SaaS Security Review Template

This security review template provides a standardized framework for evaluating the security posture of any SaaS vendor. It covers data handling, access controls, compliance certifications, and incident response in a structured assessment.

What's Included

1. Data Security

  • Encryption at rest (AES-256 or equivalent)
  • Encryption in transit (TLS 1.2+)
  • Data residency and storage locations
  • Backup frequency and recovery procedures
  • Data isolation in multi-tenant architecture

2. Access Controls

  • SSO support (SAML 2.0 / OIDC)
  • SCIM provisioning support
  • Role-based access control (RBAC)
  • Multi-factor authentication options
  • Session management and timeout policies

3. Compliance

  • SOC 2 Type II certification
  • ISO 27001 certification
  • GDPR compliance status
  • HIPAA compliance (if applicable)
  • Penetration testing frequency and results

4. Incident Response

  • Uptime SLA and historical performance
  • Incident notification process and timeline
  • Data breach response plan
  • Status page availability
  • Customer communication during incidents

How to Use This Template

Send this template to the vendor as part of your procurement process. Score each criterion as pass, partial, or fail. Use the results to identify risks that need mitigation or contractual protections before signing.
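The scoring step above, as an added example (not StackTidy's own tooling): criterion names come from the template, the must-have set is taken from the FAQ's minimum bar (SOC 2 Type II, SSO, MFA) plus TLS 1.2+, and the vendor answers are constructed for illustration.

```python
# Added example, not StackTidy code: score a vendor's answers to this
# template. Must-have items follow the FAQ; the answers are constructed.
SCORES = {"pass": 1.0, "partial": 0.5, "fail": 0.0}

# Items the FAQ treats as the minimum bar: a fail here blocks signing.
MUST_HAVE = {
    "Encryption in transit (TLS 1.2+)",
    "SSO support (SAML 2.0 / OIDC)",
    "Multi-factor authentication options",
    "SOC 2 Type II certification",
}

def score_review(answers, must_have=MUST_HAVE):
    """answers: {category: {criterion: 'pass' | 'partial' | 'fail'}}.
    Returns per-category scores (0-1), blockers (must-have fails) and
    items needing mitigation or contractual protection (any partial/fail)."""
    result = {"categories": {}, "blockers": [], "mitigate": []}
    for category, items in answers.items():
        total = 0.0
        for criterion, verdict in items.items():
            if verdict not in SCORES:  # reject anything but the 3 verdicts
                raise ValueError(f"{criterion}: unknown verdict {verdict!r}")
            total += SCORES[verdict]
            if verdict == "fail" and criterion in must_have:
                result["blockers"].append(criterion)
            elif verdict != "pass":
                result["mitigate"].append(criterion)
        result["categories"][category] = round(total / len(items), 2)
    result["approved"] = not result["blockers"]
    return result

# Constructed answers for a hypothetical vendor (subset of the template).
SAMPLE_ANSWERS = {
    "Data Security": {
        "Encryption at rest (AES-256 or equivalent)": "pass",
        "Encryption in transit (TLS 1.2+)": "pass",
        "Data isolation in multi-tenant architecture": "partial",
    },
    "Access Controls": {
        "SSO support (SAML 2.0 / OIDC)": "pass",
        "SCIM provisioning support": "fail",
        "Multi-factor authentication options": "fail",
    },
    "Compliance": {
        "SOC 2 Type II certification": "pass",
        "ISO 27001 certification": "partial",
    },
}
```

Running `score_review(SAMPLE_ANSWERS)` flags the missing MFA as a blocker and lists the SCIM, tenant-isolation and ISO 27001 gaps as items to mitigate or cover contractually.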

Why You Need This

Every SaaS tool you adopt expands your attack surface. A structured security review ensures you understand the risks before giving a vendor access to your data. It also creates an audit trail for compliance purposes.

SaaS Security Review Template FAQ

At minimum, look for SOC 2 Type II. ISO 27001 is also valuable. HIPAA compliance is required for healthcare data. GDPR compliance is necessary for EU user data. Ask for recent audit reports.

Conduct initial security reviews during procurement, then annual reviews for critical tools. Re-review whenever a vendor reports a security incident or when your compliance requirements change.

Unauthorized access through weak authentication is the most common risk. Require SSO and MFA for all SaaS tools. Shadow IT (unapproved tools) is the second biggest risk, as these bypass security reviews entirely.

Automate Your SaaS Management

Templates are a great start. StackTidy takes it further by automatically detecting every subscription and alerting you before renewals.