SaaS Security: Questions to Ask Before Signing Up for Any Cloud Tool
Before you trust a cloud tool with your business data, you should know how it's protected. Here are the key security questions to ask any SaaS provider.
Australian small businesses are embracing cloud software at a remarkable rate. Project management tools, accounting platforms, CRM systems, communication apps, document storage — the average small business now uses dozens of SaaS (Software as a Service) tools, many of which hold sensitive customer and business data.
The convenience is real. But so is the risk. Every SaaS tool you add to your stack is another place where your data lives and another potential entry point for attackers. Before you click "Start Free Trial" and start uploading your business data, it pays to ask a few key questions.
Why SaaS Security Due Diligence Matters
When you store data in a SaaS platform, you're trusting that provider to protect it. But not all providers take security equally seriously. Some use outdated encryption standards. Some store data in jurisdictions with weak privacy protections. Some have poor access controls internally. Some have been breached multiple times.
Under the Australian Privacy Act and the Notifiable Data Breaches scheme, if a SaaS provider is breached and your customers' personal information is exposed, you may still be responsible for notifying the OAIC and affected individuals — even though the breach happened in someone else's system.
Doing some basic due diligence before signing up is far less painful than managing a breach notification after.
Questions to Ask About Data Security
Where is my data stored?
Data residency matters for Australian businesses. If your data is stored in the United States, it may be subject to US law enforcement requests under the CLOUD Act. If you're in a regulated industry (healthcare, finance, government), you may have specific requirements about data being stored within Australia. Ask where data resides and whether you can choose Australian data centres.
Major providers like Microsoft Azure, AWS, and Google Cloud all have Australian data centre regions. Many SaaS tools built on these platforms can be configured to store data locally.
Is my data encrypted at rest and in transit?
Encryption at rest means your data is encrypted when stored on the provider's servers. Encryption in transit means your data is encrypted as it travels between your browser and their servers. Both should be standard. Look for AES-256 encryption at rest and TLS 1.2 or higher in transit. If a provider can't confirm these, look elsewhere.
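As an added example (not from the original article), a small Python probe that checks the transport half of this question against a provider's endpoint: it refuses anything below TLS 1.2, insists on a certificate that chains to the system trust store and matches the hostname, and reports what was negotiated. The hostname is a placeholder; encryption at rest cannot be observed from outside and still has to be confirmed with the provider.

```python
import socket
import ssl
import sys

# Checklist baseline for data in transit: TLS 1.2 or higher.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def tls_version_tuple(protocol: str) -> tuple:
    """Map a negotiated protocol name ('TLSv1.3', 'TLSv1') to (major, minor).
    Anything that is not TLS maps to (0, 0) so it always fails the baseline."""
    if not protocol.startswith("TLSv"):
        return (0, 0)
    parts = protocol[4:].split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def meets_transport_baseline(protocol: str) -> bool:
    """True when the negotiated protocol is TLS 1.2 or newer."""
    return tls_version_tuple(protocol) >= (1, 2)


def build_strict_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2 and requires a
    trusted certificate whose name matches the host we asked for."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Does a context enforce the baseline above?"""
    return (ctx.minimum_version >= MIN_TLS and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a strict TLS session to the provider and report the outcome.
    A handshake failure means the endpoint could not meet the baseline
    (legacy protocol only, untrusted chain, or hostname mismatch)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with build_strict_context().wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()
                return {"ok": meets_transport_baseline(tls.version()),
                        "protocol": tls.version(), "cipher": name, "bits": bits,
                        "cert_expires": tls.getpeercert().get("notAfter")}
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder host: pass the provider's login or API hostname as argv[1].
    print(probe_tls(sys.argv[1] if len(sys.argv) > 1 else "app.example-provider.invalid"))
```

A result with "ok": False is the cue to ask the provider directly rather than assume; a passing probe only shows what this client negotiated, not what older clients are still allowed to use.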
Who within the provider's organisation can access my data?
Some SaaS providers allow their support staff routine access to customer data. Others use strict access controls that require justification for any internal access. Ask whether their staff can access your data, under what circumstances, and whether access is logged and audited.
Questions to Ask About Access Controls
Do you support multi-factor authentication?
MFA should be non-negotiable. Any SaaS tool that doesn't support MFA is a risk. Some platforms not only support MFA but can require it for all users — this is worth enabling from day one.
What role-based access controls do you offer?
Can you control what different users within your business can see and do? Good platforms allow you to grant some team members read-only access while others have full edit access. This limits the damage if a team member's account is compromised.
Do you support single sign-on (SSO)?
SSO integration with Microsoft 365 or Google Workspace lets you manage all your SaaS logins through one central account. This makes it much easier to revoke access when an employee leaves and to enforce consistent security policies.
Questions to Ask About Compliance and Certifications
Do you hold SOC 2 Type II or ISO 27001 certification?
These independent security certifications are the gold standard for SaaS security. A SOC 2 Type II report means an independent auditor has verified the provider's security controls over an extended period (typically 6–12 months). ISO 27001 certification means their information security management system has been independently assessed.
Many reputable SaaS providers — Atlassian, Salesforce, HubSpot, Xero, Slack, and others — make their SOC 2 reports available under NDA on request. If a provider doesn't hold either certification and can't explain why, treat that as a yellow flag.
Are you compliant with Australian privacy law?
Specifically, ask whether the provider's data handling practices comply with the Australian Privacy Principles under the Privacy Act 1988. Check their privacy policy for explicit references to Australian law and their process for handling data deletion requests.
Questions to Ask About Incident Response
How will you notify me if there's a breach involving my data?
Under Australian law, you may have as little as 30 days to assess a breach and notify the OAIC. You need your SaaS provider to notify you quickly. Ask for their breach notification timeframe and whether it's written into your contract.
What is your uptime guarantee and how do you handle outages?
For business-critical tools, downtime is a real cost. Look for a published Service Level Agreement (SLA) with a specific uptime guarantee (99.9% is common) and understand what compensation is available if the provider fails to meet it.
Where to Find Security Information Without Asking
Most reputable SaaS providers publish security information proactively. Look for:
- A security or trust page (often at security.[provider].com or trust.[provider].com)
- A privacy policy that explicitly addresses data residency, retention, and deletion
- A sub-processor list that shows which third-party services the provider uses to deliver their product
- A security whitepaper or detailed technical documentation
Key Takeaways
- Before signing up for any SaaS tool, ask where your data is stored, how it's encrypted, and who can access it
- Require MFA support as a non-negotiable baseline for any tool that holds business or customer data
- Look for SOC 2 Type II or ISO 27001 certification as evidence of independently verified security controls
- Check the provider's breach notification process — you need timely notification to meet your own legal obligations
- Most reputable providers publish security documentation on their website — if you can't find it and they won't provide it, that tells you something
The SaaS tools you choose are part of your cyber risk profile. Use Flagged's free assessment to evaluate your overall cloud security posture and identify where you might be taking on more risk than you realise.