Choosing the right SaaS (Software as a Service) provider is a crucial decision for any organization. When evaluating potential vendors, it's essential to have a clear understanding of their security measures, service level agreements, and other factors that may impact your business.
Here are some key questions to help guide your evaluation process.
How do they ensure data security?
Data security should be a top priority when selecting a SaaS provider. Investigate the provider's measures for protecting your data and your customer's personal information. Assess how it handles Personally Identifiable Information (PII) and ensure they use encryption for data transmission and storage to prevent unauthorized access. Additionally, inquire about their overall security approach, such as client-side feature flags and setting evaluations.
You can learn about ConfigCat's security framework here.
Do they conduct penetration testing?
Regular penetration testing is essential for identifying potential security vulnerabilities. Ensure the SaaS provider conducts these tests at least once a year, preferably through an independent third party.
ConfigCat's product lifecycle includes reviewing our code quarter and testing for possible vulnerabilities using SonarQube for Static Application Security Testing (SAST).
What is their security architecture?
Understanding how a SaaS provider ensures user data safety is critical. The SaaS solution should be designed in a way that user data doesn't leave your system, with the feature flag and setting evaluation occurring on the client-side within the provider's SDK.
Get to know ConfigCat's architectural overview.
What security audits and certifications do they have?
A reliable SaaS provider will have completed independent audits and obtained relevant certifications, such as SOC-2 and ISO 27001. These certifications demonstrate a commitment to maintaining high security standards and adhering to international best practices.
As of May 31, 2022, ConfigCat has been certified for ISO/IEC 27001:2013, a certification for Information Security Management System (ISMS).
What is included in their Service Level Agreement (SLA)?
An SLA is a crucial aspect of any SaaS partnership. Ensure that the SLA includes measurable objectives regarding performance, availability, and reliability, as well as tracking and reporting guidelines, liability limitations, and compensation details if targets are not met.
You can read all about ConfigCat's SLA here.
How do you handle service unavailability?
Even with an SLA in place, no service is guaranteed to be available 100% of the time. It's, therefore, essential to understand the potential impact of service unavailability on your business and customers. Evaluate the provider's fallback mechanisms and redundancy measures, such as multiple availability zones, CDN usage, load balancing, and local caching of the last known configuration.
ConfigCat provides data centers at several locations around the globe to ensure high availability, multi-layered load balancing, and fast response time for customers.
Can their solution support on-premises or internal applications?
If your organization uses internal or on-premises applications, ensure that the SaaS provider can accommodate your infrastructure. Discuss your specific requirements and ask about available options for managing or reducing outbound connections to the service.
Why should you choose their solution over building it in-house?
When evaluating a SaaS solution, it's natural to question whether building a similar system in-house would be more advantageous. However, weighing the potential costs, time, and resources required for such a project is important against the benefits of choosing a ready-made solution. Focus on building core aspects of your business that provide a competitive advantage, and consider purchasing non-core, mission-critical components from reputable SaaS providers.
In conclusion, selecting the right SaaS provider involves scrutinizing their security practices, SLAs, service availability, compatibility with your infrastructure, and the value they provide over building a solution in-house. By asking the right questions and thoroughly assessing potential SaaS providers, you can make more informed decisions that best serve your business needs.