For both data stored in the application and backups, in which countries is our data stored?
Does your application support federation with OneLogin for single sign-on (SSO) authentication (Security Assertion Markup Language [SAML] or OAuth)?
Please describe your vulnerability management program.
How often do you perform third-party penetration tests on this application and when was the last one?
Who can see or has access to our information?
How do you safeguard our data from other clients and prevent unauthorized viewing of our data?
Is this application hosted on a dedicated or shared instance/infrastructure?
Please describe your security incident response process.
What is the timeline for customer notification in the case of a breach?
What activities/actions within your application are logged?
How do you allow us to view audit and access logs?
How do you communicate with customers about important changes to your platform or processes?
Do you offer periodic reports confirming compliance with security requirements?
What happens to our data when service is terminated?
What actions do you take to destroy data after a customer releases it?
Please describe your backup process.
How many copies of our data are stored, where are they stored, and are they encrypted?
Please describe your disaster recovery processes.