Follow this SaaS vendor checklist to find the right provider

Before you ditch your legacy IT system, vet its potential cloud replacements with these SaaS SLA and RFP questions. Dig into compliance, performance, support and more.

Enterprise IT managers deal with a lot of legacy software. This software often runs on hardware that's no longer supported, risking downtime and tying up money in specialist contracts. It probably also uses a specific programming language that makes it challenging to manage and maintain -- let alone improve.

Businesses know the time and money IT teams sink into these legacy software systems, but they're often afraid to switch to a cloud-hosted alternative. No one wants to get hacked or discover they have no support available during an outage.

Still, the risk can be worth it if you find the right provider. SaaS tools -- such as a cloud-based CRM that replaces a legacy content management tool -- hand maintenance and upgrade tasks over to the vendor. These tools also open opportunities for customization. They're typically written in popular programming languages and outfitted with integration options. And they can improve developer productivity by reducing specialization.

However, an enterprise IT team must vet the provider first if it wants to convince business leadership to support a shift to SaaS. To properly evaluate a cloud service provider, use this SaaS vendor checklist, which covers these topics:

  • security, privacy and compliance;
  • reliability and performance;
  • support;
  • vendor lock-in;
  • partnerships; and
  • the vendor's roadmap and finances.

Cloud security, privacy and compliance

Security and governance look different in different industry verticals. Companies that store health records must comply with HIPAA, for example. U.S. government contractors should work to Federal Risk and Authorization Management Program (FedRAMP) standards. Before making any changes to the IT systems and software in use, research the regulations that apply in your industry.

For any industry, choose a SaaS provider that uses recognized standards and frameworks. Look for the Cloud Security Alliance -- specifically, the nonprofit's Cloud Controls Matrix framework. NIST and the International Organization for Standardization (ISO) also provide popular standards, such as ISO/IEC 27001 for information security management.

Make standards and certifications one of the first questions in your cloud provider request for proposal (RFP). Ask which industry-standard certifications the vendor holds and request a copy of each to review.

In addition to the framework, review a SaaS vendor's System and Organization Controls (SOC) reports. SOC reports are audits performed by a certified public accountant. In the RFP, ask how often the company is audited, and by whom. SOC reports describe the financial and internal controls a SaaS vendor uses to keep customer data safe.

If your corporate data is global, ask potential vendors how they comply with the EU's GDPR and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These regulations, along with the California Consumer Privacy Act (CCPA) in the U.S., deal with end-user protection. Under GDPR and the CCPA, end users have the right to be forgotten, as well as the right to download their data and have it deleted. Under Privacy Shield, individuals have the right to erasure if the data collected about them is incorrect.

You want to know everything surrounding privacy at a SaaS provider that will house your corporate data. If the provider can't provide the information above, don't risk it.

Reliability and performance

Your SaaS vendor checklist should include documented reliability and performance data to evaluate, with clear expectations from your business, to form an enforceable cloud service-level agreement (SLA).

There's more than one kind of SLA. Set up both a performance SLA and an uptime SLA with a SaaS provider. An example of a performance SLA violation is a system that is technically up and online but takes more than five minutes to retrieve data from the vendor. Request a performance SLA you can review. Ask the provider for its guaranteed uptime. You can convert this percentage into quantifiable time figures with an uptime calculator. For example, an uptime of 99.5% equates to downtime of:

  • Daily: 7 minutes and 12 seconds
  • Weekly: 50 minutes and 24 seconds
  • Monthly: 3 hours, 39 minutes and 8 seconds
  • Yearly: 1 day, 19 hours, 49 minutes and 44 seconds

If this amount of downtime is not acceptable, negotiate a better uptime SLA. Knowing the guaranteed uptime before you ink the deal will help you negotiate a license or contract.
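The downtime figures above can be reproduced, and the inverse question answered: what uptime must you negotiate to stay within a given downtime budget? The Python below is an added example, not part of the original article or any vendor's calculator; it assumes a mean Gregorian year of 365.2425 days split into twelve equal months, with fractional seconds truncated, which is the convention that reproduces the article's figures.

```python
"""Uptime-percentage to downtime-budget calculator (added example)."""
from __future__ import annotations

SECONDS_PER_DAY = 86_400
# Assumption: mean Gregorian year (365.2425 days), computed in integers so
# the result is exactly 31_556_952 s; a "month" is one twelfth of that.
SECONDS_PER_YEAR = 3_652_425 * SECONDS_PER_DAY // 10_000

PERIODS = {
    "Daily": SECONDS_PER_DAY,
    "Weekly": 7 * SECONDS_PER_DAY,
    "Monthly": SECONDS_PER_YEAR // 12,
    "Yearly": SECONDS_PER_YEAR,
}


def downtime_seconds(uptime_percent: float, period_seconds: int) -> int:
    """Whole seconds of permitted downtime in a period for a given uptime %."""
    if not 0 <= uptime_percent <= 100:
        raise ValueError("uptime_percent must be between 0 and 100")
    # Work in ten-thousandths of a percent so 99.999 % does not suffer float error.
    unavailable = round((100 - uptime_percent) * 10_000)
    return period_seconds * unavailable // 1_000_000


def format_duration(seconds: int) -> str:
    """Render seconds as 'N days, N hours, N minutes and N seconds'."""
    parts = []
    for name, size in (("day", 86_400), ("hour", 3_600), ("minute", 60), ("second", 1)):
        qty, seconds = divmod(seconds, size)
        if qty:
            parts.append(f"{qty} {name}{'' if qty == 1 else 's'}")
    if not parts:
        return "0 seconds"
    return parts[0] if len(parts) == 1 else ", ".join(parts[:-1]) + " and " + parts[-1]


def downtime_budget(uptime_percent: float) -> dict[str, str]:
    """Permitted downtime per standard period for an uptime SLA percentage."""
    return {name: format_duration(downtime_seconds(uptime_percent, secs))
            for name, secs in PERIODS.items()}


def required_uptime_percent(max_downtime_seconds: int, period_seconds: int) -> float:
    """Inverse: the minimum uptime % to negotiate so downtime stays within budget."""
    return 100.0 * (1 - max_downtime_seconds / period_seconds)


if __name__ == "__main__":
    for period, budget in downtime_budget(99.5).items():
        print(f"{period}: {budget}")
    print(f"Max 1 h/month needs {required_uptime_percent(3600, PERIODS['Monthly']):.4f}% uptime")
```

Because the monthly figure depends on the assumed month length, an uptime SLA should state the measurement window (calendar month, rolling 30 days, or quarter) explicitly.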


What good is a legacy system replacement if it doesn't include support?

Make a support SLA part of the SaaS vendor checklist. Ask vendors how quickly a support representative will contact a customer in the event of an issue. Ask more specific questions about response times, such as the expected callback time for each severity level. Ask which country the support team is located in. Find out if the vendor outsources support to a third party. All these factors matter in a stressful, urgent support situation.

Vendor lock-in

Vendor lock-in can be crushing. The cloud provider makes it nearly impossible to stop using its product, either due to high switching costs or because there's no way to get your data out of its system.

Prevent vendor lock-in and maintain data independence with the right questions in the RFP. Ask if the SaaS system is open or closed. If it is open, ask to review the vendor's open APIs. They should provide a link for your team to assess how easy it is to get data in and out.

Ask about data backup and restore technology, APIs, extract, transform and load (ETL) tooling and flat file export options. If your company terminates the contract, you need a plan to get your data back.

Partnerships

If the cloud system has an open API, then partners can use it to build out integrations. Many tech companies use this model, including Salesforce, Twitter and Google.

The benefit of an open API is that the cloud provider can extend its ecosystem without having to manage custom frameworks. The cloud vendor provides the open API and lets partners come to it. One question you want to ask is: "What is the open API deprecation strategy?" You want to make sure the provider versions the API rather than changing it on the fly, which would break existing integrations.

Vendor roadmap and finances

Licensing a vendor's product means that your organization relies on that company for its own success. How much does the vendor invest annually in the product to make it better? Is its roadmap in line with your expectations? Is it profitable?

As part of your SaaS vendor checklist, ask to review any publicly traded vendor's latest 10-K. This document is an audited financial overview of the company filed with the U.S. Securities and Exchange Commission annually. The 10-K provides a comprehensive summary of the vendor's performance. If that isn't enough, look at their 10-Q, filed quarterly with the SEC.

Now that you have a SaaS vendor checklist to evaluate a provider's security, governance and financial standing, use it to vet five to 10 providers. You will be able to quickly weed out unsatisfactory providers and narrow the list to the top three. From there, you can proceed to proof of concept testing and eventually settle on a SaaS application that's the best fit to replace your legacy system.
