
Tricia Dunlap, Esq.


What is SaaS and Why You Need To Be Careful: 4 Tips for Picking SaaS Vendors

What is SaaS? Software as a Service is necessary for all modern businesses. It includes software such as G-Suite, MailChimp, SalesForce, and Microsoft products. But right now let’s focus on choosing a SaaS vendor.

It’s time to look beyond just whether or not a SaaS vendor will give you the operational functions you need, and it’s time to consider the data privacy issues in how they function. This is a three-part series on SaaS vendors because there’s a lot to consider.

This first post deals with the principles that your business should adopt as you prepare to choose a SaaS vendor. Post two gives you some tips on how to do a preliminary vetting of potential vendors so that you can narrow a long list down to a short one. Then, in post three, I’ll give you some tips on a deeper dive and due diligence on how to take that short list and choose the one vendor that you think is going to not only serve your needs as a business, but also appropriately protect the data that your business needs.

Basic Principles in Choosing a SaaS Vendor

In recent years, a lot of businesses have come to think of data as a business asset. They’re not wrong about that. It is a business asset, but it’s not a commodity, and it’s important that you don’t start thinking of data as a commodity because there are too many laws and regulations around the use, collection, sharing, and potential sale of data for you to think of it as simply a commodity.

Plus, good cyber security begins with a thoughtful and principled approach to data privacy. So a business hoovering up as much data as it possibly can about its customers, clients, the general public, or whoever visits its site, just because it can, is really no longer a good business practice. If you’re still doing that, you’re probably sowing the seeds of future liabilities for your business that could be really burdensome and damaging.

There are four principles that you should adopt so that your data continues to be a business asset and doesn’t become a toxic asset.

1. Data Minimization

Your business should collect only the data your company needs for its legitimate purpose. Before you can adopt that principle, you have to step back and determine what data you need, and then limit your data collection practices accordingly.

You should also adopt a routine habit of figuring out which data in your systems is obsolete. Perhaps it’s factually inaccurate, it’s not current anymore, or you just don’t need it anymore. You should delete that on a regular basis. This should be part of routine housekeeping.

2. Data Is Not a Commodity

I said this earlier and I’m gonna say it again: data is not a commodity. It is an asset that you need to carefully manage in order to protect the products and services that you provide. The data also needs to be appropriately protected.

3. Design Thoughtful Systems

You need to design your systems thoughtfully, so that you have a low risk for security incidents. This means things like ensuring devices are encrypted, using elaborate and long passwords that are stored in a password manager (not on a Post-it note on your desk, no no, don’t do that anymore). Use two-factor authentication on every single log-in, and then require a new password every 90 days or so and ban the reuse of an old password.

Those are some bare minimum systems that you must have in place to have an appropriate data privacy management policy.

4. Carefully Vet Any SaaS Vendor

You should no longer look at a SaaS vendor solely from the point of view of, does it serve my business needs? And do I like the background color of its platform? Or maybe the user interface is really easy and simple. Those are important considerations, but you’ve also got to look at their cyber security practices and their data privacy practices.

Those are four principles that you need to adopt. I hope it was helpful. Post 2 of this series gives you five ways to take a long list of potential vendors down to a short list.

Make sure to subscribe to our YouTube channel so you can see new videos on data privacy, SaaS vendors, and other business law topics!