Evaluating SAAS contracts

rachana gupta
4 min readDec 2, 2021

Initially cloud was all about IAAS, however assembling hardware and shipping large servers was now a thing of past. It was just few clicks away to have your own server and you would also avoid sitting in cold datacenters for troubleshooting and with cloud it can be done from anywhere. Then came the PAAS services era, where you could have software installed quickly and get business ready quickly. You just had to worry about the application and had no associated access to OS or hardware.

Now we are in era of SAAS, from initial skepticism to financial institutions moving to SAAS is an amazing achievement of modern times. The SAAS provider automates many time consuming and repetitive tasks and makes the businesses focus on innovation, than get into problems of scaling in the middle of their annual sale. Companies barely have any upfront costs, but find SAAS cheaper and easier to manage.

It makes sense to consider all of your options to find a great IT solution that’s going to work best for your company and your budget. In case companies choose SAAS then there are security checks they should be additionally doing when choosing the vendor. The best part of SaaS is you don’t have to install anything, just sign in through the browser or mobile apps. To put it short, without any local hosting on servers, you can start accessing the software from any smart device.

  1. How will you handle the onboarding of users and deprovisioning when they leave?

This is self explanatory, on how to add new users and how to remove users when they leave. If its cumbersome process then the SAAS is not worth it. It should have well defined workflows for approvals. Additionally we should ask if SAAS provider has any user management api , if there is not then its a reason enough to not go ahead.

2. Does the application have SSO and MFA ?

New age exploits are all on identity, securing it has become crucial. Even if they charge additional for enabling SSO, it will be worth from security perspective. If its local use accounts, then its worth checking how the user passwords are stored? Hopefully not a table in some database :). Then you can cross them off your list.

3. The datacenter protection details or cloud provider details.

Ask your SaaS provider on details of the mechanisms and techniques they use to secure their data centers.

a) A secure, SAS70-certified Tier 4 data center.
b) Intrusion detection systems.
d) SSL and application security.
e) 24×7 security monitoring.
f) Third-party certifications for security practices.

4. The compliance standards

The compliance standards the SAAS service meets, as you might be using it on your own customers in different domains.

5. The support model and SLA

I believe a bad customer support kills a product. In case of SAAS, the amount of time you cannot access a application is equating downtime. They should be also able to provide audit logs when requested without cumbersome processes. Do they provide 24/7 support?

6. RTO and RPO

The more specific questions to ask here would be about their uptime/availability statistics and how they protect their services from disasters.

A good SaaS provider should have a 99.5% uptime. Make sure your SaaS provider has backup servers so that there is no disruption in your work in case their hardware fails, or a disaster (earthquake, tsunami, etc.) happens. Finally, make sure you get a refund if your SLA is not met.

7. Maintenance windows.

How often do the SAAS provider seek planned downtime ? Do they failover to DR for minimum disruption? Do they have blue green deployment strategy? Look at their ratings and previous major downtimes and causes of that? Are they security patches? or they frequently keep fixing the product?

8. User friendly solution?

How easy is it to use? Basically if its a call center solution, can your non technical agents use it easily or they need training? Do they keep changing UI a lot which causes confusion?

9. Data retention policies?

I had once seen a retention policy on a security saas provider who said they will retain customer data for 7 years even after decommission. Why will anyone want them to keep our data? This causes privacy concerns and also what if its sold to someone else or gets breached? Also, there should be easy path to get data from SAAS provider in case you decide to stop their services. You shouldnot get stuck in a bad product if you get a better and cheaper choice.

10. Previous history?

Always good to look up the company for any breaches in the past.



rachana gupta

I write about cybersecurity and also reflect on life