Security checklist for your SW/IT supplier
1. Do You Train Your Staff Regularly on Data Protection?
2. What Features Do You Offer to Help Us Become GDPR Compliant?
- How do you encrypt my data?
- Which data are encrypted and which are not?
- Do you have access to the encryption key and therefore unencrypted data?
- Where is the encryption key stored?
- Do you encrypt every object with a different key?
- Do you ensure password quality (disallowing weak passwords)?
- How do you store user passwords?
- Do you use slow hashing functions to protect passwords?
- Is 2-factor authentication used?
- Is your architecture highly available (using load balancers, auto-scaling etc.)?
- Are the data stored and backed up in multiple locations?
- Is your SW architecture audited?
- Is the source code periodically audited?
- Do you do penetration testing?
3. Can You Process Customer Data Deletion Requests From Us? If So, How Quickly?
4. Do Any Third Parties Have Access to Our Customers' Data?
5. What Data Breach Protection and Protocols Do You Have? Can You Detect Data Breaches?
- What protection mechanisms do you use?
- Which type of attacks can you detect?
- How do you evaluate if the data has been compromised?
- Have you identified possible disaster scenarios?
- Is there a disaster recovery plan in place?
6. How Easy is it to Export Data? Is All Data Ready For Portability Requests?
- Which data can be exported?
- How can I export the data? Do I need your help?
- What is the format of the exported data (XLS, CSV/TXT, documents, etc.) and how is it structured?