
The 50-Point Vendor Security Assessment Checklist for SaaS

A comprehensive checklist covering every security question enterprise procurement teams ask SaaS vendors. Use it to prepare before the questionnaire arrives.

SaaSFort Team · 3 min read


Enterprise procurement teams use detailed security questionnaires to evaluate SaaS vendors. This checklist covers the 50 most common questions so you can prepare your answers before the questionnaire arrives.

Infrastructure Security (1-10)

  1. Do you use encrypted connections (TLS 1.2+) for all data in transit?
  2. Is data encrypted at rest using AES-256 or equivalent?
  3. Do you maintain a network architecture diagram?
  4. Are production environments isolated from development?
  5. Do you use a WAF (Web Application Firewall)?
  6. Is your infrastructure hosted in SOC 2 certified data centers?
  7. Do you have DDoS protection in place?
  8. Are backups encrypted and tested regularly?
  9. Do you support data residency requirements (EU, US)?
  10. Is your DNS configured with DNSSEC?

Application Security (11-20)

  11. Do you perform regular vulnerability scans?
  12. Do you follow the OWASP Top 10 guidelines?
  13. Is there a secure software development lifecycle (SSDLC)?
  14. Do you conduct penetration testing at least annually?
  15. Are security findings tracked and remediated with SLAs?
  16. Do you have a bug bounty or vulnerability disclosure program?
  17. Are all dependencies scanned for known vulnerabilities?
  18. Do you use static and dynamic application security testing?
  19. Is input validation enforced on all user inputs?
  20. Are API endpoints authenticated and rate-limited?

Access Control (21-30)

  21. Do you support SSO (SAML, OIDC)?
  22. Is multi-factor authentication enforced for admin access?
  23. Do you follow the principle of least privilege?
  24. Are access rights reviewed quarterly?
  25. Is there role-based access control (RBAC)?
  26. Do you have an offboarding process that revokes access?
  27. Are API keys rotated regularly?
  28. Do you support IP allowlisting?
  29. Are admin actions logged and auditable?
  30. Is there session management with timeout policies?

Compliance & Governance (31-40)

  31. Are you SOC 2 Type II certified (or in progress)?
  32. Are you ISO 27001 certified?
  33. Do you comply with GDPR?
  34. Do you have a Data Processing Agreement (DPA)?
  35. Is there a formal information security policy?
  36. Do you conduct regular security awareness training?
  37. Do you have a risk management framework?
  38. Are third-party vendors assessed for security?
  39. Do you maintain a data classification policy?
  40. Is there a formal change management process?

Incident Response (41-50)

  41. Do you have a documented incident response plan?
  42. Is there a 24/7 security monitoring capability?
  43. What is your notification timeline for security incidents?
  44. Do you conduct post-incident reviews?
  45. Is there a disaster recovery plan with defined RTOs?
  46. Do you maintain business continuity procedures?
  47. Are incident response procedures tested annually?
  48. Do you have cyber insurance?
  49. Is there a designated security team or officer?
  50. Can you provide evidence of your last security audit?

How SaaSFort Automates This

Many of these questions can be answered automatically with continuous security scanning. SaaSFort generates Deal Reports that pre-answer questions 11-20 with real scan data, saving weeks of manual evidence gathering.
