Strike a balance when answering customer security questions


We have a free B2B SaaS offering - we are a young company and still getting established, and we get asked questions about security on a daily basis. The questions we get asked almost daily are things like:

  • How secure is our data? (Love getting this one as it always then spawns 50 additional questions when replied to...)
  • Where is our data stored?
  • Does our data ever leave the country?
  • How do you back it up?
  • How do you ensure Client A cannot access Client B's data?
  • How do you ensure users cannot access admin functions, etc.?
  • How do you control and monitor access to the servers?
  • How do you control and monitor access to database?
  • Do you use encryption? If so, what data is encrypted and using what methods?
  • How are passwords and other sensitive information stored?
  • How often do you update the operating system, applications, databases, etc.?

Some clients really want to go to extreme depths (which is understandable, I guess), and we would love to create a security document answering all these questions and more (or add to our FAQ, maybe), as it would free up a lot of email and ticket time. But how do we strike a balance between reassuring customers that we take the security of their data very seriously, whilst not compromising the security of the application by telling people how we have built and secured our application and infrastructure? How have others in B2B addressed this?

Saas Security

asked Nov 6 '13 at 21:44
735 points
  • Just be open and honest and discuss it all, on the FAQ as you say. It is a rookie mistake to rely on keeping your methods secret. – Steve Jones 8 years ago
