 SSO? Can I manage user provisioning through our identity provider?"
Why it matters: SSO lets you manage all user access from one place (Okta, Azure AD, Google Workspace). You can instantly disable access when someone leaves without manually removing them from 20+ tools.
Provisioning automation: When you add a user to Okta, they're automatically added to the SaaS tool. When they leave, automatic deprovisioning removes them everywhere.
Enterprise requirement: Any vendor selling to mid-market+ must support SAML.
Red flags: Vendor doesn't support SSO. Only supports LDAP (outdated). No SCIM provisioning (manual user management).
Risk if missing: HIGH — Can't centrally manage user access. Ex-employees retain access longer.
What to ask: "Can I create custom roles with granular permissions? Can I restrict access by department or project?"
Why it matters: Not everyone needs admin access. If a contractor's account is compromised, you want to limit what they can access. With RBAC, you can give restricted permissions.
Example: Accountant role can view invoices but not delete them. Intern role can only view published documents, not drafts. Approver role can approve expenses up to $5,000.
Red flags: Vendor only offers Admin vs. User roles (no granularity). Can't prevent users from accessing other departments' data.
Risk if missing: MEDIUM — Insider threat risk; data exposure from compromised low-privilege accounts.
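To make the granularity asked for here concrete, the following added example (not code from the original article or from any vendor) encodes the three roles described above, including the $5,000 approval limit and a department boundary, as a small policy and evaluates requests against it. Role and resource names are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str              # "invoice", "document", "expense"
    department: str
    published: bool = True  # documents only: drafts are unpublished
    amount: float = 0.0     # expenses only


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


ANY = lambda r: True

# Role -> {action: condition}. A condition receives the resource and returns True if allowed.
# Actions absent from a role are denied, so "accountant" can view invoices but never delete them.
ROLES = {
    "accountant": {"invoice.view": ANY},
    "intern":     {"document.view": lambda r: r.published},          # drafts stay hidden
    "approver":   {"expense.view": ANY,
                   "expense.approve": lambda r: r.amount <= 5000},   # hard approval limit
    "admin":      {"*": ANY},
}


def authorize(user, action, resource):
    """Deny by default; only an explicit role grant whose condition holds allows the action."""
    perms = ROLES.get(user.role, {})
    # Department boundary applies to every non-admin role (the "restrict by department" item).
    if user.role != "admin" and user.department != resource.department:
        return False
    if not action.startswith(resource.kind + "."):
        return False                      # action must match the resource type it names
    cond = perms.get(action) or perms.get("*")
    return bool(cond and cond(resource))
```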
What to ask: "Can I export detailed audit logs of all user activity? How long are logs retained?"
Why it matters: When a breach happens, audit logs answer: Who accessed what? When? From where? Logs are often the only evidence of insider threats or compromised accounts.
What to look for in logs: Login timestamps + IP addresses, file downloads/deletions, permission changes, API calls, export activity.
Retention minimum: At least 90 days. Enterprise standard: 1-2 years.
Red flags: Vendor doesn't provide detailed logs. Logs are deleted after 30 days. Can't export logs.
Risk if missing: HIGH — Can't detect insider threats; no evidence for breach investigations.
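Once a vendor can export logs, the value comes from actually reviewing them for the signals listed above. The following added example (not code from the original article or from any vendor's product) runs three such checks over a constructed JSON Lines export: a login from an IP address the user has never used, a burst of downloads or exports, and a grant of the admin role, and it also measures how far back the export reaches against the checklist's 90-day floor. The field names are assumptions; real vendor exports differ.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a vendor audit-log export (JSON Lines); not a real product's format.
SAMPLE_LOG = """
{"ts": "2025-01-02T08:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10"}
{"ts": "2025-03-20T09:00:00Z", "user": "alice", "event": "login", "ip": "203.0.113.10"}
{"ts": "2025-04-01T23:10:00Z", "user": "alice", "event": "login", "ip": "198.51.100.7"}
{"ts": "2025-04-01T23:11:00Z", "user": "alice", "event": "file.download", "ip": "198.51.100.7"}
{"ts": "2025-04-01T23:12:00Z", "user": "alice", "event": "file.download", "ip": "198.51.100.7"}
{"ts": "2025-04-01T23:13:00Z", "user": "alice", "event": "file.download", "ip": "198.51.100.7"}
{"ts": "2025-04-01T23:14:00Z", "user": "alice", "event": "export", "ip": "198.51.100.7"}
{"ts": "2025-04-02T10:00:00Z", "user": "bob", "event": "permission.change", "ip": "203.0.113.11", "target": "carol", "role": "admin"}
"""

BURST_COUNT = 3                  # downloads/exports by one user within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
MIN_RETENTION_DAYS = 90          # the checklist's retention minimum


def parse_log(text):
    """Parse JSON Lines into dicts with a timezone-aware datetime in 'ts', oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def review(events):
    """Return human-readable findings for the signals the checklist says to look for."""
    findings, seen_ips, recent = [], defaultdict(set), defaultdict(list)
    for e in events:
        user, kind = e["user"], e["event"]
        if kind == "login":
            if seen_ips[user] and e["ip"] not in seen_ips[user]:
                findings.append(f"new-ip login: {user} from {e['ip']}")
            seen_ips[user].add(e["ip"])
        elif kind in ("file.download", "export"):
            # Keep only this user's download/export timestamps inside the sliding window.
            window = [t for t in recent[user] if e["ts"] - t <= BURST_WINDOW] + [e["ts"]]
            recent[user] = window
            if len(window) == BURST_COUNT:          # report once when the threshold is hit
                findings.append(f"bulk export: {user} reached {BURST_COUNT} in {BURST_WINDOW}")
        elif kind == "permission.change" and e.get("role") == "admin":
            findings.append(f"admin grant: {user} made {e['target']} admin")
    return findings


def retention_days(events):
    """Span covered by the export; below MIN_RETENTION_DAYS the vendor fails the retention check."""
    return (events[-1]["ts"] - events[0]["ts"]).days
```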
What to ask: "If you discover a data breach, what's your incident response plan? What's your notification SLA?"
Why it matters: When a breach happens, time matters. Every day without notification increases exposure. Regulated companies must notify customers within 30-72 hours (GDPR: 72 hours; many US states: 30 days).
What to ask for:
Red flags: Vendor has no incident response plan. Says "we've never had a breach so we don't need one." No documented SLA.
Risk if missing: HIGH — Delayed breach notification violates regulations; limits your response time.
What to ask: "Can I (or a third-party auditor) conduct a security assessment of your systems?"
Why it matters: For high-risk vendors or sensitive data, you may want to audit their controls yourself. Penetration testing can find vulnerabilities before attackers do.
Typical scope: Code review, infrastructure assessment, penetration test of the application.
Who pays: Usually customer pays (can be $5,000-$50,000+). Some vendors include it in enterprise agreements.
Red flags: Vendor won't allow any audits. Says "trust us." Refuses penetration testing.
Risk if missing: MEDIUM — Acceptable if vendor has strong SOC 2 audit.
What to ask: "What third parties have access to my data? Do you audit your subprocessors?"
Why it matters: Your vendor might use AWS, Azure, payment processors, analytics tools, etc. Every subprocessor is a potential attack surface. In 2023, the MOVEit vulnerability affected customers of multiple SaaS platforms that used MOVEit.
What to ask for:
Red flags: Vendor can't list subprocessors. Uses unknown third parties without vetting. No contract terms with subprocessors.
Risk if missing: HIGH — Supply chain compromise (breach in vendor's vendor).
What to ask: "What happens to my data if your company shuts down? Can you provide a data export in a standard format?"
Why it matters: If your vendor goes bankrupt, can you still access your data? Some vendors destroy data when they shut down. Others allow export.
Real-world example: Sendible (social media tool) shut down in 2020 with minimal warning. Customers lost years of scheduling data.
What to ask for:
Red flags: Vendor says "data is ours, you can't export it." Early-stage startup with no revenue/runway. No disaster recovery plan.
Risk if missing: MEDIUM — Data loss if vendor fails.
What to ask: "How often do you release security patches? What's your patch SLA for critical vulnerabilities?"
Why it matters: When a security vulnerability is discovered, vendors must patch it quickly. A slow patch process leaves customers vulnerable for weeks.
What to ask for:
Examples of slow patching: Log4Shell (2021) took some vendors weeks to patch. Many customers were exploited in that window.
Red flags: Vendor patches on irregular schedule. No security advisory list. Can't explain their patch process.
Risk if missing: HIGH — The longer the window between a patch's release and its deployment, the higher the breach risk.
Use this table to score your vendors. Total points out of 18:
| Score Range | Risk Assessment | Recommendation |
|---|---|---|
| 16-18 items | LOW RISK | Enterprise-grade tool. Safe for sensitive data. Consider for regulated workflows (HIPAA, PCI, GDPR). |
| 12-15 items | LOW-MEDIUM RISK | Good for most teams. May need additional controls for sensitive data (encrypt before uploading, separate approval process). |
| 8-11 items | MEDIUM RISK | Use for non-sensitive data only. No PII, no financial data, no trade secrets. Strong internal controls required. |
| 5-7 items | MEDIUM-HIGH RISK | High-risk. Only use if no alternative exists. Implement compensating controls (isolated account, access restrictions, air-gap from sensitive systems). |
| < 5 items | HIGH RISK | Not recommended for production use. Consider alternatives or require substantial security upgrades. |
If you can only evaluate 3 items due to time constraints, prioritize:
If a vendor has ANY of these, do not sign the contract:
Scenario: Choosing between Airtable, Google Sheets, and Notion for a marketing calendar (non-sensitive data).
| Item | Google Sheets | Airtable | Notion |
|---|---|---|---|
| Encryption in Transit | ✓ | ✓ | ✓ |
| Encryption at Rest | ✓ | ✓ | ✓ |
| SOC 2 Type II | ✓ | ✓ | ✓ (since 2024) |
| GDPR/CCPA Compliant | ✓ | ✓ | ✓ |
| MFA Required | ✓ | ✓ | ✗ |
| SSO/SAML | ✓ | Airtable Pro+ | ✗ |
| Audit Logs | ✓ | Pro+ | ✓ (limited) |
| Data Export | ✓ | ✓ | ✓ |
| Score | 16/18 | 15/18 | 13/18 |
| Verdict | Enterprise-grade | Low-medium risk | Medium risk |
Decision: All three are acceptable. For a marketing calendar, Notion is fine despite its lower score (non-sensitive data). If you're storing customer lists or pricing data, Google Sheets or Airtable is preferred.
Scenario: Choosing a HIPAA-compliant patient communication tool.
Non-negotiables:
If a tool doesn't have all of these, don't use it. HIPAA violations cost $100-$50,000 per violation.
Use the checklist below to audit your top 5 SaaS tools this week: