Data Privacy is one of the leading concerns that customers express when setting up a Vendor Portal. Vendor Portals transfer sensitive data from buyers to suppliers and back again. Ultimately, each customer must make some degree of internal risk-reward calculation to determine if the time-money saving benefits of a Vendor Portal will outweigh the data privacy and security concerns that a SaaS tool introduces.
Though there are no silver bullets of data privacy, I try to explain to customers that there are some lead ones. With a little planning and some good aim, you should be able to knock out enough risk to make the process safe and secure.
Here is a list of my top six Data Privacy issues you should look to get clarity on before you commit to a SaaS-based Vendor Portal System.
Vendor Portals manage both financial transactional data and supplier profile data. Financial SaaS systems have established certification programs for their development processes, such as SSAE 16, SOC 1, SOC 2 and SOC 3. If the provider is not SSAE 16 / SOC 1 certified, you will need to walk away.
Data Center Certification
Most SaaS providers do not host their data internally; rather, they outsource hosting to a professional hosting provider. These providers know very well which certifications they need and will be willing to submit them on request.
We addressed this in the security section, but the SaaS provider should be able to offer Single Sign-On integration and allow you to control your users at all times.
Who Owns the Data
Always ask for and receive, in writing, a data ownership policy document. There are no real standards for data ownership, but this document will tell you a lot about the firm that you are about to partner with. Keep in mind that just because you are the customer you may not own all of the data. In the Vendor Portal world, much of the data should be and is owned by the suppliers.
How long will the data be stored after the contract?
In this case, I do not think there is any guidance as to how long the data should be stored; rather, you should make sure that the provider will be willing to work with you and destroy the data if you ask them to. Again, you may not own all of the data, and it may not all be destroyable.
How is your Data Segregated?
Most SaaS solutions are multi-tenant: the provider houses the data of many customers in one database. A SaaS partner should be able to articulate its privacy policies as well as the steps it has taken to keep your information segregated and safe.
Also, some SaaS solutions might contract out some of their data services to other providers. If this is the case, you will need to get a simple data custody map, and do not be afraid to say no.