

A SaaS evaluation checklist to choose the right provider

Replacing a legacy app with a SaaS alternative can be tedious. Create a checklist related to reliability, support and uptime to pick the right SaaS app and provider.

Enterprise IT managers deal with a lot of legacy software. This software often runs on hardware that's no longer supported, risking downtime and tying up money in specialist contracts. It most likely also uses a specific programming language that makes it challenging to manage and maintain -- let alone improve.

Businesses know the time and money IT teams sink into these legacy software systems, but they're often afraid to switch to a cloud-hosted alternative. No one wants to get hacked or discover they have no support available during an outage.

Still, the risk can be worth it if you find the right provider. With SaaS applications, IT teams can hand software maintenance and upgrade tasks over to the vendor. These applications also open opportunities for customization. They're typically written in popular programming languages and outfitted with integration options. They can also improve developer productivity by reducing specialization.

However, an enterprise IT team must carefully vet providers if it wants to convince business leadership to support a shift to SaaS. To properly assess a cloud application provider, use a SaaS evaluation checklist that tackles the following topics:

  • security, privacy and compliance
  • reliability and performance
  • support
  • vendor lock-in
  • integrations
  • the vendor's roadmap and finances

Key questions to ask prospective SaaS providers

Cloud security, privacy and compliance

Security and governance look different in different industry verticals. Companies that store health records must comply with HIPAA, for example. U.S. government contractors should work to Federal Risk and Authorization Management Program (FedRAMP) standards. Before making any changes to the IT systems and software in use, research the regulations that apply in your industry.

For any industry, choose a SaaS provider that uses recognized standards and frameworks. Look for the Cloud Security Alliance -- specifically, the nonprofit's Cloud Controls Matrix framework. NIST and the International Organization for Standardization (ISO) also provide popular standards, such as ISO/IEC 27001 for information security management.

Make standards and certifications one of the first questions in your cloud provider request for proposal (RFP). Ask what industry standard certifications they have and request a copy to review.

In addition to the framework, review a SaaS vendor's System and Organization Controls (SOC) reports. SOC reports are audits performed by a certified public accountant. In the RFP, ask how often the company is audited, and by whom. SOC reports describe the financial and internal controls a SaaS vendor uses to keep customer data safe.

If your corporate data is global, ask potential vendors how they comply with the EU's GDPR and the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These regulations, along with the California Consumer Privacy Act (CCPA) in the U.S., deal with end-user protection. Under GDPR and the CCPA, end users have the right to be forgotten, as well as the right to download their data and have it deleted. Under Privacy Shield, individuals have the right to erasure if the data collected about them is incorrect.

You want to know everything surrounding privacy at a SaaS provider that will house your corporate data. If the provider can't provide the information above, don't risk it.

Reliability and performance

Your SaaS evaluation checklist should include documented reliability and performance data, with clear expectations from your business, to form an enforceable cloud service-level agreement (SLA).

There's more than one kind of SLA. Set up both a performance SLA and an uptime SLA with a SaaS provider. An example of a performance SLA violation is a system that is technically up and online, but takes more than five minutes to retrieve data from the vendor. Request a performance SLA you can review. You can convert the guaranteed uptime percentage into quantifiable downtime figures with an uptime calculator. For example, an uptime of 99.5% equates to the following downtimes:

  • Daily: 7 minutes and 12 seconds
  • Weekly: 50 minutes and 24 seconds
  • Monthly: 3 hours, 39 minutes and 8 seconds
  • Yearly: 1 day, 19 hours, 49 minutes and 44 seconds

If this amount of downtime is not acceptable, negotiate a better uptime SLA. Knowing the guaranteed uptime before you ink the deal will help you negotiate a license or contract.
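As an added example (not from the original article), the Python below turns an uptime guarantee into the downtime budget listed above and checks a constructed month of outage and latency records against both the uptime SLA and a five-minute performance SLA. It assumes a 30-day month and a 365-day year, so its monthly and yearly figures differ by a few seconds from the calculator's.

```python
from datetime import datetime, timedelta

# Period lengths behind the uptime figures (assumption: 30-day month, 365-day year).
PERIODS = {
    "daily": timedelta(days=1),
    "weekly": timedelta(weeks=1),
    "monthly": timedelta(days=30),
    "yearly": timedelta(days=365),
}

def downtime_budget(uptime_pct: float, period: str) -> timedelta:
    """Maximum downtime a given uptime guarantee allows per period (99.5% daily -> 7m12s)."""
    return PERIODS[period] * ((100 - uptime_pct) / 100)

def measured_downtime(incidents, window_start: datetime, window_end: datetime) -> timedelta:
    """Sum outage time inside the window; incidents straddling its edges are clipped."""
    total = timedelta()
    for start, end in incidents:
        clipped_start, clipped_end = max(start, window_start), min(end, window_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total

def uptime_sla_breached(uptime_pct, incidents, window_start, window_end) -> bool:
    # Budget is derived from the actual window length, not a fixed calendar period.
    budget = (window_end - window_start) * ((100 - uptime_pct) / 100)
    return measured_downtime(incidents, window_start, window_end) > budget

def performance_sla_breaches(samples, max_latency: timedelta) -> list:
    # Requests that succeeded but took longer than the performance SLA allows.
    return [at for at, latency in samples if latency > max_latency]

# Constructed sample data: a 30-day window, three outages (one straddling the window start),
# and a few timed data retrievals as your own monitoring might record them.
WINDOW_START, WINDOW_END = datetime(2022, 3, 1), datetime(2022, 3, 31)
INCIDENTS = [
    (datetime(2022, 2, 28, 23, 0), datetime(2022, 3, 1, 0, 30)),   # only 30 min counts
    (datetime(2022, 3, 5, 10, 0), datetime(2022, 3, 5, 12, 0)),    # 2 h
    (datetime(2022, 3, 20, 8, 0), datetime(2022, 3, 20, 9, 15)),   # 1 h 15 min
]
LATENCY_SAMPLES = [
    (datetime(2022, 3, 2, 9, 0), timedelta(seconds=4)),
    (datetime(2022, 3, 9, 14, 0), timedelta(minutes=6)),   # up, but over the 5-minute limit
    (datetime(2022, 3, 15, 11, 0), timedelta(seconds=30)),
]

def evaluate_sample_month(uptime_pct: float = 99.5) -> dict:
    """Check the constructed month against both SLAs described above."""
    return {
        "downtime_seconds": measured_downtime(INCIDENTS, WINDOW_START, WINDOW_END).total_seconds(),
        "budget_seconds": downtime_budget(uptime_pct, "monthly").total_seconds(),
        "uptime_breached": uptime_sla_breached(uptime_pct, INCIDENTS, WINDOW_START, WINDOW_END),
        "slow_requests": len(performance_sla_breaches(LATENCY_SAMPLES, timedelta(minutes=5))),
    }
```

With the constructed data, 3 h 45 min of outages exceeds the 3 h 36 min that 99.5% allows over 30 days, so the uptime SLA is breached; at 99.0% it is not.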


Support

What good is a replacement for a legacy application if it doesn't include support?

Make a support SLA a prominent part of a SaaS evaluation checklist. Factors such as response times -- including call-back time expectations based on issue severity -- and whether the vendor outsources support to a third party are important.

Organizations can also use a trial run of a SaaS product to get a basic idea of the types of support offered, as well as the onboarding assistance they might receive from the vendor.

Vendor lock-in

Some cloud providers make it nearly impossible to stop using their products, either due to high switching costs or because there's no way to get your data out of their system.

Prevent vendor lock-in and maintain data independence with the right questions in the RFP. Know whether the SaaS system is open or closed. If it is open, ask to review the vendor's open APIs. They should provide a link for your team to assess how easy it is to get data in and out.

If your company terminates the contract, you need a plan to get your data back. If you decide to leave the vendor, what is the timeline for your data being returned, and in what format is it returned to you? Understand the data backup and restore technologies involved, as well as the API, extract, transform and load (ETL) and flat-file export options.

Narrow it down

To start, use a SaaS evaluation checklist to vet five to 10 providers. Quickly weed out unsatisfactory providers and narrow the list to the top three. From there, proceed to proof of concept testing and eventually settle on a SaaS application that's the best fit to replace your legacy system.


Integrations

If the cloud system has an open API, partners can use the API to build out integrations. Many tech companies, including Salesforce, Twitter and Google, use this model.

The benefit of an open API is that the cloud provider can extend its ecosystem without having to manage custom frameworks. The cloud vendor provides the open API and lets the business come to them. One question you want to ask is: "What is the open API deprecation strategy?" Make sure the provider versions the API rather than changing it on the fly, which would break any integrations built on it.

Vendor roadmap and finances

Licensing a vendor's product means that your organization relies on that company for its own success. Understand how much the vendor invests annually in product improvements. Is the vendor's roadmap in line with your expectations? Is the company profitable?

As part of your SaaS evaluation checklist, ask to review any publicly traded vendor's latest 10-K. This document is an audited financial overview of the company filed with the U.S. Securities and Exchange Commission annually. The 10-K provides a comprehensive summary of the vendor's performance. If that isn't enough, look at its 10-Q, filed quarterly with the SEC.

Editor's note: This article originally published in 2020 and was updated in 2022 to include more considerations for choosing a SaaS provider.
