
Compliance and SaaS
Some of the common compliance laws that companies need to meet, depending on the services or products they provide, are:
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- The Payment Card Industry Data Security Standard (PCI DSS)
There are other federal and state laws that companies subject to them must also meet.
Key SaaS compliance questions
Some of the compliance issues the SaaS provider must address are:
- What laws apply to the data center?
- What conditions apply to each law?
- Who has access or who might have access to the data in the cloud?
- How is the data being stored on the SaaS provider’s infrastructure?
- What steps is the SaaS provider taking to prevent data breaches and exposure of the data?
- How can the data be accessed?
- What authentication controls such as logins and passwords are in place, who creates them, and who has access to them? Are the credentials of workers who leave the company deleted?
- Some compliance laws require extensive audit trails. Can these trails be used both by external parties, such as the SaaS provider, and by your company? Access to the audit trails may need to be negotiated.
SaaS providers should be asked what security measures they are taking to prevent breaches and what plans they have in place if a breach occurs, such as restoring data and notifying clients and customers.
If the SaaS provider uses servers or other tools located outside the U.S., then the SaaS provider will likely have to comply with the laws of those other countries as well.