If you have recently looked at the compliance sections of the major cloud software vendors' websites, you have probably noticed that they have put a lot of effort into creating content full of acronyms like GDPR, ISO, SOC and so on, some of them accompanied by a number as well. All of this aims to convince you that their infrastructure is secure and can be trusted, that they meet specific standards, and so forth.
These abbreviations do not all carry the same weight: some refer to international standards the vendor complies with, while others are specific to an industry sector. And at a glance, you cannot tell a certification received after an extensive audit from one claimed with no external review.
The following tips will help you get a better idea of all those certifications appearing on vendor sites, and particularly of those that may affect your SaaS purchasing decisions.
Cloud software vendors who receive certifications following an external audit usually announce this on their sites. Those certifications may differ per country. For example, in the USA a common compliance certification received after an audit of internal controls is the System and Organization Controls (SOC) one. It is issued by the American Institute of Certified Public Accountants (AICPA) and comes in SOC 1, SOC 2 and SOC 3 versions.
SOC 2 Type II is the one relevant for cloud software vendors. It is issued after verifying both that the SaaS vendor has established internal controls for security, privacy and processing integrity and that those controls are actually operating. So, if you are looking to purchase SaaS in the US, check whether your SaaS vendor has obtained this certification.
Some of the most widely used global security standards are those of ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission). These standards define requirements for the security of the SaaS vendor's information processing systems. The different ISO/IEC certifications cover different compliance areas; the certificates are usually published on a web page and state the issuance and expiration date of the certification. Hence, make sure to verify that the certification has not expired.
Specific areas of business may require compliance with more specific certifications. For example, if you are looking for a SaaS solution for processing credit cards, it is important that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS). If you are a government entity, make sure that your cloud software vendors comply with the regulations required for processing data of government organizations.
As pointed out above, always give priority to certifications obtained after an audit over those claimed with no external review.
Specific SaaS vendor compliance regulations may require specific actions on the customer's side, such as signing a formal agreement with the vendor, adjusting security or compliance settings, and others.
For example, if you are buying a SaaS solution from a cloud vendor in the healthcare sector and this vendor claims Health Insurance Portability and Accountability Act (HIPAA) compliance, you would need to sign a business associate agreement with the vendor on behalf of your company. Microsoft Office suite customers sign similar agreements with the vendor, but they are also required to complete specific actions themselves, in addition to those required of their system administrator.
Purchasing from a GDPR-compliant vendor requires you, as a customer, to ensure that you meet specific system requirements and to take your own actions regarding data privacy and security. Schools and educational organizations using G Suite for Education (a cloud tool compliant with the Children's Online Privacy Protection Act) for students younger than 13 years old are required to adjust settings and obtain parental consent before use.
By reviewing the certifications and regulatory compliance, you get a better idea of the scale, industry and so on of the customers this SaaS vendor is targeting. But don't expect SaaS vendor compliance and certifications to guarantee a completely secure, bug-free experience. They only mean that the vendor has invested effort in setting up documented and well-controlled security and privacy procedures, and may be better prepared to fix issues quickly, if and when they arise, than organizations that have not set up such practices and processes.