| # | Yes | No | Question |
|---|-----|----|----------|
| 1 | Yes | No | Does the vendor provide a private identification code for administrative requests, service change requests, billing contact, or support, whether by phone, in person, or online? |
| 2 | Yes | No | Does the vendor maintain a list of pre-selected persons on your staff with whom they will allow contact for administrative requests, service change requests, billing contact, or support? |
| 3 | Yes | No | Does the vendor require a secure key, password, or secret code for administrative requests, billing contact, or support? |
| 4 | Yes | No | Does the vendor provide reasonable, strong authentication to connect with, access, or interact with data, and an equally strong means for new account creation and password recovery? |
| 5 | Yes | No | Does the vendor meet the required legal or regulatory requirements for the product or service (HIPAA, PCI, BASEL2, SOX, SAS70, OSSTMM, etc.)? |
| 6 | Yes | No | Does the vendor agree to protect and defend customer legal rights, and will it provide reasonable and timely support (such as connection logs, communication logs, etc.) to defend against legal claims from third parties? |
| 7 | Yes | No | Does the vendor provide monetary compensation for losses involving their product or service, regardless of whether the fault is theirs or a subsequent third party's (clawback provision)? |
| 8 | Yes | No | Is the vendor insured for up to the cost of replacing the product or service infrastructure in case of accident or malicious attack (disaster recovery)? |
| 9 | Yes | No | Does the vendor require that all data from the product or service, both off-site and within the application, be automatically transported and stored by sufficiently protected means (such as strong encryption)? |
| 10 | Yes | No | Does the vendor disallow the change or removal of any of the protection mechanisms placed upon the data or service, whether local or remote? |
| 11 | Yes | No | Does the vendor provide a fallback service for business continuity, or a timely, alternate means of connecting back to the data of the product or service (disaster recovery)? |
| 12 | Yes | No | Does the vendor maintain regular and timely back-ups and a restoration process for all collected data and configurations? |
| 13 | Yes | No | Does the vendor maintain a record of all interactions with the data or service, with time, date, and type, and with ready access to recover said records? |
| 14 | Yes | No | Does the vendor provide advance maintenance and operational schedules of changes to or administration of systems, and the personnel responsible? |
| 15 | Yes | No | Does the vendor provide acceptable protection for the transport and interaction of data or service requests, whether over the network (with valid encryption certificates for networks and secure protocols) or physically (using secure courier services and encrypted media)? |
| 16 | Yes | No | Does the vendor provide assurance of complete and total destruction of all records not related to billing or other regulatory or legal requirements upon a request at contract or service termination, including legal cessation of operations (vendor or client)? |
| 17 | Yes | No | Does the vendor maintain low visibility of operations by not sharing or disclosing specific operational information about its services, such as location, maintenance processes, core operations personnel, network maps and information, security processes, or lists of customers? |
| 18 | Yes | No | Does the vendor restrict all customer data and services to within the borders of the country of origin? |
| 19 | Yes | No | Does the vendor run regular and timely checks on the authenticity and integrity of stored data and information, with a recovery process in place for corruption, whether accidental or malicious? |
| 20 | Yes | No | Does the vendor have a process to provide legal entities with access for eDiscovery and forensics in the case of criminal or regulatory proceedings? |
| 21 | Yes | No | Does the vendor provide a reasonable process of immediate notification of damages, threats, or any incident response action taken due to issues surrounding the safety or security of customer services and data, whether digital or physical? |
| 22 | Yes | No | Does the vendor provide immediate notification, through a channel different from the one on which the request was made, of any support, administrative, or operational changes (including a change in the company's owners)? |
| 23 | Yes | No | Does the vendor restrict physical access to server rooms or on-site access for services to vetted, contracted personnel only? |
| 24 | Yes | No | Does the vendor maintain all of their services in-house (no subcontracting) with respect to the transport, management, configuration, support, or administration of customer services or data? |
| 25 | Yes | No | Does the vendor require and enforce non-disclosure agreements for employees and partners? |
All of the above results together lead to the following results.