# Security Vendor Due Diligence Checklist for SaaS Buyers

This checklist is practical buyer guidance, not legal, regulatory, or security advice. Use it to decide what to ask, and what evidence to collect, before approving a new SaaS vendor. Let the most sensitive data category the vendor will handle set how much of the checklist you require.

## 1. Company and product basics

- Vendor name, product, and owner inside your business
- Data categories processed: customer data, employee data, payment data, source code, credentials, telemetry, support tickets
- User groups needing access
- Criticality if the service is unavailable
- Countries or regions where data is stored or processed

## 2. Evidence to request

- Current SOC 2 Type II report, ISO 27001 certificate (with its Statement of Applicability), or equivalent assurance report if relevant; check that the scope covers the product you are buying, and ask for a bridge letter if the audit period ended more than a few months ago
- Penetration test summary or executive letter, dated, stating the scope tested and the remediation status of findings
- Security whitepaper or trust center documentation
- Data processing agreement and subprocessors list
- Incident response summary and breach notification terms
- Business continuity and disaster recovery summary

## 3. Access and identity

- SSO support (SAML or OIDC) and which plans include it
- MFA support for admins and end users, including phishing-resistant options such as FIDO2/WebAuthn for admin accounts
- Role-based access controls
- SCIM or automated user provisioning if needed
- Audit logs: what is logged (at minimum authentication events and admin actions), retention period, and export options
- Admin separation and least-privilege controls

## 4. Data protection

- Encryption in transit (TLS 1.2 or later) and at rest, and who controls the keys
- Customer-managed key options if required
- Backup frequency and restore process
- Data retention and deletion process, including deletion from backups and written confirmation of deletion at contract end
- Export options if you leave the vendor
- AI/model training position if the product includes AI features: whether your data is used to train or fine-tune models, and whether you can opt out

## 5. Operational risk

- Uptime history and status page
- Support response targets
- Subprocessor change notification process
- Known dependencies on major cloud providers or third-party APIs
- Change management process for major security-impacting releases

## 6. Decision outcome

Use a simple outcome so procurement does not stall forever.

- **Approve:** Evidence is sufficient for the data and risk level.
- **Approve with conditions:** Proceed only with controls such as enforced SSO, restricting which data categories go to the vendor, or contract clauses.
- **Escalate:** Security, legal, or leadership review required.
- **Reject:** Risk is too high or vendor cannot provide basic evidence.

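One way to keep these outcomes consistent across reviewers is to encode the checklist answers and the decision rules in a small triage script. The following is an added example, not part of the original checklist; the field names, the three sensitivity tiers, the 12-month evidence age limit, and the rule-to-outcome mapping are this example's own assumptions and should be tuned to your policy.

```python
"""Triage helper: turns checklist answers into one of the four outcomes above.
Added example; the tiers, field names and thresholds are assumptions, not policy."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Sensitivity tier per data category from section 1 (assumed tiers; higher is riskier).
DATA_TIERS = {
    "telemetry": 1,
    "support_tickets": 2,
    "employee_data": 2,
    "customer_data": 3,
    "payment_data": 3,
    "source_code": 3,
    "credentials": 3,
}

# The worst finding decides the outcome; order follows section 6.
SEVERITY = {"Approve": 0, "Approve with conditions": 1, "Escalate": 2, "Reject": 3}
MAX_EVIDENCE_AGE_MONTHS = 12  # policy assumption: older assurance or pentest evidence is stale


@dataclass
class VendorReview:
    """Answers collected with the checklist (field names are this example's own)."""
    data_categories: list
    assurance_period_end: Optional[date]   # SOC 2 Type II period end or ISO 27001 cert date
    pentest_date: Optional[date]
    sso_available_on_plan: bool
    mfa_for_admins: bool
    audit_log_export: bool
    dpa_signed: bool
    subprocessor_list_provided: bool


@dataclass
class Decision:
    outcome: str
    findings: list = field(default_factory=list)  # (severity label, reason) pairs


def highest_tier(categories):
    """Most sensitive category sets the review depth; unknown categories are an error."""
    unknown = sorted(set(categories) - DATA_TIERS.keys())
    if unknown:
        raise ValueError(f"unclassified data categories: {unknown}")
    return max((DATA_TIERS[c] for c in categories), default=1)


def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def stale(d, today):
    """Missing evidence counts as stale."""
    return d is None or months_between(d, today) > MAX_EVIDENCE_AGE_MONTHS


def decide(review, today):
    tier = highest_tier(review.data_categories)
    findings = []

    if tier >= 2:
        if review.assurance_period_end is None:
            findings.append(("Reject", "no SOC 2 Type II / ISO 27001 evidence for sensitive data"))
        elif stale(review.assurance_period_end, today):
            findings.append(("Escalate", "assurance report is stale; request a bridge letter"))
        if not review.mfa_for_admins:
            findings.append(("Reject" if tier == 3 else "Escalate", "no MFA for admin accounts"))
        if review.sso_available_on_plan:
            findings.append(("Approve with conditions", "enforce SSO for all users at rollout"))
        else:
            findings.append(("Escalate" if tier == 3 else "Approve with conditions",
                             "SSO not on the purchased plan: upgrade or restrict data"))
        if not review.dpa_signed or not review.subprocessor_list_provided:
            findings.append(("Approve with conditions",
                             "sign DPA and obtain subprocessor list before go-live"))
    if tier == 3:
        if stale(review.pentest_date, today):
            findings.append(("Escalate", "no penetration test evidence within the last 12 months"))
        if not review.audit_log_export:
            findings.append(("Approve with conditions", "audit log export required for SIEM ingestion"))

    outcome = max((f[0] for f in findings), key=SEVERITY.get, default="Approve")
    return Decision(outcome, findings)


if __name__ == "__main__":
    # Constructed sample: a code-hosting vendor with recent evidence and SSO on the plan.
    sample = VendorReview(["source_code", "employee_data"], date(2024, 12, 31), date(2025, 1, 15),
                          True, True, True, True, True)
    d = decide(sample, date(2025, 6, 1))
    print(d.outcome)
    for sev, reason in d.findings:
        print(f"  [{sev}] {reason}")
```

The rules are deliberately simple so the outcome is explainable in the procurement record: each finding carries the reason it was raised, and the final outcome is just the most severe finding. Extend `DATA_TIERS` and the rule blocks as your own policy dictates rather than adding numeric scoring, which tends to hide why a vendor was rejected.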