As previously discussed, software as a service (SaaS) solutions offer the allure of outsourcing IT for data storage. Being able to rely on someone else to protect you sounds great, but is it really? Losing control over your sensitive data requires serious due diligence on the third-party vendor. Caveat emptor: SaaS solutions can expose companies to unknown risks. Tips to avoid those risks are discussed below.

Trust:

Do you know what you agreed to when you clicked through to get access to your SaaS solution? People do not always read the terms and conditions thoroughly, and they trust what vendors tell them without verifying its accuracy. Even those who do read them often still lack a good understanding of the ins and outs of the solution and its security protocols. Do you fully understand the encryption protocols employed by your vendor and whether they meet a high standard? SaaS providers should provide you with a privacy notice or policy about their methods and tools. They also should have a disaster recovery policy, which hopefully provides some guarantee that there will be no loss of sensitive data. Moreover, foreign and federal laws have specific requirements about where sensitive data is stored, but most SaaS providers do not share that information with their customers. Do you know where your data is, and where it will be?

Access:

By sharing your company’s information with a third-party vendor, you can expose your data to access by unauthorized or unintended third parties. This is particularly concerning with sensitive data that could be either grounds for litigation or a competitive risk. No one enjoys reading terms and conditions, but you have to read them to avoid an unpleasant surprise when you realize the implications of the level of access and authorizations you have agreed to.

Transparency:

When you engage a SaaS service provider, do you have a complete understanding of the vendor’s entire security protocol? Many companies do not, because providers are often secretive and salespeople are especially confident about calling their product “best in class”. You do not want to speculate about the service you are paying for, and you should be comfortable asking about the details of their security protocol. If you do not have this information, you may not be getting a “best in class” service, and your company may be at risk of data compromise, among other issues.

The bottom line is, there is no substitute for genuine due diligence on your vendors and finding the right solution for your business.  Ask vendors about their security protocols, encryption tools, disaster plans and recovery methods, and how they keep up with the ever-evolving security standards and legal requirements.